#tryhackme #windows #easy

![[Pasted image 20250712152840.png]]

---

# Information Gathering - Nmap

As always, I began with a TCP SYN scan against all 65,535 ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-12 13:40 CDT
Nmap scan report for 10.10.85.60
Host is up (0.14s latency).
Not shown: 33670 filtered tcp ports (no-response), 31852 closed tcp ports (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
8080/tcp  open  http-proxy
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49158/tcp open  unknown
49159/tcp open  unknown
49160/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 54.45 seconds
```

Then I ran a more detailed scan with the `-sCV` options (default scripts plus version detection) against the open ports found.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV $IP -p 80,135,139,443,445,3306,8080,49152,49153,49154,49158,49159,49160
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-12 13:42 CDT
Nmap scan report for 10.10.85.60
Host is up (0.28s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-IIS/7.5
|_http-title: 404 - File or directory not found.
| http-methods:
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
| http-methods:
|_  Potentially risky methods: TRACE
|_ssl-date: TLS randomness does not represent time
|_http-title: Index of /
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
| tls-alpn:
|_  http/1.1
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2019-04-11 22:52  oscommerce-2.3.4/
| -     2019-04-11 22:52  oscommerce-2.3.4/catalog/
| -     2019-04-11 22:52  oscommerce-2.3.4/docs/
|_
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
445/tcp   open  microsoft-ds Windows 7 Home Basic 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql        MariaDB 10.3.23 or earlier (unauthorized)
8080/tcp  open  http         Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|_http-title: Index of /
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2019-04-11 22:52  oscommerce-2.3.4/
| -     2019-04-11 22:52  oscommerce-2.3.4/catalog/
| -     2019-04-11 22:52  oscommerce-2.3.4/docs/
|_
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -20m05s, deviation: 34m37s, median: -7s
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: BLUEPRINT, NetBIOS user: <unknown>, NetBIOS MAC: 02:14:e3:20:9d:51 (unknown)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows 7 Home Basic 7601 Service Pack 1 (Windows 7 Home Basic 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: BLUEPRINT
|   NetBIOS computer name: BLUEPRINT\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-07-12T19:44:00+01:00
| smb2-time:
|   date: 2025-07-12T18:44:01
|_  start_date: 2025-07-12T18:26:57

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.09 seconds
```

Lastly, a UDP scan against the top 10 ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-12 13:49 CDT
Nmap scan report for 10.10.85.60
Host is up (0.29s latency).

PORT     STATE         SERVICE
53/udp   closed        domain
67/udp   closed        dhcps
123/udp  open|filtered ntp
135/udp  closed        msrpc
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
445/udp  closed        microsoft-ds
631/udp  closed        ipp
1434/udp closed        ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 9.45 seconds
```

---

# Enumeration - SMB

`smbclient` revealed some shares that are worth exploring for potentially juicy information.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ smbclient -N -L //$IP

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	Users           Disk
	Windows         Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.85.60 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

I was able to connect to the `Users` share, but unfortunately it didn't seem to contain any juicy information.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ smbclient //$IP/Users
Password for [WORKGROUP\parallels]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                  DR        0  Thu Apr 11 17:36:40 2019
  ..                                 DR        0  Thu Apr 11 17:36:40 2019
  Default                           DHR        0  Tue Jul 14 02:17:20 2009
  desktop.ini                       AHS      174  Mon Jul 13 23:41:57 2009
  Public                             DR        0  Mon Jul 13 23:41:57 2009

		7863807 blocks of size 4096. 4763024 blocks available
```

I tried Nmap's `smb-enum-users` script against port 445. To my surprise, it revealed not only the shares but also the local user accounts on the host:

- `BLUEPRINT\Administrator`
- `BLUEPRINT\Guest`
- `BLUEPRINT\Lab`

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -p 445 --script smb-enum-users $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-12 14:30 CDT
Nmap scan report for 10.10.85.60
Host is up (0.30s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-users:
|   BLUEPRINT\Administrator (RID: 500)
|     Description: Built-in account for administering the computer/domain
|     Flags:       Normal user account, Password does not expire
|   BLUEPRINT\Guest (RID: 501)
|     Description: Built-in account for guest access to the computer/domain
|     Flags:       Normal user account, Password does not expire, Password not required
|   BLUEPRINT\Lab (RID: 1000)
|     Full name:   Steve
|_    Flags:       Normal user account

Nmap done: 1 IP address (1 host up) scanned in 11.97 seconds
```

# Enumeration - HTTP/HTTPS

Ports 443 and 8080 serve the same content, including the osCommerce directory.

![[Pasted image 20250712140042.png]]

![[Pasted image 20250712140750.png]]

I looked up `osCommerce 2.3.4` using `searchsploit` and found multiple known exploits for this specific version. I selected `osCommerce 2.3.4.1 - Remote Code Execution (2)`.

![[Pasted image 20250712143945.png]]

The exploit doesn't require us to be authenticated: the vulnerability is exploitable when the `/install` directory wasn't removed by the admin after setup.

![[Pasted image 20250712144356.png]]

Looks like our `/install` directory was never removed by the admin. Let's try to exploit this vulnerability with the downloaded PoC.

![[Pasted image 20250712144526.png]]

We are automatically logged in as the `nt authority\system` user. Well, I didn't see that coming.

![[Pasted image 20250712144759.png]]

Since I am logged in as `nt authority\system`, I was able to access the Administrator directory and read `root.txt`.

```powershell
RCE_SHELL$ C:\Users\Administrator\Desktop && dir
 Volume in drive C has no label.
 Volume Serial Number is 14AF-C52C

 Directory of C:\Users\Administrator\Desktop

11/27/2019  07:15 PM    <DIR>          .
11/27/2019  07:15 PM    <DIR>          ..
11/27/2019  07:15 PM                37 root.txt.txt
               1 File(s)             37 bytes
               2 Dir(s)  19,495,354,368 bytes free
RCE_SHELL$ cd C:\Users\Administrator\Desktop && type root.txt.txt
THM{aea...
```

I still have to get the NTLM hash of the `Lab` user and type in the cracked plaintext of that hash to finish this machine.

![[Pasted image 20250712150641.png]]

The `dir` command shows that we are currently in the `/catalog/install/includes` directory.

![[Pasted image 20250712150802.png]]

Luckily, I can access this directory through the browser on my local Kali machine.

![[Pasted image 20250712150838.png]]

I used the `reg.exe save` command to copy the `sam`, `system`, and `security` registry hives into that directory.

![[Pasted image 20250712151438.png]]

I navigated back to `/catalog/install/includes` via the web browser on my local Kali machine and confirmed they are present and accessible.

![[Pasted image 20250712151552.png]]

With `secretsdump.py`, I was able to extract the NTLM hashes of the stored accounts.

![[Pasted image 20250712151949.png]]

The hash was cracked with `Crackstation.net`.

![[Pasted image 20250712152759.png]]
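As the defender's counterpart to the two findings in this writeup (the leftover osCommerce `/install` directory, and the registry hives exported into the web-served `install/includes` folder), here is an added example, not part of the original post, that flags both patterns in Apache combined-format access logs. The log lines are constructed; the hive filenames `sam`/`system`/`security` and the optional `.save`/`.hiv` suffixes are assumptions, since the writeup does not show the exact names used.

```python
"""Flag requests to an osCommerce installer tree and to exported registry hive
files in Apache access logs. Added example; log lines below are constructed."""
import re

# Apache "combined" format: client, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Installer tree: should not exist on a deployed osCommerce instance.
INSTALL_RE = re.compile(r'/install(/|$)', re.IGNORECASE)
# Hive exports dropped into the web root (filenames and suffixes are assumed).
HIVE_RE = re.compile(r'/(sam|system|security)(\.save|\.hiv)?$', re.IGNORECASE)

SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2025:14:43:01 -0500] "GET /oscommerce-2.3.4/catalog/index.php HTTP/1.1" 200 5123
10.0.0.7 - - [12/Jul/2025:14:45:10 -0500] "POST /oscommerce-2.3.4/catalog/install/install.php?step=4 HTTP/1.1" 200 812
10.0.0.7 - - [12/Jul/2025:15:14:22 -0500] "GET /oscommerce-2.3.4/catalog/install/includes/sam HTTP/1.1" 200 262144
10.0.0.7 - - [12/Jul/2025:15:14:25 -0500] "GET /oscommerce-2.3.4/catalog/install/includes/system HTTP/1.1" 200 9437184
10.0.0.9 - - [12/Jul/2025:15:20:00 -0500] "GET /oscommerce-2.3.4/catalog/install/includes/security HTTP/1.1" 404 196
"""


def find_suspicious(log_text: str) -> list[dict]:
    """Return one finding per log line that touches the installer tree or a hive file."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop the query string before matching
        reasons = []
        if INSTALL_RE.search(path):
            reasons.append("installer_path")
        if HIVE_RE.search(path):
            reasons.append("hive_file")
        if reasons:
            findings.append({"ip": m.group("ip"), "path": path,
                             "status": int(m.group("status")), "reasons": reasons})
    return findings


def hive_download_sources(log_text: str) -> set[str]:
    """Clients that actually retrieved a hive file (HTTP 200): the highest-priority alerts."""
    return {f["ip"] for f in find_suspicious(log_text)
            if "hive_file" in f["reasons"] and f["status"] == 200}


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
    print("hive downloads from:", hive_download_sources(SAMPLE_LOG))
```

A 404 on a hive path still matters: it shows someone probing for the file, so the installer-path hit is reported even when the download failed.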