Blaster Room -- Try Hack Me


We will now do the sequel to the Ice Room. This room shows other ways to exploit the vulnerability without the use of Metasploit.
Activate Forward Scanners and Launch Proton Torpedoes
To start, we will perform basic enumeration of the services running on the target machine that we have been provided.
Above, I ran an Nmap scan to find the open ports. The result shows two: one for HTTP and the other for ms-wbt-server, the service name Nmap uses for Microsoft Remote Desktop.
When we go to the web page, we see that there is a web server running:
Now, we will try to find other directories. We will use the tool gobuster to do so, checking against the common.txt word list.
No directories came back, so we will try other word lists.
When we use big.txt, we see that we get back the directory called retro:
We will now add that directory to the URL. This is the page we get:
On this page, we instantly see a potential username: Wade.
Scrolling through the comments on the post, we find one by Wade where he discloses information about his password: he says that when he logs in, he keeps misspelling the name of the main character's avatar, which implies that the avatar's name is his password:
After doing a quick search, I discovered the avatar’s name is parzival, which is presumably Wade’s password.
With this new information, we will now log into the machine via MSRDP (Microsoft Remote Desktop) using a tool called Remmina.
I typed in the following command to start remmina:
I filled in Wade’s username and password (parzival) that we have previously found above.
We now have access to Wade’s Desktop:
We will open up user.txt to get the code:
Breaching the Control Room
Now that we have gained access, we will try to get elevated privileges.
The instructions say to look in browser history for an exploit searched, but it seems that the browser history is cleared (after research, this is a known issue). TryHackMe therefore provides the answer in the hint: CVE-2019-1388.
After researching this exploit, we find that this is an exploit based on a “Microsoft Windows Certificate Dialog Privilege Escalation Vulnerability”, where user privileges are not properly enforced, according to NIST’s website (https://nvd.nist.gov/vuln/detail/CVE-2019-1388).
Back to the remote desktop, we see on the home page that there is an executable called “hhupd” that requires administrative privileges. We will try to get elevated privileges by using the exploit above.
On GitHub, the following write-up shows the steps you can take to use this exploit to escalate privileges:
https://github.com/nobodyatall648/CVE-2019-1388
Steps we will follow:
- Find a program that can trigger the UAC prompt screen. We will use the executable on the screen, hhupd.
- Select "Show more details".
- Select "Show information about the publisher's certificate".
- Click on the "Issued by" URL link, which will open a browser interface.
- This opened up a browser (I had to exit the current screen to see it below). With the browser open, I pressed Ctrl + S, which opened a File Explorer save dialog.
- In the address bar of the explorer window, I entered the full path of cmd.exe: C:\WINDOWS\system32\cmd.exe
This opened up a shell:
“whoami” gives back the following answer, which confirms that we have escalated privileges:
We “cd” into the Administrator’s Desktop directory; after typing “dir”, we see the root.txt file. To read its contents we type “type root.txt”, which gives us the THM code.
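From the defender's side, the chain above leaves a recognisable trail in process-creation telemetry: the UAC consent dialog (which runs as SYSTEM) launches a browser, and a shell is then started by that browser while still running as SYSTEM. The following detection logic is an added example, not part of the original walkthrough; it runs over constructed Sysmon-style events, and the hostname, user name, paths and browser list are assumptions.

```python
import ntpath

# Browsers the certificate dialog may launch, shells a Save As dialog can be
# coaxed into starting, and the account the consent dialog runs under.
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
SYSTEM = r"NT AUTHORITY\SYSTEM"

# Constructed process-creation events (Sysmon-style field names); the
# hostname, user and paths are sample values, not taken from the room.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Wade\Desktop\hhupd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"BLASTER\Wade"},
    {"Image": r"C:\Windows\System32\consent.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": SYSTEM},
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\System32\consent.exe", "User": SYSTEM},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "User": SYSTEM},
    {"Image": r"C:\Windows\System32\cmd.exe",  # ordinary user shell, benign
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"BLASTER\Wade"},
]


def basename(path):
    """Case-folded file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return a finding label for one event, or None if it looks benign."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    is_system = event["User"].upper() == SYSTEM
    if image in BROWSERS and parent == "consent.exe":
        return "browser launched from the UAC consent dialog"
    if image in SHELLS and parent in BROWSERS and is_system:
        return "shell started by a browser running as SYSTEM"
    return None


def scan(events):
    """Return (image basename, label) for every event that matches a rule."""
    findings = []
    for event in events:
        label = classify(event)
        if label:
            findings.append((basename(event["Image"]), label))
    return findings


if __name__ == "__main__":
    for image, label in scan(SAMPLE_EVENTS):
        print(f"{image}: {label}")
```

Either rule on its own is a strong signal; both firing in sequence on one host is the pattern the CVE-2019-1388 patch removes, so hosts that still produce it are unpatched.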
Adoption into the Collective
We will now use a different method to gain administrative privileges, based on our finding that the target runs Windows Defender.
We will start metasploit (msfconsole) and then use the following exploit:
We run the following command to list the targets and find the number for PowerShell, which is 2. We want this one because the target is a Windows machine, so PowerShell is the appropriate option.
We will set the target to 2:
We will set LPORT to 80 and LHOST to our local machine’s IP.
We will set our payload and run it:
I pasted it into the victim’s cmd and then returned to my machine, where the console reports that Meterpreter session 1 opened.
Last but certainly not least, let's look at persistence mechanisms via Metasploit. What command can we run in our meterpreter console to setup persistence which automatically starts when the system boots?
run persistence -X
Written by Esti Shleifstein
