# Blaster

![](/files/-MeW8yOA4wzQs3kZDBR1)

## Activate Forward Scanners and Launch Proton Torpedoes

Let's run nmap scans to find open ports and the services running on them.

![](/files/-MeWDEVFHTquifjXfDgR)

![](/files/-MeWFzQyzItLSIAR5X7q)

![](/files/-MeWDH2rtOTRcZTtFif1)

Let's check the website.

![](/files/-MeWDOibfiZ9VTSuhZIp)

![](/files/-MeWDizzo9GGhBqbTkDQ)

There is nothing interesting here, so let's look for hidden directories and pages with gobuster.

![](/files/-MeWEoxABma4vVwnUAww)

![](/files/-MeWErn9JzheZ94uuQ0F)

Let's look at this directory.

![](/files/-MeWEz2bI4WiWJioJeji)

We have a possible username: Wade.

![](/files/-MeWF3s3d4biW0HA9fzQ)

Let's look at the website and see if we can find anything interesting. Looking around, we come across this post:

![](/files/-MeWGLiNbAClqMm6an--)

After we click on it, we get to this page:

![](/files/-MeWGTaBbIUpNbeuDpwZ)

It looks like a password.

![](/files/-MeWGY4_LH9O2tA4sUCC)

Now let's try to log in through Remote Desktop with the credentials we have. We can use Remmina to do this.

![](/files/-MeWGsHEWpOREcm5kCmU)

![](/files/-MeWGyWsf7uQiyCfyM29)

![](/files/-MeWH3ladaFHd9zYv4fc)

We are logged in, so let's read the user.txt file.

![](/files/-MeWHEutLYJ3AdRYnXaL)

## Breaching the Control Room

Let's look for interesting information, such as what the user was looking at. Let's go to Internet Explorer ;-; and look at the history.

![](/files/-MeWJ-kNN_t6o53dMaD0)

We have the CVE number.

![](/files/-MeWJBrtOysWGlKTNwoH)

Exploiting this vulnerability requires an executable, and we can find it on the desktop.

![](/files/-MeWJwJrNlb7dOPvnDyo)

![](/files/-MeWK-D0_oCYVSSHJsQH)

Let's look at this vulnerability more closely and use it to get a shell on the machine.

First, let's look at this executable by clicking it.

![](/files/-MeWKMOUyv83w2ZJr2EI)

Let's go to Show more details > Show information about the publisher's certificate.

![](/files/-MeWK_jJ0NIl_uxpmuAy)

Let's click the Issued by link and close the tabs. Now let's go to Internet Explorer and hit Ctrl + S.

![](/files/-MeWLyHIvO1cw0xHpIB3)

We get an error. Now let's click OK, and we see that the file explorer is open. Let's open cmd.

![](/files/-MeWMC4Dr4J4JmjuIxjT)

Now let's check who we are on the system.

![](/files/-MeWMI_JBJDUN-aKy3rN)

![](/files/-MeWMPDQpBCBuakblNle)

Let's read the root flag.

![](/files/-MeWMh9JifcYzj9z8bW2)

## Adoption into the Collective

Let's follow the steps mentioned in the room.

First, let's go to our machine, launch Metasploit, and select the module they provided.

![](/files/-MeWNRCNdPusnv8K7hIE)

![](/files/-MeWNZYkCSw4tn3q9aeU)

Now let's set the target to PSH.

![](/files/-MeWNjMvFUPv3rV88Y2V)

![](/files/-MeWNmGkuJiyUpcS30o4)

Let's set the options.

![](/files/-MeWO4Y6nmbCJ9smn4s7)

Let's set the payload and run the exploit as a job.

![](/files/-MeWPW9RD3rh1J7xG-qp)

![](/files/-MeWPSkpiYqpcsFgoXwV)

Let's select the command and paste it in the terminal of the machine we just exploited.

![](/files/-MeWPf4ZkP-aZMXbfbhO)

And we should get a Meterpreter shell.

![](/files/-MeWQG9RBnqqtc_NmM1w)

We can get persistence with this command:

![](/files/-MeWQVQfVHVtY_L9SWVc)

