Blueprint – Try Hack Me

Let’s kick it off with a port scan.

Nmap Scan

Checking the ports, there is an osCommerce instance on port 8080. Accessing the catalog directory, there is a messed-up website. Time to do directory brute-forcing. I use gobuster for that task, and an “install” page pops up.

Checking that page, I’m able to install osCommerce. I used the following creds for the database:

Install details

Now I have to wait for the database to be imported. After the DB import is done, I set the admin credentials. I chose admin:admin as user and pass.

We have access to the admin panel, so now it’s time to search for an exploit. Using searchsploit, I find an Arbitrary File Upload vuln.

Searchsploit Results

Let’s see what we need in order to upload a shell.

Upload Requirements

Upon testing, I made this simple PHP file to upload. With this, I can issue commands to the OS.

PHP File Content

Time to upload the shell!

Shell Uploaded Successfully

Let’s access it, put the “cmd” parameter, and issue a command.

Method 1
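
From the defender's side, both the reachable “install” page and the web shell's “cmd” requests leave traces in the web server's access log. The following is an added example, not part of the original write-up, that flags both over a constructed log; the IPs, paths and file names in it are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access log; IPs, paths and file names are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /shop/catalog/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:09 +0000] "GET /shop/catalog/install/ HTTP/1.1" 200 2048 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2024:10:03:40 +0000] "POST /shop/catalog/install/install.php?step=4 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:09:11 +0000] "GET /shop/catalog/images/s.php?cmd=whoami HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:10:00 +0000] "GET /shop/catalog/product_info.php?products_id=3 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:11:00 +0000] "GET /shop/catalog/install/ HTTP/1.1" 404 300 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
CMD_PARAMS = {"cmd"}  # parameter name used in the write-up; extend as needed


def scan(log_text):
    """Return (client_ip, rule, path) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, status = m.groups()
        url = urlsplit(target)
        # Rule 1: the installer still answers (2xx/3xx). A 404 means it was removed.
        if "install" in url.path.split("/") and status[0] in "23":
            findings.append((ip, "installer-reachable", url.path))
        # Rule 2: a PHP script is called with a command-style query parameter.
        params = parse_qs(url.query, keep_blank_values=True)
        if url.path.lower().endswith(".php") and CMD_PARAMS & params.keys():
            findings.append((ip, "command-parameter", url.path))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Removing the install directory after setup is what turns the first rule's hits into 404s, which the scan deliberately ignores.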

Seems we’re NT Authority (highest-privileged account). To get a reverse shell, I leveraged the msfconsole web delivery module.

Web Delivery Options

I copied the last line and pasted it in my web shell to get it executed. You’ll have to wait a little to get it executed, but there’s gonna be a success.

Receiving the Reverse Connection

Now, by simply running hashdump, you’ll dump the users’ hashes.