Blaster TryHackMe (CVE-2019-1388)
Hello guys, back again with another walkthrough. This time we are going to be doing Blaster from TryHackMe, a relatively easy Windows box. It starts off by finding a WordPress directory that holds credentials, which let you log into the box using Remote Desktop Protocol (RDP). After logging in you find that the box is vulnerable to CVE-2019-1388, which basically lets you obtain root on the box. Without much more to say, let’s jump in.
We start off with an nmap scan of the box. This gives us a pretty good idea of which ports are open on the box and the services they are running.
And we get two open ports: HTTP running Microsoft IIS httpd 10.0, and ms-wbt-server, which is typically the RDP service.
Since we don’t have credentials to log into the box using RDP, I started enumerating the web server. On opening the webpage we get the standard IIS welcome page.
Since there is nothing interesting there, I decided to run gobuster, and after about 2 minutes I got another directory, /retro.
I navigated to that directory and found a webpage named Retro Fanatics that looked like it was made with a content management system (CMS).
I used a tool preinstalled in Parrot Sec OS called whatweb to fingerprint the web application. WhatWeb identifies websites: it recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 900 plugins, each to recognise something different. It also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
And we get that the website is running WordPress. My next logical move was to run wpscan, a black-box WordPress vulnerability scanner, and we get a possible username.
I decided to poke around the posts and found something interesting, something that looked like a credential.
I used those credentials to try and log into the website and, voila, we are in, which would be one way to get a shell on the box.
I didn’t go down this path, though, because we had RDP from our nmap scan.
I decided to try and log into the box using Remote Desktop Protocol with an application called Remmina, which comes preinstalled in Parrot Sec OS. Remmina is a remote desktop client written in GTK+, aiming to be useful for system administrators and travellers who need to work with lots of remote computers in front of either large monitors or tiny netbooks.
And finally we are able to log into the box using RDP.
Now we can submit our user.txt flag.
Now it’s time for privilege escalation. I always use winPEAS.exe to search for privilege escalation vectors on Windows boxes, and it has worked pretty well for me.
First we have to upload winPEAS to the box using PowerShell. For this to work we need to first start a server that hosts the executable; in my case I am using Python’s SimpleHTTPServer.
Then we use PowerShell on the box to download the file.
Now it’s time to execute the file using CMD, the Windows command-line interpreter.
The script finished in less than 5 seconds, and I first decided to look at the vulnerabilities that it found.
The one that stood out to me was CVE-2019-1388.
This is an elevation of privilege vulnerability in the Windows Certificate Dialog, which does not properly enforce user privileges, aka ‘Windows Certificate Dialog Elevation of Privilege Vulnerability’. It allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to access an interactive desktop as a low-privileged user on the target system in order to exploit this vulnerability.
The specific flaw exists within the User Account Control (UAC) user interface shown on the secure desktop. By interacting with the user interface, an attacker can launch a highly privileged web browser on the normal desktop. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM. But for this to work we need an application to run as Administrator. I decided to look around, and in the Recycle Bin I found an executable.
I moved it to the Desktop folder and ran it as Administrator.
But I didn’t have the Administrator’s password.
Click on “Show more details”.
Nothing seems to happen, but going back to the Desktop you’ll find it has opened Internet Explorer.
Click on File, then click on Save As.
It will open a Save As window.
Navigate to system32.
Scrolling down using the scroll bar we get to cmd.
And we get another cmd shell, this one elevated.
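From the defender’s side, the process chain described above (UAC certificate dialog → browser running as SYSTEM on the normal desktop → cmd.exe started from the browser’s Save As window) stands out in process-creation telemetry. The following is an added example, not code from the original walkthrough: it assumes Sysmon Event ID 1 style fields and that the elevated browser is spawned by the UAC consent process (consent.exe); the log records are constructed for this example.

```python
import ntpath

# Constructed process-creation events in Sysmon Event ID 1 style (pid, parent pid,
# image path, user). These are sample records made for this example, not telemetry
# from the Blaster box. Assumptions: the elevated browser is spawned as
# NT AUTHORITY\SYSTEM by the UAC consent dialog (consent.exe), and the
# "Save As" trick then starts cmd.exe as a child of that browser.
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
SAMPLE_EVENTS = [
    {"pid": 412, "ppid": 300, "image": r"C:\Windows\System32\consent.exe", "user": SYSTEM_USER},
    {"pid": 520, "ppid": 412, "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "user": SYSTEM_USER},
    {"pid": 601, "ppid": 520, "image": r"C:\Windows\System32\cmd.exe", "user": SYSTEM_USER},
    # Benign: the low-privileged user browsing and opening a shell from the browser
    {"pid": 700, "ppid": 100, "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "user": "BLASTER\\lowpriv"},
    {"pid": 701, "ppid": 700, "image": r"C:\Windows\System32\cmd.exe", "user": "BLASTER\\lowpriv"},
]

BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(image):
    # ntpath handles Windows backslash paths even when this runs on Linux
    return ntpath.basename(image).lower()


def find_uac_dialog_abuse(events):
    """Return (pid, reason) findings for the CVE-2019-1388 style process chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["user"] != SYSTEM_USER:
            continue  # the chain only matters when the child runs as SYSTEM
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        name = basename(e["image"])
        if name in BROWSERS and parent_name == "consent.exe":
            findings.append((e["pid"], "browser launched as SYSTEM from the UAC consent dialog"))
        elif name in SHELLS and parent_name in BROWSERS:
            findings.append((e["pid"], "shell spawned by a SYSTEM browser (Save As trick)"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_uac_dialog_abuse(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {reason}")
```

On a patched host neither finding should ever fire, so both are high-confidence alerts rather than noisy heuristics.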
Now it’s time to get the root flag from the box.
Now we could go a step further and get a better shell using Metasploit’s web_delivery module, but I am going to leave that to you.
That was it for now guys, till next time, take care.
If you liked the walkthrough, you can clap for me down below.