# Blueprint - Unintended

First, we run an `nmap` scan:

<figure><img src="/files/tgmBTIVMjSU13GFXexwu" alt=""><figcaption></figcaption></figure>

<details>

<summary>Full scan</summary>

```
┌─[✗]─[root@edu-virtualbox]─[/tmp]
└──╼ #nmap -A -p- 10.10.97.242
Starting Nmap 7.92 ( https://nmap.org ) at 2023-07-05 12:33 CEST
Stats: 0:20:00 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 65.27% done; ETC: 13:03 (0:10:38 remaining)
Stats: 0:27:32 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 89.79% done; ETC: 13:03 (0:03:08 remaining)
Nmap scan report for 10.10.97.242
Host is up (0.27s latency).
Not shown: 65522 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 7.5
|_http-title: 404 - File or directory not found.
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|_http-title: Index of /
| tls-alpn:
|_  http/1.1
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
| http-methods:
|_  Potentially risky methods: TRACE
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds Windows 7 Home Basic 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql        MariaDB (unauthorized)
8080/tcp  open  http         Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|_http-title: Index of /
| http-methods:
|_  Potentially risky methods: TRACE
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC
Aggressive OS guesses: Microsoft Server 2008 R2 SP1 (95%), Microsoft Windows 7 or 8.1 R1 or Server 2008 R2 SP1 (93%), Microsoft Windows 8.1 (93%), Microsoft Windows 7 or 8.1 R1 (93%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows 10 10586 - 14393 (91%), Microsoft Windows 10 1607 (91%), Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (91%), Microsoft Windows Server 2008 SP1 (91%), Windows Server 2012 R2 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: BLUEPRINT, NetBIOS user: <unknown>, NetBIOS MAC: 02:47:d7:90:5c:2d (unknown)
| smb-os-discovery:
|   OS: Windows 7 Home Basic 7601 Service Pack 1 (Windows 7 Home Basic 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: BLUEPRINT
|   NetBIOS computer name: BLUEPRINT\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-07-05T12:05:10+01:00
| smb2-time:
|   date: 2023-07-05T11:05:12
|_  start_date: 2023-07-05T10:18:16
|_clock-skew: mean: -20m13s, deviation: 34m37s, median: -14s

TRACEROUTE (using port 5900/tcp)
HOP RTT       ADDRESS
1   24.53 ms  10.8.0.1
2   136.93 ms 10.10.97.242

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1955.94 seconds

```

</details>
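Before moving on to the web services, it is worth turning the scan into a hardening list: the report above already shows TRACE enabled on three HTTP listeners, a TLS certificate that expired in 2019, SMB message signing disabled, an Internet-facing MariaDB and end-of-life software (IIS 7.5, PHP 5.6, Windows 7). The following added example (not from the original writeup) parses a constructed excerpt of that nmap output and flags those findings; the EOL marker list is an assumption of the example, not something nmap emits.

```python
import re
from datetime import datetime

# Constructed excerpt of the nmap -A output shown above (not the full report).
NMAP_OUTPUT = """\
80/tcp    open  http         Microsoft IIS httpd 7.5
|_  Potentially risky methods: TRACE
443/tcp   open  ssl/http     Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_  Potentially risky methods: TRACE
445/tcp   open  microsoft-ds Windows 7 Home Basic 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql        MariaDB (unauthorized)
Host script results:
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")
# Assumed version-string markers for software past vendor end of life.
EOL_MARKERS = ("IIS httpd 7.5", "PHP/5.6", "Windows 7 ")

def audit_nmap(text, scan_date):
    """Return (port, finding) tuples a defender would want to remediate."""
    findings, port = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:                                   # start of a new port block
            port, version = int(m.group(1)), m.group(3)
            if port == 3306:
                findings.append((port, "database service reachable from the network"))
            if any(mark in version for mark in EOL_MARKERS):
                findings.append((port, "end-of-life software: " + version))
            continue
        if line.startswith("Host script results"):
            port = None                         # host-level NSE results follow
        if "Potentially risky methods: TRACE" in line:
            findings.append((port, "HTTP TRACE enabled"))
        m = re.search(r"Not valid after:\s+(\S+)", line)
        if m and datetime.fromisoformat(m.group(1)) < scan_date:
            findings.append((port, "TLS certificate expired on " + m.group(1)))
        if "message_signing: disabled" in line:
            findings.append((445, "SMB message signing disabled"))   # SMB lives on 445
    return findings

def audit_blueprint_scan():
    """Audit the excerpt using the scan date from the report header (2023-07-05)."""
    return audit_nmap(NMAP_OUTPUT, datetime(2023, 7, 5))
```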

It seems there are three web services open, on ports 80, 443 and 8080.\
Let's see what's on port 8080:

<figure><img src="/files/xjRqBDHDOI35oL52mrei" alt=""><figcaption></figcaption></figure>

After following the link:


<figure><img src="/files/4J6nzblASjwl8RJRTTOG" alt=""><figcaption></figcaption></figure>

After following the link to `catalog/`, we find a webpage running `oscommerce 2.3.4`:

<figure><img src="/files/e04McsEzanpsadZzgl75" alt=""><figcaption></figcaption></figure>

Let's check `searchsploit` for any potential vulnerabilities.\
When looking through the `searchsploit` output, you want to prioritize any `rce` entries, as they give you direct access to the system.

<figure><img src="/files/zc1hIngpgmWva4cmUft1" alt=""><figcaption></figcaption></figure>

There are two `rce` exploits, so let's get the newest one and run it:

<figure><img src="/files/iYfsAcLol3Tfx1UmYFPV" alt=""><figcaption></figcaption></figure>

We have a root shell, giving us full access to the system.

