TryHackMe – Blue Walkthrough

Introduction

I really enjoyed this box. Even though the initial exploitation phase isn’t anything new, as it exploits the EternalBlue vulnerability, the room then shows how to convert a normal shell to a Meterpreter shell, how to migrate to a SYSTEM-level process, and how to dump and crack user hashes.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions
  • -Pn to skip the host discovery phase, as some hosts will not respond to ping requests

The only ports that can be enumerated at the moment are 139 (SMB) and potentially 135 (RPC), as all other ports are used for MSRPC.

SMB Enumeration

The next step was to run a Nmap scan on ports 139 and 445 with all SMB enumeration scripts, to further enumerate this service.

nmap -p 139,445 -Pn --script smb-enum* 10.10.89.39

I then ran another Nmap scan to check for any known vulnerabilities within the SMB service. Nmap has a number of “smb-vuln-msxx-xxx” scripts that can be used to test the SMB service for public exploits.

The scripts found that the host is vulnerable to the MS17-010 EternalBlue vulnerability.

Exploiting EternalBlue

I have previously exploited this vulnerability manually, using both scripts from Exploit DB and scripts found on GitHub, so this time I will simply use the ms17_010_eternalblue Metasploit module.

Starting MSFconsole and searching for ms17-010:

Selecting the exploit and displaying available options:

Setting the following module options and running the exploit:

  • RHOST to specify the target host IP address
  • payload to specify the payload type, in this case the Windows reverse TCP shell
  • LHOST to specify the local host IP address to connect to
  • LPORT to specify the local port to connect to

This grants remote access as SYSTEM.

Privilege Escalation

In this section we will migrate from an unprivileged user process to a SYSTEM process using Meterpreter’s migrate command.

First of all we need to obtain a Meterpreter shell. Backgrounding the shell:

Searching for the shell_to_meterpreter module:

Looking at the available options, all we have to set is the session number and the same options as earlier. Listing sessions with sessions -l, setting the options and running the module:

Interacting with the shell to confirm the session is alive:

Confirming the current user is SYSTEM:

Even though the current user is SYSTEM, the process hosting the shell isn’t a SYSTEM process. Listing running processes to find a suitable one to migrate to:

Since PowerShell is running as SYSTEM, migrating to process ID 1788:

Cracking User Hashes

Using hashdump to dump user hashes from the SAM database:

Adding hashes to a text file, so that this can be used later on for cracking:

Using John the Ripper with the following flags to crack the previously found hashes:

  • --format to specify the hash type, in this case NTLM
  • --wordlist to specify the wordlist to be used, in this case rockyou
  • the text file containing the hashes, one per line

John was able to find the password for the Jon user on the machine.

Find the Flags

In this section all we have to do is find the three flags that have been placed on this machine.

The first flag can be found in the system’s root directory:

When listing files recursively in Jon’s home directory, the second flag is found:

This reveals three .lnk files, which point to the location of the flags:

Reading the second and third flags:

Conclusion

This is a great box for beginners, as it walks you through the various steps of the process but still expects you to do your part and it doesn’t hold your hand excessively. This is perfect for someone approaching penetration testing and wanting to learn the basics of Metasploit.