Blueprint
Scanning
Nmap scan to find open ports
Detailed nmap scan
Enumeration
We will start with http as we get a lot of information from here, we will first look at Port 8080 as Port 80 is showing a 404 file/directory
not found and Port 443 is https
Port 8080: HTTP
Lets visit the site
We have the service and the version and a lot of information being displayed, lets check these directories.
/catalog
/catalog
Does not look like a well made website, well first lets search for exploits on this service on searchsploit
We have 7 exploits, the last two are the ones that are the most interesting, lets test them out.
Lets copy these exploits to our directory and look at them at detail
Lets rename the files so that we know what exploits they are
Now lets look at the Arbitrary File Upload exploit
Looking at the exploit , I highlighted the important lines , we are attacking the /admin
directory, so we need a username and a password to login so that we can authenticate ourselves, but we do not have credentials, so we cannot use this exploit until we have credentials. Lets look at the Remote Code Execution exploit
This exploit does not require any information from our side, so I think we can use this exploit, lets change the URL in the exploit to the IP of the victim machine and we also have to add port 8080 and change the version of oscommerce as ours is different.
Exploitation
Now lets save the file and run the exploit.
Looks like the exploit was successful, lets visit this URL
Oh, so system()
has been disabled, lets go change it to exec()
Before
After
Now lets run the exploit
Ok, so we do not know if the code is being executed, so lets change the contents of the exploit and add code that will download a webshell onto the webserver, there are a number of steps to do, so lets go through them one by one.
So first lets change the code in the exploit
Make sure it is the same as this
Make sure you add your own IP instead of mine. Now save the file and run the file.
Now start a http server so that the webserver can download the shell.php file we are going to upload
Now go to the link they gave when we ran the exploit.
Once you do, you should see that some files were downloaded onto the webserver.
Now if you go to the includes directory you should see the shell.
Now we can execute command by going to this URL
The important part is the parameter, it should be cmd, and whatever command you put after the =
symbol, that command will be executed.
We can get the root flag by going to this URL
To get the answer to the first question we need to dump the hashes so that we can get the NTLM hash, to do this we need to upload a mimikatz.exe
file which will help us with this task, so lets do that.
First locate the file on your machine and copy it to your directory
Now we have to upload it, so lets go the exploit file and change the file that we want to upload
Now lets run the exploit again go to the URL they give us.
Once you do, you should see that the file has been downloaded
Now go to the includes folder and you should see the file
Now if we go to this URL and run the command that I found after researching on google , we should in theory get the NTLM Hash.
The URL
We have the hash, lets crack it using Crackstation
This is the answer to the first question, we now completed the room.
Last updated