
TryHackME – Blue Writeup


In this TryHackMe Blue writeup we will see how a small weakness in a system can get it hacked. The purpose of this blog is to demonstrate the steps to complete the Blue room. In this room you deploy and hack into a Windows machine, leveraging common misconfiguration issues.

TryHackME - Blue Task 1: Recon

Basically, this is the information-gathering part, in which we collect information about open ports, running services, the OS, and their versions.

Question 1: How many ports are open with a port number under 1000?

Solution: Step 1: Open the ‘nmap’ tool and scan the IP to identify the open ports under 1000.

And I found 3 open ports under 1000.

Answer -- 3

Question 2: What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

Solution: Step 1: Run the vuln script by using Nmap to find the vulnerability.

It is vulnerable to ‘SMBv1 server ms17-010’.

Answer -- ms17-010
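The two recon answers above can also be read out of a saved scan report rather than off the screen, which is how a defender would triage many hosts at once. The following is an added example, not part of the original writeup: it parses Nmap XML output (`-oX`) and reports the open ports below 1000 and any vuln script that confirmed a finding. The sample report, its address and its port list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output; the address and ports are made up.
SAMPLE_XML = """<nmaprun>
<host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="135"><state state="open"/></port>
    <port protocol="tcp" portid="139"><state state="open"/></port>
    <port protocol="tcp" portid="445"><state state="open"/></port>
    <port protocol="tcp" portid="593"><state state="closed"/></port>
    <port protocol="tcp" portid="3389"><state state="open"/></port>
  </ports>
  <hostscript>
    <script id="smb-vuln-ms17-010"
            output="VULNERABLE: RCE in Microsoft SMBv1 servers (ms17-010)&#10;State: VULNERABLE"/>
  </hostscript>
</host>
</nmaprun>"""


def triage(xml_text, port_limit=1000):
    """Summarise each host: open ports below port_limit and confirmed vuln scripts."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        open_ports = sorted(
            int(port.get("portid"))
            for port in host.iter("port")
            if port.find("state") is not None
            and port.find("state").get("state") == "open"
        )
        # Vuln scripts report under <hostscript> or under a <port>; iter() sees both.
        # "State: VULNERABLE" does not match "State: NOT VULNERABLE".
        vulnerable = sorted(
            script.get("id")
            for script in host.iter("script")
            if "State: VULNERABLE" in (script.get("output") or "")
        )
        findings.append({
            "host": host.find("address").get("addr"),
            "open_below_limit": [p for p in open_ports if p < port_limit],
            "open_total": len(open_ports),
            "vulnerable_scripts": vulnerable,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_XML):
        print(finding)
```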

TryHackME - Blue Task 2: Gain Access

This machine is vulnerable to the ms17-010 remote code execution vulnerability. Use Metasploit to exploit it.

Question 1: Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........)

Solution: Step 1: Open Metasploit and search for an exploit for ‘SMBv1 server ms17-010’ by using the “search ms17-010” command.

I found these 4 exploits.

Step 2: Now I use the first exploit.

Answer -- exploit/windows/smb/ms17_010_eternalblue

Question 2: Show options and set the one required value. What is the name of this value? (All caps for submission)

Solution: Step 1: Check the options by using the “show options” command.

Step 2: Set rhosts (Target IP) and press enter.


Answer -- rhosts

Now it’s time to run the exploit by using the “run” command.

NOTE: If you see a FAIL message instead of getting a session, then you need to set lhost (your IP) and press enter.

After setting the correct lhost and rhosts, check again with the “show options” command to confirm them. Then run the exploit again.

TryHackME - Blue Task 3: Escalate

After getting the shell, background it by using “Ctrl+Z” and upgrade it to Meterpreter.

Question 1: If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in Metasploit. What is the name of the post-module we will use? (Exact path, similar to the exploit we previously selected)

Solution: Step 1: Use the command “search shell_to”.

Step 2: Type the command “use 0” to use it.

Answer -- post/multi/manage/shell_to_meterpreter

Question 2: Select this (use MODULE_PATH). Show options, what option are we required to change?

Solution: Step 1: Type the command “sessions” to check all the sessions I have.

Answer -- Session

TryHackME - Blue Task 4: Cracking

In this task, we try to get the hash of the user password and crack it.

Question 1: Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

Solution: Step 1: Now it is time to get the shell/cmd by using the “shell” command.

Step 2: Now get the hashes by using the “hashdump” command.

The only non-default user is Jon.

Answer -- jon
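Each line that hashdump prints has the form `user:RID:LM hash:NT hash:::`, and the RID is what separates built-in accounts (500 for Administrator, 501 for Guest) from locally created ones, which start at 1000. The following is an added example, not part of the original writeup, that audits such a dump for non-default accounts, stored LM hashes and blank passwords; the sample lines, the users "alice" and "bob" and their hash values are constructed.

```python
# LM and NT hashes of the empty string (well-known constants).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample; "alice", "bob" and their hash values are made up.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1001:00112233445566778899aabbccddeeff:fedcba9876543210fedcba9876543210:::
not a hash line
"""


def is_hex32(value):
    """True for a 32-character lowercase hex string (one LM or NT hash)."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)


def audit_hashdump(text):
    """Parse user:RID:LM:NT::: lines and flag the properties worth reviewing."""
    accounts = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            continue  # skip banners, prompts and malformed lines
        user, rid = fields[0], int(fields[1])
        lm, nt = fields[2].lower(), fields[3].lower()
        if not (is_hex32(lm) and is_hex32(nt)):
            continue
        accounts.append({
            "user": user,
            "rid": rid,
            "non_default": rid >= 1000,       # locally created account
            "lm_hash_stored": lm != EMPTY_LM,  # legacy LM hash is present
            "blank_password": nt == EMPTY_NT,  # NT hash of an empty password
        })
    return accounts


if __name__ == "__main__":
    for account in audit_hashdump(SAMPLE_DUMP):
        print(account)
```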

Question 2: Copy this password hash to a file and research how to crack it. What is the cracked password?

Solution: Step 1: Now I save Jon's password hash in a file (jon.txt) and after that rename the file to the jon.hash format to decode the hash and get the original password.

Step 2: Crack the hash by using the “john” tool and the “rockyou.txt” wordlist.

Answer -- alqfna22

TryHackME - Blue Task 5: Find flags!

Once you have the shell, you need to find the flags hidden in different directories of the target machine.

Question 1: Flag1? This flag can be found at the system root.

Solution: Step 1: Check the hint and go to the ‘C’ drive.

Step 2: Check the directories by using the “dir” command. Then I see the flag1.txt file.

Step 3: Read the flag1.txt file by using the “cat” command.

Flag 1: -- flag{access_the_machine}

Question 2: Flag2? This flag can be found at the location where passwords are stored within Windows.

Solution: Step 1: Check the hint and go to the ‘windows’ folder.

Step 2: Then go to the system32 folder by using the “cd system32” command.

Step 3: Then go to the config folder.

Check the directory and you will see flag2.txt.

Flag 2: -- flag {sam_database_elevated_access}

Question 3: flag3: This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.

Solution:

Type the command: search -f flag*.txt

After that you will see the flag3.txt file; then read it.

Flag 3: -- flag{admin_documents_can_be_valuable}

Finally done….

NOTE: The EternalBlue vulnerability was very famous, and many systems were compromised using it. Microsoft released a fix to patch these vulnerabilities for different operating systems.


Abhishek Sharma.
Cybersecurity Intern.

