I was interested in attempting Blueprint because it is listed as a Windows machine on THM without really any other information. Though I have worked on hacking Windows machines, most of my experience has been around Linux. I'm interested to see what I notice is different, since it has been a while since my last Windows box.
Starting with an nmap scan and directory fuzzing (in case it is running a web server, to see what we get right away), I'm not getting anything with default scripts on a TCP connect scan, and the directory fuzzing isn't giving me anything either. Changing to a SYN scan I get:
I also moved my fuzzing to port 8080 on a guess, since so many proxies use this port, and that is confirmed by my scan and gobuster results. I ran the scan again with scripts to get a better look at what services are running, and we can see we have a web server, msrpc, a SQL server, and SMB over 445 and 139 (possibly an EternalBlue exploit??).
Going to our 8080 address we find
Looking up osCommerce 2.3.4 I am able to see there are multiple vulnerabilities that can be exploited. Let's try this route and see if we can come up with anything. I first tried a CSRF exploit with the language PHP file with passthru but was getting an "Access Forbidden" error. Let's do another directory scan, specifically under oscommerce/catalog, to see what we find.
Looking at the RCE exploits available for osCommerce, we see they re-run the install.php page with our own PHP payload. Since we see the install directory was left in place after the initial install, this could be a solid route to take.
The idea behind this route was to reinstall the osCommerce application while including my injected code. I gave it a shot with a PHP reverse shell but kept getting a parsing error in the configuration file that was being written. After a few hours of trying to get this to work I decided to go another route: there is another arbitrary file upload vulnerability leveraging default settings in osCommerce.
In this exploit, we can create a privileged user and initialize a new database to upload a file to. Navigating to the catalog/install directory we see the following page, allowing us to continue.
After creating a new user I can run the exploit, uploading a simple PHP passthru script and authenticating as our new "admin" user. Now I can send commands.
Since we are able to confirm that proof of concept, let's use msfvenom to make a .exe reverse shell payload to send over. We can use the same exploit, then, browsing to the passthru.php page uploaded earlier, we can launch the reverse shell and catch it on our local machine.
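Seen from the defender's side, the foothold above rests on two osCommerce misconfigurations: the catalog/install/ directory left in place after setup, and a configure.php that the web server can still write to (osCommerce itself warns about the second in the admin panel). The following audit script is an added example, not code from the walkthrough or from osCommerce; it assumes a POSIX host and a constructed sample webroot laid out like a 2.3.x install.

```python
import stat
import tempfile
from pathlib import Path

# Locations osCommerce 2.3.x uses; the admin copy is checked as well.
CONFIG_FILES = (
    Path("catalog") / "includes" / "configure.php",
    Path("catalog") / "admin" / "includes" / "configure.php",
)


def audit_oscommerce(webroot):
    """Return a list of hardening findings for an osCommerce webroot.

    Flags a leftover install directory (anyone can re-run the installer)
    and any configure.php with a write bit set (the installer rewrites it).
    """
    root = Path(webroot)
    findings = []
    install_dir = root / "catalog" / "install"
    if install_dir.is_dir():
        findings.append(f"install directory still present: {install_dir}")
    for rel in CONFIG_FILES:
        cfg = root / rel
        if not cfg.exists():
            findings.append(f"configure.php missing: {cfg}")
            continue
        mode = cfg.stat().st_mode
        if mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
            findings.append(
                f"configure.php is writable: {cfg} (mode {oct(mode & 0o777)})"
            )
    return findings


def build_sample_webroot():
    """Constructed sample: an unhardened install with both problems present.

    Returns the temporary webroot so a caller can fix it and re-audit.
    """
    root = Path(tempfile.mkdtemp(prefix="osc_sample_"))
    (root / "catalog" / "install").mkdir(parents=True)
    for rel, mode in zip(CONFIG_FILES, (0o666, 0o444)):
        cfg = root / rel
        cfg.parent.mkdir(parents=True, exist_ok=True)
        cfg.write_text("<?php // constructed placeholder config\n")
        cfg.chmod(mode)  # catalog copy writable, admin copy read-only
    return root


if __name__ == "__main__":
    for line in audit_oscommerce(build_sample_webroot()):
        print("FINDING:", line)
```

Removing catalog/install/ and setting both configure.php files read-only brings the audit back to an empty list.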
Since this is a Windows machine and the first question on THM is to grab a decoded NTLM hash, I decided to give Mimikatz a try, as I have never actually used it before but have heard tons about it (I know, I'm late to the game). There are a few cute commands, such as the answer to the universe, but we can use it to dump the SAM NTLM hashes.
Trying to save time I threw them into CrackStation to see if any could be recovered, and we see Lab's is! With those credentials we can answer the first question, and navigate to the Administrator desktop as usual to find root.txt!
This one took me a while, mostly due to a ton of events in my personal life pulling me away and just bad timing. But I had a ton of fun, as I don't usually work with Windows machines for CTFs. Mimikatz was useful here, but I intend to explore it more, as I know it is much more complex than what I used it for today. I believe this could have been completed faster with Metasploit's Meterpreter and the osCommerce RCE exploit, and I will have to try it again via that path another time! I hope this walkthrough helped you, and thank you for reading!