Blueprint

Scanning

Nmap scan to find open ports

Detailed nmap scan
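As an added example (my own script, not the commands from the original writeup), here is the two-stage scan the captions above describe: a fast sweep of all ports written as grepable output, then the detailed `-sC -sV` scan restricted to the ports that came back open. The grepable sample embedded below is constructed for this example and is not the room's real scan output; the target address is a placeholder.

```python
"""Two-stage nmap workflow: sweep all ports, then run default scripts and
version detection on just the open ones.  Added example; the sample
grepable output is constructed, not the room's actual scan."""
import re
import shlex

# Constructed nmap -oG output for a host with three open ports (placeholder IP).
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -p- --min-rate 2000 -oG stage1.gnmap 10.10.10.11
Host: 10.10.10.11 ()\tStatus: Up
Host: 10.10.10.11 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//ssl|http///, 445/filtered/tcp//microsoft-ds///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned in 30.00 seconds
"""

# Grepable port entries look like  port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)//([^/]*)/")


def open_ports(gnmap: str) -> dict:
    """Map open TCP port -> service name from nmap -oG text.
    Only 'open' counts; 'filtered' and 'closed' entries are skipped."""
    found = {}
    for line in gnmap.splitlines():
        if "Ports:" not in line:
            continue
        for port, state, proto, service in PORT_RE.findall(line):
            if state == "open" and proto == "tcp":
                found[int(port)] = service
    return dict(sorted(found.items()))


def stage1_cmd(target: str, out: str = "stage1.gnmap") -> list:
    """All 65535 TCP ports, fast, grepable output only."""
    return ["nmap", "-p-", "--min-rate", "2000", "-oG", out, target]


def stage2_cmd(target: str, ports, out: str = "stage2") -> list:
    """Default scripts (-sC) and version detection (-sV) on the open ports;
    -oA writes .nmap/.gnmap/.xml files with the given prefix."""
    if not ports:
        raise ValueError("no open ports to scan")
    return ["nmap", "-sC", "-sV", "-p", ",".join(str(p) for p in ports), "-oA", out, target]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.11"  # placeholder
    print(shlex.join(stage1_cmd(target)))
    ports = open_ports(SAMPLE_GNMAP)  # in practice: open("stage1.gnmap").read()
    print(shlex.join(stage2_cmd(target, ports)))
```

Run stage 1, feed its `.gnmap` file to `open_ports`, and the second command line is built for you; the filtered 445 entry in the sample is deliberately dropped, since scripting against a filtered port only wastes time.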

Enumeration

We will start with HTTP, since that is where we get the most information. Port 80 only returns a 404 (file/directory not found) and port 443 is HTTPS, so we will look at port 8080 first.

Port 8080: HTTP

Let's visit the site.

We have the service and its version on display, along with a lot of other information, so let's check these directories.

/catalog

It does not look like a well-made website. Before going further, let's search for exploits for this service with searchsploit.

We get 7 exploits; the last two are the most interesting, so let's test them.

Let's copy these exploits to our working directory and look at them in detail.

Let's rename the files so we know which exploit is which.

Now let's look at the Arbitrary File Upload exploit.

Looking at the exploit (I highlighted the important lines), it targets the /admin directory, so it needs a username and password to authenticate. We do not have credentials yet, so we cannot use this exploit until we find some. Let's look at the Remote Code Execution exploit instead.

This exploit does not require any credentials from our side, so we should be able to use it. Let's change the URL in the exploit to the IP of the victim machine, add port 8080, and change the osCommerce version, since ours is different.

Exploitation

Now let's save the file and run the exploit.

It looks like the exploit was successful; let's visit the URL it printed.

Oh, so system() has been disabled. That warning comes from PHP's disable_functions setting, which only blocks the functions listed in it, so let's change system() to exec(). (If exec() were blocked as well, shell_exec() and passthru() would be the next candidates to try.)

Before

After

Now let's run the exploit.

OK, now we cannot tell whether the code is being executed: unlike system(), exec() only returns the command output rather than printing it, so a successful run shows nothing. Let's change the exploit so that the injected code downloads a webshell onto the web server. There are a number of steps, so let's go through them one by one.

So first let's change the code in the exploit.

Make sure it is the same as this:

Make sure you use your own IP instead of mine. Now save the file and run it.

Now start an HTTP server on the attacking machine so the web server can download the shell.php file we are going to upload.

Now go to the link that was given when we ran the exploit.

Once you do, you should see (in the HTTP server's log) that files were downloaded onto the web server.

Now if you go to the includes directory you should see the shell.

Now we can execute commands by going to this URL:

The important part is the parameter: it must be cmd, and whatever command you put after the = sign will be executed.

We can get the root flag by going to this URL:

http://<Machine IP>:8080/oscommerce-2.3.4/catalog/install/includes/shell.php?cmd=type%20C:\Users\Administrator\Desktop\root.txt.txt

To answer the first question we need to dump the hashes to get the NTLM hash. To do this we need to upload mimikatz.exe, which will do the job for us, so let's do that.

First locate the file on your machine and copy it to your working directory.

Now we have to upload it, so let's go to the exploit file and change the file that we want to upload.

Now let's run the exploit again and go to the URL it gives us.

Once you do, you should see that the file has been downloaded.

Now go to the includes folder and you should see the file.

Now if we go to this URL and run the command that I found after researching on Google, we should in theory get the NTLM hash.

The URL (the browser will percent-encode the spaces and quotes for us):

http://<Machine IP>:8080/oscommerce-2.3.4/catalog/install/includes/shell.php?cmd=mimikatz "lsadump::sam" exit

We have the hash; let's crack it using CrackStation.

This is the answer to the first question, and the room is now complete.
