Post

Blaster

Posted Updated
By Peter Soverns 2 min read

Overview

Blaster is a vulnerable machine from TryHackMe that requires some standard enumeration with running one exploit. The foothold is accomplished after some enumeration of the web page, and the privilege escalation is done with an exploit on a known vulnerabiltiy.

Nmap Scan

  • nmap -T4 -p- -Pn target ip
    • 3389/tcp open ms-wbt-server Microsoft Terminal Services
    • rdp-ntlm-info:
    • Target_Name: RETROWEB
    • NetBIOS_Domain_Name: RETROWEB
    • 80/tcp open http Microsoft IIS httpd 10.0

The site doesn’t have any apparent information on it.

Basic Enumeration

Nikto Scan:

  • OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
  • OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST

Fuzzing for directories:

  • wfuzz -c -t 20 -u http://<ip>/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
  • Retro appears to be an interesting directory to look into

Interesting site that has a lot of retro style games on it.

  • Looking around some more, there is a user who is making posts, Wade.
  • He left a comment on one post, something that he doesn’t want to forget, a password: parzival

While we could probably log into the word press part of the site and poke around, lets see if we can sign in with these creds.

Foothold

Port 3389 (Remote Desktop Protocol) is open, and the credentails work for us to log in this way:

  • xfreerdp /u:Wade /p:parzival /v:<ip>

We are able to login as Wade, and have access to the desktop. Checking around, it is just us and the Administrator account on this device. We are able to get the user.txt

User

Local Enumeration

Trying to bring over something like winpeas does not work for us, as Windows Defender is active, and nukes the file before we get a chance to delcare it safe. We have to do some basic checking around and information gathering.

  • Windows Server 2016, Build 14393.0, 64-bit system
  • Looking at internet explorer, it seems the last researched CVE is CVE-2019-1388.

Vulnerability

CVE-2019-1388

Privilege Escalation

You have to unblock the mark of the web so the exploit can run. The 2 times I attemtped this on different IP’s, the payload was still on the device. At first, it wouldn’t work correctly and give me the error when clicking on the certificate.

  • Getting the executable to give us the error should work as follows (also make sure internet explorer is currently not running, may cause issues):
    • Right click on it, and run as Administrator.
    • In the UAC prompt, you click the drop down for more details on the certificate.
    • Click on the certificate and exit out of the UAC prompt.
    • When internet explorer finishes attempting to load the web page, do ctrl+s.
    • This will open explorer, for a place to save the web page as a file.
    • In the search bar above, type cmd.
    • This should launch command prompt as Administrator, and if you run whoami, you should be system level at this point.

You can also watch a video on youtube here.

Now we can read root.txt:

Root

ctf, security, hacking, exploits, web application
ctf security hacking exploits web application
This post is licensed under CC BY 4.0 by the author.