Blueprint || TryHackMe WalkThrough
[Stage 1] Enumeration/Reconnaissance
The first and very important step is Enumeration and Reconnaissance. We need to have as much information as possible to be able to hack into this machine. First we are going to use nmap to scan the ports of the target.
sudo nmap -sS -sV -sC -vv -T4 -Pn [targetMachineIP]
The results of the scan show 13 open ports,
and after the service scan (-sV) we have the following details about these ports:
So we can see that on ports 80, 443 and 8080 there is an http or ssl/http service. This means that we can connect to these ports from our browser and see what content exists.
Investigating port 80/http service
Accessing port 80 through the Firefox browser gives us a 404 error.
http://[targetMachineIP]:80
Let's do a directory enumeration with gobuster. Maybe there is a hidden directory somewhere on this port.
gobuster dir -u http://[targetMachineIP] -w /usr/share/wordlists/dirb/big.txt
Directory enumeration had no luck. It seems that port 80 does not have anything useful.
Investigating port 443/ssl-http service
Accessing port 443 through the Firefox browser we see a 400 error. There is nothing hidden in the page's source code and the links do not lead anywhere useful.
https://[targetMachineIP]:443
Let's try gobuster again; maybe we get lucky now.
It seems that there is a problem with the certificate (gobuster refuses a self-signed certificate unless TLS validation is skipped with -k). We have another port to investigate, so we can continue, and if we do not find an attack vector to gain access to the target machine we will come back to this port and investigate more.
Investigating port 8080/http service
Accessing port 8080 through the Firefox browser we can see there is a directory named “oscommerce-2.3.4”.
http://[targetMachineIP]:8080
So what is oscommerce-2.3.4? We can Google it!
From the results we can see that osCommerce is “a complete store solution that contains both a shop frontend and an administrator backend …”; long story short, this is online shop software. We can also see that there are RCE exploits for version 2.3.4.1. These exploits may be useful later ;-).
Ok, now let's go back to the site and investigate these files.
oscommerce-2.3.4 directory
In the oscommerce-2.3.4/catalog directory we can see a broken online shop with a lot of links. After investigating all these links and the page source code I did not find anything useful. Maybe you can find something and comment below, that would be awesome!
Inside the /oscommerce-2.3.4/docs directory there is a bunch of stuff that you can read through if you want. Again I did not find anything of interest.
/oscommerce-2.3.4/docs directory
Let's also use gobuster on this port.
We found some directories, but most of them return a 403 status and the ones that do not are not useful.
Let's summarize what we have. We have osCommerce software version 2.3.4, a bunch of directories in oscommerce-2.3.4 and a possible RCE exploit. With this data I think it is safe to try the RCE exploits.
[Stage 2] Exploitation
When we googled “oscommerce-2.3.4” we found some RCE exploits. To be exact we found 2 exploits: EDB-ID 50128 and EDB-ID 44374.
We can start with exploit 44374 because it is EDB Verified, and if it does not work we can use 50128. Using searchsploit on our Kali machine we can find this script.
searchsploit 44374
searchsploit -m 44374.py
Let's open this script with vim and read through it so we can understand how it works.
From the “Versions” section we can see that it will work with version 2.3.4 of osCommerce. The comments state that “If an Admin has not removed the /install/ directory … for an unauthenticated attacker to reinstall the page.”, so let's test if the /install directory exists on our target machine. We can also look at the target_url to help us find where the install directory might be.
Success, this directory exists and might be exploitable. Let's read the rest of the code so we can tune it to our needs. First of all we need to change the base_url and the target_url to the target machine IP and the right directories.
Further down we can see a payload.
This seems like a Linux PoC payload, but we know from the enumeration (and the description of this challenge 😛) that our target machine runs Windows. After some searching for PHP payloads I found that this payload will work like a charm from here. We just need to change the $ip parameter to our IP so we can get a reverse shell on port 1234.
In the end the payload looks like this
As you can see we must modify the code a little bit. You can get the modified version from here (yes, another very good writeup, I encourage you to check it out), but you still need to put your IP in the $ip parameter.
Running the script
sudo python3 44374.py
First we need to open a netcat listener on port 1234.
nc -nlvp 1234
And then curl the URL that the script shows.
And BOOOM, we are in! With Admin privileges.
Now we can answer the second question of this challenge. The root txt can be found on
dir C:\Users\Administrator\Desktop\root.txt.txt
For the first question we need to do more work. We need to extract the hashes from the target machine. If you try to search how to dump hashes from a Windows machine you will see methods using Mimikatz, Metasploit and many more sophisticated tools, but in reality there is a more convenient, easy and less intrusive method.
To be able to dump the hashes we need 3 hives: SAM, SECURITY and SYSTEM (I want to write an article about these hives, so if you are interested stay tuned). We can get a copy of these hives with the following commands. We can save these copies to C:\xampp\htdocs\oscommerce-2.3.4\
reg.exe save hklm\sam C:\xampp\htdocs\oscommerce-2.3.4\sam.save
reg.exe save hklm\security C:\xampp\htdocs\oscommerce-2.3.4\security.save
reg.exe save hklm\system C:\xampp\htdocs\oscommerce-2.3.4\system.save
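The three reg.exe commands above are exactly what a defender should be alerting on. The following is an added example, not code from the original walkthrough: it scans constructed process-creation events (Sysmon event 1 / Windows 4688 style, with the pipe-separated field layout assumed here) for reg.exe saving the SAM, SECURITY or SYSTEM hives, and raises the severity when the copy lands inside a web root or the command was spawned under a web server process, which is the chain this web shell produces.

```python
import re
from dataclasses import dataclass

# Constructed events (not real telemetry). Fields: time | parent image | image | command line
SAMPLE_EVENTS = [
    r"10:01:02|C:\xampp\apache\bin\httpd.exe|C:\Windows\System32\cmd.exe|cmd.exe /c reg.exe save hklm\sam C:\xampp\htdocs\oscommerce-2.3.4\sam.save",
    r"10:01:03|C:\Windows\System32\cmd.exe|C:\Windows\System32\reg.exe|reg.exe save hklm\security C:\xampp\htdocs\oscommerce-2.3.4\security.save",
    r"10:01:04|C:\Windows\System32\cmd.exe|C:\Windows\System32\reg.exe|reg.exe save HKEY_LOCAL_MACHINE\SYSTEM C:\Users\Public\system.save",
    r"10:05:00|C:\Windows\explorer.exe|C:\Windows\System32\reg.exe|reg.exe query hklm\software\microsoft\windows\currentversion\run",
    r"10:06:00|C:\Windows\System32\cmd.exe|C:\Windows\System32\reg.exe|reg.exe save hklm\software\myapp C:\backup\myapp.hiv",
]

# reg / reg.exe followed by save or export of one of the three credential hives
HIVE_RE = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\s+(?:hklm|hkey_local_machine)\\(sam|security|system)\b",
    re.IGNORECASE,
)
# a destination inside a typical web root means the copy is staged for download over HTTP
WEB_ROOT_RE = re.compile(r"\\(htdocs|wwwroot|inetpub|www)\\", re.IGNORECASE)
# a web server as parent means the command came from a web shell or an exploited web app
WEB_SERVER_RE = re.compile(r"\\(httpd|apache|nginx|w3wp|php-cgi)\.exe$", re.IGNORECASE)

@dataclass
class Finding:
    time: str
    hive: str
    severity: str
    reason: str

def analyze_process_events(events):
    findings = []
    for event in events:
        time, parent, _image, cmdline = event.split("|", 3)
        match = HIVE_RE.search(cmdline)
        if not match:
            continue  # ordinary reg.exe use (queries, app-specific keys) is not interesting
        hive = match.group(1).upper()
        severity, reasons = "medium", [f"{hive} hive saved via reg.exe"]
        if WEB_ROOT_RE.search(cmdline):
            severity = "high"
            reasons.append("destination is inside a web root")
        if WEB_SERVER_RE.search(parent):
            severity = "high"
            reasons.append("spawned under a web server process")
        findings.append(Finding(time, hive, severity, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for f in analyze_process_events(SAMPLE_EVENTS):
        print(f"{f.time} [{f.severity}] {f.hive}: {f.reason}")
```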
Because we have access to this directory from the browser on our Kali machine, we can simply click on them and download these files, so we do not need complex methods to transfer the files.
On our Kali machine we can use secretsdump.py from Impacket to dump the hashes.
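The web side of the same activity leaves traces too: the /install/ directory the exploit script relies on being reachable, and the hive copies being fetched over HTTP, both show up in the Apache access log. The following is an added example, not part of the original post; the log lines, client IPs and hive file names are constructed, and it also correlates a client that did both things.

```python
import re

# Constructed Apache common-format access log lines for the XAMPP host (not real traffic).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/May/2024:10:00:01 +0000] "GET /oscommerce-2.3.4/catalog/index.php HTTP/1.1" 200 5123',
    '10.0.0.9 - - [12/May/2024:10:00:40 +0000] "GET /oscommerce-2.3.4/catalog/install/ HTTP/1.1" 200 2210',
    '10.0.0.9 - - [12/May/2024:10:00:55 +0000] "POST /oscommerce-2.3.4/catalog/install/install.php HTTP/1.1" 200 1880',
    '10.0.0.9 - - [12/May/2024:10:03:12 +0000] "GET /oscommerce-2.3.4/sam.save HTTP/1.1" 200 65536',
    '10.0.0.9 - - [12/May/2024:10:03:13 +0000] "GET /oscommerce-2.3.4/system.save HTTP/1.1" 200 12582912',
    '10.0.0.7 - - [12/May/2024:10:04:00 +0000] "GET /oscommerce-2.3.4/docs/ HTTP/1.1" 403 301',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# the installer directory should not exist on a deployed shop at all
INSTALL_RE = re.compile(r"/install/", re.IGNORECASE)
# the reg.exe output names from the walkthrough plus common hive file extensions
HIVE_DUMP_RE = re.compile(r"/(?:sam|security|system)\.save$|\.(?:hiv|hive)$", re.IGNORECASE)

def analyze_access_log(lines):
    """Return (ip, kind, severity, reason) tuples for suspicious requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a common/combined-format line
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = m["path"].split("?", 1)[0]
        if INSTALL_RE.search(path):
            sev = "high" if method == "POST" else "medium"  # POST = reinstall attempt
            findings.append((ip, "install", sev, f"{method} {path} -> {status} (install directory reachable)"))
        elif HIVE_DUMP_RE.search(path) and status == 200:
            findings.append((ip, "hive_dump", "critical", f"{method} {path} served a registry hive dump"))
    return findings

def correlate(findings):
    """Clients that both touched the install directory and pulled a hive dump."""
    kinds_by_ip = {}
    for ip, kind, _sev, _reason in findings:
        kinds_by_ip.setdefault(ip, set()).add(kind)
    return sorted(ip for ip, kinds in kinds_by_ip.items() if kinds >= {"install", "hive_dump"})

if __name__ == "__main__":
    for ip, kind, sev, reason in analyze_access_log(SAMPLE_ACCESS_LOG):
        print(f"{ip} [{sev}] {kind}: {reason}")
    print("clients to contain:", correlate(analyze_access_log(SAMPLE_ACCESS_LOG)))
```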
python3 secretsdump.py -sam /home/kali/Downloads/sam.save -security /home/kali/Downloads/security.save -system /home/kali/Downloads/system.save LOCAL
Thank you for reading!!!
Hope you're doing great hacking; if you have any questions & inquiries you can ask me on LinkedIn or Instagram.