Blaster


Intro

Room Info

🔗 Name

🎯 Target IP

10.10.27.22

📈 Difficulty level

🟢 Easy

💲 Subscription type

Free

🪟 OS

Windows


Recon

Discover IIS Webserver hidden directories

Navigate to

  • http://10.10.27.22/Retro/

  • http://10.10.27.22/retro/index.php/2019/12/09/ready-player-one/

📌 Wade:parzival

🚩 Read user.txt file.

Local Recon

Check Internet Explorer history.

  • CVE-2019-1388 - Windows Privilege Escalation Through UAC

  • hhupd.exe on desktop


Privilege Escalation

  • Run hhupd.exe to exploit the privilege escalation vulnerability present in the Windows Certificate Dialog box, a bug in the UAC mechanism

    • cmd user: nt authority\system

🚩 Read root.txt file.


Exploitation

  • Run the following command on the target machine

    • copy it in a file and host the file on a Python http server

  • Open the link on the target machine

    • http://10.18.65.48:8000/payload

  • Copy the code and paste it in the opened CMD

  • Check the spawned reverse shell in Metasploit


Persistence

  • Windows Defender blocked the persistence service payload in this case

  • Add a new user instead and give it administrative privileges
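Seen from the defending side, the fallback above (a new local account placed in the Administrators group) leaves Security log events 4720 and 4732 on the host. The following is an added example, not part of the original write-up, that correlates the two over constructed sample records; the JSON export shape, the account names and the 10-minute window are assumptions.

```python
import json
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
SYSTEM_SID = "S-1-5-18"               # well-known SID of NT AUTHORITY\SYSTEM
WINDOW = timedelta(minutes=10)        # assumed correlation window

# Constructed sample records (one JSON object per line), not taken from the room.
# Field names follow the 4720/4732 event data; the export format is an assumption.
SAMPLE_LOG = """
{"time": "2024-01-01T10:00:05", "id": 4720, "SubjectUserSid": "S-1-5-18", "TargetUserName": "helpdesk2", "TargetSid": "S-1-5-21-1-2-3-1009"}
{"time": "2024-01-01T10:00:20", "id": 4732, "SubjectUserSid": "S-1-5-18", "MemberSid": "S-1-5-21-1-2-3-1009", "TargetSid": "S-1-5-32-544"}
{"time": "2024-01-01T11:30:00", "id": 4720, "SubjectUserSid": "S-1-5-21-1-2-3-500", "TargetUserName": "intern", "TargetSid": "S-1-5-21-1-2-3-1010"}
{"time": "2024-01-01T11:31:00", "id": 4732, "SubjectUserSid": "S-1-5-21-1-2-3-500", "MemberSid": "S-1-5-21-1-2-3-1010", "TargetSid": "S-1-5-32-555"}
{"time": "2024-01-01T15:00:00", "id": 4732, "SubjectUserSid": "S-1-5-21-1-2-3-500", "MemberSid": "S-1-5-21-1-2-3-1001", "TargetSid": "S-1-5-32-544"}
"""

def parse(log_text):
    """Load JSON-lines records and return them sorted by timestamp."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
    return sorted(events, key=lambda e: e["time"])

def find_new_admin_accounts(events, window=WINDOW):
    """Flag accounts created (4720) and added to Administrators (4732) within `window`."""
    created = {}   # new account SID -> its 4720 event
    alerts = []
    for e in events:
        if e["id"] == 4720:
            created[e["TargetSid"]] = e
        elif e["id"] == 4732 and e["TargetSid"] == ADMINISTRATORS_SID:
            origin = created.get(e["MemberSid"])
            if origin and e["time"] - origin["time"] <= window:
                alerts.append({
                    "account": origin["TargetUserName"],
                    "seconds_to_admin": int((e["time"] - origin["time"]).total_seconds()),
                    # An account created by SYSTEM rather than by a named admin
                    # points to a process already running elevated.
                    "high_severity": origin["SubjectUserSid"] == SYSTEM_SID,
                })
    return alerts

if __name__ == "__main__":
    for alert in find_new_admin_accounts(parse(SAMPLE_LOG)):
        print(alert)
```

Only the first pair of sample records is flagged: the second account goes into a different group, and the last record adds an account that was not created inside the window.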

