# Blueprint

![](/files/-McknpLwONNwiQb00Zm5)

## Scanning

Nmap scan to find open ports

![](/files/-Mcknwt9VC866gKWiScG)

Detailed nmap scan

![](/files/-Mckp90Ued9MKyOxGR2P)

## Enumeration

We will start with HTTP, since it usually gives us the most information. Port 80 returns a `404` (file/directory not found) and port 443 is just HTTPS, so we will look at port 8080 first.

### Port 8080: HTTP

Let's visit the site.

![](/files/-Mckqlg81CxnfhJZIOzN)

The page exposes the service and its version (osCommerce 2.3.4) together with a list of directories. Let's check those directories.

#### `/catalog`

![](/files/-MckrAo2BoztOlxcr9wo)

It does not look like a well-made website. Before poking at it by hand, let's search searchsploit for exploits against this service and version.

![](/files/-MckrX9Muwsbz4HHH3Uw)

We get 7 exploits; the last two are the most interesting, so let's test them.

Let's copy these exploits to our working directory and look at them in detail.

![](/files/-McksIZo-xPMNTRKTKHQ)

Let's rename the files so we know which exploit is which.

![](/files/-MckswkF0qbVdvqgAQpu)

Now let's look at the Arbitrary File Upload exploit.

![](/files/-McktCJZMI8eOPrxjuuV)

Looking at the exploit (I highlighted the important lines), it targets the `/admin` directory, which means we need a valid username and password to authenticate first. We do not have credentials yet, so this exploit is of no use until we find some. Let's look at the Remote Code Execution exploit instead.

![](/files/-McktmGVX2w47WZhp0F0)

This exploit needs no credentials from our side, so we should be able to use it as-is. We only have to change the URL in the exploit to the victim machine's IP, add port 8080, and change the osCommerce version string, since the target runs 2.3.4.

![](/files/-Mco0lobXe1Rw2R6AbQN)

## Exploitation

Now let's save the file and run the exploit.

![](/files/-Mckv0AgqGPQ5xlca6gY)

The exploit reports success; let's visit the URL it gives us.

![](/files/-MckvEu8aOFKYBYDtT5S)

So `system()` has been disabled (this is the message PHP gives when a function is listed in `disable_functions`). `exec()` is not on that list, so let's change the payload to use `exec()` instead.

Before

![](/files/-MckvQ4ZwsGZC4Tuj0NT)

After

![](/files/-MckvVt_QPBU5MY86x0U)

Now let's run the exploit again.

![](/files/-MckvpCfgWkJcGVfCsrB)

![](/files/-MckvqzkSQROeffYRZD3)

We still do not know whether the command ran: unlike `system()`, `exec()` does not print the command's output (it only returns the last line to the caller), so a blank page proves nothing either way. Let's change the exploit's payload to code that downloads a webshell onto the webserver. There are several steps, so let's go through them one by one.

First, let's change the code in the exploit.

![](/files/-Mco-F1CPiTBgBgZti34)

Make sure it matches this:

![](/files/-Mco-JCm0W2EC3DbgB0V)

Replace my IP with your own, then save the file and run it.

![](/files/-Mco3emBW4S_hsay6prE)

Now start an HTTP server on your machine so that the webserver can download the `shell.php` file we are going to upload.

![The shell.php file](/files/-Mco-ePfNmdG-mfVhU9v)

![](/files/-Mco-iHxC6ebKxYdWtHN)

Now open the link the exploit printed when we ran it.

![](/files/-Mco-q2rz8jMkTgeThWP)

Once you do, you should see in your HTTP server's log that the webserver downloaded some files.

![](/files/-Mco-wkmmyRxwmY5_nym)

If you now browse to the `includes` directory you should see the shell.

![](/files/-Mco09Opm55zGijlKvta)

Now we can execute commands by going to this URL:

![](/files/-Mco0MPcxOjdFbx97uqc)

The important part is the `cmd` parameter: whatever command you put after the `=` sign is executed on the server. Spaces and other special characters in the command need to be URL-encoded (`%20` for a space), as in the URL below.

We can read the root flag by going to this URL:

```
http://<Machine IP>:8080/oscommerce-2.3.4/catalog/install/includes/shell.php?cmd=type%20C:\Users\Administrator\Desktop\root.txt.txt
```

![](/files/-Mco2HXV76BDWQithVGc)

To answer the first question we need to dump the local account hashes from the SAM to get the NTLM hash. For that we upload `mimikatz.exe` to the webserver the same way we uploaded the shell, so let's do that.

First locate the file on your machine and copy it to your working directory.

![](/files/-Mco3OfX-bSO-JHHMDoM)

Now we have to upload it, so let's go back to the exploit file and change the filename the payload fetches from our HTTP server.

![](/files/-Mco3wmmwBTwidzkycET)

Now let's run the exploit again and open the URL it gives us.

![](/files/-Mco42t_2_CBcNisBZ4A)

Once you do, you should see that the file has been downloaded.

![](/files/-Mco4MlkvANG6bIhQfGS)

Now go to the `includes` folder and you should see the file.

![](/files/-Mco4W2LdjSwsIUgdznq)

Now if we go to this URL and run the mimikatz command I found while researching on Google, we should get the NTLM hash. The `lsadump::sam` module reads the local account hashes out of the SAM, which requires administrative privileges; since we could already read `root.txt.txt` from the Administrator's desktop through the shell, the account the webserver runs as is privileged enough.

The URL (the browser URL-encodes the spaces and quotes for us):

```
http://<Machine IP>:8080/oscommerce-2.3.4/catalog/install/includes/shell.php?cmd=mimikatz "lsadump::sam" exit
```

![](/files/-Mco5vXnaNPu3eLKRC0J)

We have the hash. Let's crack it using [CrackStation](https://crackstation.net/).

![](/files/-Mco69LoQrsDSY2VSDMR)

This is the answer to the first question, and with it we have completed the room.
