Blueprint
https://tryhackme.com/room/blueprint
NTLM Hash
Let's start as usual with an nmap scan

A more detailed scan:

By the name of the room we could think it's about an EternalBlue vulnerability, so let's see whether the machine is patched.

Shame, it's patched. Let's check the SMB shares instead.

We only have read permission on the Users share. Let's take a look.

Apparently nothing interesting, but let's download the files just in case.

Let's move to port 80 and see if we find anything interesting.

Nothing so far. What if we use dirsearch to see whether there's something hidden?

Nope. Let's move to port 8080.

There's an oscommerce folder. We can look up the specific osCommerce version and see whether there's a known exploit for it.

Let's take a look at the 44374.py exploit and see if it works.

It looks like it can work. We can modify the payload so that the victim machine downloads a reverse shell, which gives us access to it. Don't forget to modify the URLs.

Now we have to start a Python HTTP server and run the exploit.

Open the link to execute the code.

Check the /include/ folder.

It worked: our reverse shell was uploaded. Now we only have to start a netcat listener and click on the file.

We're in. Let's check who we are.

We're already SYSTEM (root), so we don't have to privesc. With system privileges we can download mimikatz and dump the hashes.


Nice, we got the hash. Now we can copy it and crack it with hashcat, john, or an online tool like https://crackstation.net/
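Why an NTLM (NT) hash can be looked up on a site like crackstation at all is worth understanding: the NT hash is plain MD4 over the UTF-16LE encoding of the password, with no salt, so every user who picks the same password gets the same hash and a precomputed table or wordlist check is enough. The block below is an added example, not code from the room or from the write-up above; it implements MD4 from RFC 1320 in pure Python (hashlib's md4 is often disabled in modern OpenSSL builds), derives the NT hash, and runs a defensive banned-password audit over a constructed set of hashes. The wordlist and sample hashes are constructed for the example.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 digest as specified in RFC 1320 (pure Python, little-endian words)."""
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        # Each step updates one register; rotating (a, b, c, d) -> (d, a', b, c)
        # reproduces the ABCD/DABC/CDAB/BCDA ordering from the RFC.
        for i in range(16):  # round 1: F, message words in order
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & MASK, s), b, c
        for i in range(16):  # round 2: G, constant sqrt(2)
            s = (3, 5, 9, 13)[i % 4]
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, s), b, c
        for i in range(16):  # round 3: H, constant sqrt(3)
            s = (3, 9, 11, 15)[i % 4]
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, s), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK

    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password, no salt, hex-encoded."""
    return md4(password.encode("utf-16-le")).hex()


def audit_against_banned_list(hashes: dict, banned: list) -> dict:
    """Defensive audit: map account -> banned word for every account whose NT hash
    equals the hash of a word on the banned-password list. Because there is no
    salt, one hash computation per word covers every account at once."""
    table = {nt_hash(word): word for word in banned}
    return {user: table[h] for user, h in hashes.items() if h in table}


if __name__ == "__main__":
    # Constructed sample: two accounts sharing a weak password, one with a strong one.
    banned = ["password", "Welcome1", "Summer2024"]
    sample = {
        "svc_backup": nt_hash("password"),
        "jdoe": nt_hash("password"),
        "admin": nt_hash("correct horse battery staple xK9#"),
    }
    print("NT('password') =", nt_hash("password"))
    print("identical hashes for identical passwords:", sample["svc_backup"] == sample["jdoe"])
    print("accounts using banned passwords:", audit_against_banned_list(sample, banned))
```

The same no-salt property is why defenders audit AD password hashes against breach lists and enforce long passphrases or LAPS for local administrators: a single hash computation per candidate word is compared against every account in the dump, exactly as the lookup services do.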

Root Flag
To get the root flag we just have to go to the Desktop folder of the Admin user.
