Hello friend,
let’s check out the room Blue on TryHackMe. It’s a bit more like a CTF, but still very beginner-focused.
Task 1 – Recon
Scan the machine.
Okay, let’s use nmap for that. I usually use the -T4 flag, so it is faster, and -A for “Aggressive scan options”. This enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute) with just one flag. But you should use this only against networks you are allowed to scan, since script scanning is considered intrusive.
This command would look like this:
nmap -A -T4 <target ip>
This scans just the 1000 most used ports though. Another useful feature of nmap is, that we can use it to scan for known vulnerabilities too. The command for that is:
nmap -sV --script vuln <target ip>
If we use this scan on the target machine, we get the following output.
You might already be familiar with MS17-010 from the Metasploit room: EternalBlue. Who would have thought that the room named Blue can be solved by exploiting EternalBlue? But let’s continue with the tasks.
How many ports are open with a port number under 1000?
That’s 3.
What is the machine vulnerable to?
As we already figured out: MS17-010, plus two CVEs regarding RDP.
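As an added example (not from the post), here is a small Python parser for the normal output of nmap -sV --script vuln. It answers the two Task 1 questions from a saved scan file: it counts open ports under 1000 and lists which NSE vuln scripts reported a VULNERABLE state together with the CVE ids they name. The scan text below is constructed to mimic nmap’s layout, not the post’s real output, and the three regexes are my own assumptions about that layout.

```python
import re
# Constructed sample shaped like "nmap -sV --script vuln" output (not the post's real scan).
SAMPLE_NMAP_OUTPUT = """\
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Microsoft Windows 7 - 10 microsoft-ds
3389/tcp  open  ms-wbt-server
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|_    IDs:  CVE:CVE-2012-0152  CVE:CVE-2012-0002
49152/tcp open  msrpc         Microsoft Windows RPC
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|_    IDs:  CVE:CVE-2017-0143
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", re.M)
# A script result starts with "| name:" or "|_name:"; its nested lines have extra spaces after "|".
SCRIPT_HEADER_RE = re.compile(r"^\|[ _]([\w-]+):")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_open_ports(text):
    """Return (port, protocol, service) for every open port in the scan output."""
    return [(int(p), proto, svc) for p, proto, svc in PORT_RE.findall(text)]

def count_open_ports_below(text, limit=1000):
    """The room's question: how many open ports have a number under `limit`."""
    return sum(1 for port, _, _ in parse_open_ports(text) if port < limit)

def vulnerable_findings(text):
    """Map each NSE script reporting 'State: VULNERABLE' to the sorted CVE ids it lists."""
    cves, vulnerable, current = {}, set(), None
    for line in text.splitlines():
        header = SCRIPT_HEADER_RE.match(line)
        if header:
            current = header.group(1)
        elif not line.startswith("|") or current is None:
            current = None   # port line or plain text: we left the script block
            continue
        cves.setdefault(current, set()).update(CVE_RE.findall(line))
        if "State: VULNERABLE" in line:
            vulnerable.add(current)
    return {name: sorted(cves[name]) for name in sorted(vulnerable)}
```

Run it on a real scan with `vulnerable_findings(open("scan.txt").read())`; scripts that report false or NOT VULNERABLE are filtered out.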
Task 2 – Gain Access
Start Metasploit
Okay. (msfconsole)
Find the exploitation code we will run against the machine.
You can search for ms17-010 or eternalblue.
Show options and set the one required value. What is the name of this value?
As usual, we have to set RHOSTS, our target. To be safe, also check your LHOST option; it should point to your IP.
Then run the exploit with the run or exploit command.
A Windows command shell should appear, which we are supposed to background with CTRL+Z.
Task 3 – Escalate
Research online how to convert a shell to a meterpreter shell in metasploit. What is the name of the post module we will use?
You can also just use the search function:
post/multi/manage/shell_to_meterpreter
Show options, what options are required to change?
This one.
Set the required option, you may need to list all of the sessions to find your target here.
If you don’t remember, use the sessions command to show all active sessions. After you run the module, you should have a second session, which you can select with the command:
sessions -i <session number>
Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command ‘shell’ and run ‘whoami’. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.
You can also just use the getuid command in meterpreter.
List all of the processes running via the ‘ps’ command. Just because we are system doesn’t mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).
Well, in my case, my process is run by System. You can use getpid to get your current process ID, and with ps you can check which process that is.
But in case something isn’t working with my current process, the svchost.exe processes usually work pretty well.
Task 4 – Cracking
Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
Well, this time it just worked for me without migrating. This is interesting: it is also a PowerShell process, like in the Metasploit room where it didn’t work, but this time a 64-bit version. Maybe that’s the reason.
So yeah, the user is Jon.
Copy this password hash to a file and research how to crack it. What is the cracked password?
Let’s use john to crack it:
And we got the password.
Task 5 – Find flags!
So… why not just use the search command?
search -f *flag*
There they are, nice.
Now you just have to cat the files and you are done. In case you haven’t done it yet, this is your chance to root the machine yourself and get the flags.
So this was the room Blue on TryHackMe, a nice practical room, I hope you had fun.