TryHackMe Blue write-up
- Name: Blue
- Description: Deploy & hack into a Windows machine, leveraging common misconfiguration issues.
- Room: tryhackme.com
[Task 1] Recon
Scan the machine
First we need to scan the machine to check for available ports and services:
sudo nmap -sS -A <machine_ip>
Question: How many ports are open with a port number under 1000?
Question: What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)
“We can check the security problems of a device using scripts in Nmap, for example vuln script can identify common problems”
nmap <machine_ip> --script vuln
The machine seems to be vulnerable to ms17-010.
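As an added example that is not part of the original write-up: a small Python script that parses nmap's XML output (add -oX <file> to the scan command above; that flag is an assumption, not in the write-up) and answers the Task 1 question directly, counting open ports under 1000 and flagging whether SMB on TCP/445, the service ms17-010 affects, is exposed. The XML embedded below is constructed sample data, not the room's real scan output.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap's -oX output; ports and services are made up for the example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -A -oX scan.xml 10.0.0.5" start="0">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="49152"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="21"><state state="filtered"/><service name="ftp"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Return a sorted list of (port, protocol, service) for ports nmap reports as open.
    Filtered/closed ports are skipped, so they never inflate the count."""
    root = ET.fromstring(xml_text)
    found = []
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue
        service = port.find("service")
        name = service.get("name") if service is not None else ""
        found.append((int(port.get("portid")), port.get("protocol"), name))
    return sorted(found)


def count_open_below(xml_text, limit=1000):
    """Count open ports whose number is under `limit` (the Task 1 question)."""
    return sum(1 for port, _, _ in open_ports(xml_text) if port < limit)


def smb_exposed(xml_text):
    """True if TCP/445 is open: the SMB service ms17-010 affects, so patch status matters."""
    return any(port == 445 and proto == "tcp" for port, proto, _ in open_ports(xml_text))


if __name__ == "__main__":
    for port, proto, name in open_ports(SAMPLE_NMAP_XML):
        print(f"{port}/{proto} {name}")
    print("open ports under 1000:", count_open_below(SAMPLE_NMAP_XML))
    print("SMB (445) exposed:", smb_exposed(SAMPLE_NMAP_XML))
```

Point it at the XML of a real scan by replacing SAMPLE_NMAP_XML with the file contents; the counting logic is the same.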
[Task 2] Gain Access
We know that the machine has a security problem, and we can use Metasploit to exploit it.
The next step is to find the appropriate exploit for the security problem (ms17-010).
Question: Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)
We have to select the desired exploit and set the required values.
Set the machine IP:
set RHOSTS <machine_ip>
Question: Show options and set the one required value. What is the name of this value? (All caps for submission)
Run the exploit.
You can see now that our exploit was executed and that we got a Windows host shell. In order to continue, we must use the Meterpreter shell to execute commands and upload files.
[Task 3] Escalate
We need to turn the shell into a Meterpreter session.
Question: If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)
List the sessions and set the session number.
set SESSION 1
Question: Select this (use MODULE_PATH). Show options, what option are we required to change?
If we list the sessions again, a Meterpreter session has been added.
With the Meterpreter session we now have an interactive shell on the target from which to explore the machine and execute code.
Use the ps command to list all processes running on the host.
[Task 4] Cracking
Use hashdump to dump the user credentials.
Question: Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
Question: Copy this password hash to a file and research how to crack it. What is the cracked password?
[Task 5] Find flags!
Search for the flags using:
search -f flag*.txt
thank you 🌏🔥