Blaster -TryHackMe Writeup

Posted byWaqas AhmedPosted inBlaster THM, Ethical Hacking & Penetration Testing, TryHackMeTags:, , , ,

Introduction:

The purpose of this writeup is to document the steps I took to complete Tryhackme.com (THM)’s room Blaster hacking tasks.

Resources/Tools Used:

  • nmap
  • gobuster
  • Metasploit Framework

[Task 1] Mission Start!

This task was mainly concerned with connectivity to THM and target machine.

#1 No answer needed. This subtask requires you to deploy the machine.

[Task 2] Activate Forward Scanners and Launch Proton Torpedoes

This task was mainly concerned with performing some basic enumeration of the services running on target machine.

#1 There were only 2 ports open on target machine.

nmap quick scan

#2 “IIS Windows Server” was the title of the webpage.

Webpage
Page source

#3 Discovered directory was “/retro”.

Discovered directory

#4 Username identified was “Wade”.

Username

#5 Upon clicking the post “Ready Player One”, password was stored as a comment.

Post that failed login
USer password

#6 User flag found by logging in using remote desktop client with credentials identified in previous steps.

xfreerdp client
User flag

[Task 3] Breaching the Control Room

This task was mainly concerned with privilege escalation and gaining access to system.

#1 Viewing the browsing history identified CVE-2019-1388 as the CVE researched on the system.

Browsing history

#2 hhupd is the executable required for exploiting CVE-2019-1388. This executable can be identified either by googling the CVE or by viewing file in the recycle bin.

Googling CVE-2019-1388
Recycle bin

#3 No answer needed. First we check our current user authority.

Current user authority

Copy the “hhupd.exe” file from recycle bin to desktop.

Copy hhupd.exe from recycle bin

Right click “hhupd.exe” and click “Run as Administrator”.

Administrator password required

As we don’t have the Administrator password, we click “Show information about the publisher’s certificate”.

Certificate information

Click the “VeriSign Commercial Software Publishers CA”. This opened a browser window.

VeriSign Page

 Click “File -> Save As” option.

Save as

Goto “C:\Windows\System32”. In the filename type *.* and press enter. Look for the “Cmd.exe”.

cmd.xex

Right click “cmd.exe” and select “Run as administrator” option and we have a shell with Administrator privileges as the browser was running with this authority.

System authority

#4 nt authority\system.

System authority

#5 Root flag was found by reading contents of file C:\Users\Administrator\Desktop\root.txt.txt.

Root flag

[Task 4] Adoption into the Collective

This task is mainly concerned with gaining remote shell access and persistence..

#1 No answer needed. This subtask requires you to select exploit module by issuing command “use exploit/multi/script/web_delivery”.

#2 Target number for PSH was 2 identified by using command “show targets”.

Target

#3 No answer needed.

Set LHOST and LPORT

#4 No answer needed. This subtask requires us to use reverse http payload using the command “set payload windows/meterpreter/reverse_http”, run “python -m SimpleHTTPServer” in a separate terminal and then running the exploit.

MSF payload options
Exploit executed

#5 No answer needed. After successful execution of exploit copy the PowerShell command output and paste it in terminal (with nt authority\system spawned in task 3 subtask 3) on target machine. This will give us a meterpreter shell on target machine.

Powershell commmand
Meterpreter shell

#6 run persistence –X.

Persistence command option

#7 No answer needed.

Persistence command execution

I hope this post was helpful. Thanks.

Leave a comment

Design a site like this with WordPress.com
Get started