TryHackMe Blue: Exploit Guide

The document summarizes Danny Ghazal's work on the Try Hack Me: Blue machine. Danny first used Nmap to identify open ports 135, 139, and 445, indicating the machine was vulnerable to MS17-010. Danny then used Metasploit to verify the vulnerability and exploit it, gaining initial access via EternalBlue. Danny then used post-exploitation techniques like migrating to the svchost process and dumping hashes to escalate privileges. Jon's password was cracked using Crackstation. Finally, Danny used search commands in Meterpreter to locate three flag files with privileges, access, and documents as their contents.

Danny Ghazal

12/19/20
NTS330
Professor Mike
Try Hack Me: Blue

Task 1 Recon: Scanning the machine didn't require an answer; it just required me to type nmap into the terminal window. The next question asked how many ports were open under 1000, so I ran an nmap command (nmap 10.10.32.233 -p 1-999). Three ports were returned open: 135, 139 and 445. To check if the machine was vulnerable I did a quick Google search to find the Metasploit ID for EternalBlue, which I assumed was the vulnerability because the lab was called Blue. The ID for it was MS17_010, so I opened Metasploit and ran these commands:

use auxiliary/scanner/smb/smb_ms17_010
set rhosts 10.10.32.233
exploit

Metasploit verified that the machine was vulnerable to ms17_010 because port 445 was open, which means that SMBv1 is being used. SMBv1 is the vulnerable protocol that allows you to use the EternalBlue exploit.

Task 2 Gain Access: The first set of instructions is to open Metasploit, so I opened it; then the instructions ask for the full path to run the EternalBlue exploit. I opened Metasploit and ran this command: search path ms17_010. The search results returned this path: exploit/windows/smb/ms17_010_eternalblue. The next question asks to show options and set a required value, so I used this command: options exploit/windows/smb/ms17_010_eternalblue. The option I figured I would need is RHOSTS, so we could specify the IP of the machine we'd be running the exploit on. I then loaded the exploit and ran it, which opened a Meterpreter prompt.

TASK 3 Escalate: The next question asks to upgrade the shell to Meterpreter. At this point I was a little stuck, because when I ran the exploit it gave me a Meterpreter shell right off the bat. So I was confused for a little, then I did some Google searching and found the answer to the next question even though I didn't really need to use it. The question asked for a path that would convert the shell to a Meterpreter prompt, and the command is post/multi/manage/shell_to_meterpreter; the required option for this is session. I set the session to 1 and then ran the exploit again. I opened the Meterpreter prompt and typed shell to open a DOS command prompt. After that I typed whoami to confirm I was running under NT AUTHORITY\SYSTEM or admin. The next task requires you to exit the DOS command prompt and run the ps command to see the processes that are running, then select one out of the list. I chose svchost.exe and migrated to that process using its process ID number (2876).

TASK 4 Cracking: The first task for cracking asks to run hashdump in the Meterpreter shell, so I did and found that the name of the non-default user was Jon. The first thing I tried to do at this point was background the Meterpreter prompt and save the hashes so I could run them through John the Ripper. I tried this but was unable to, so I decided to use hashcat. I ran this command within hashcat: hashcat -a 0 -m 1000 jon.txt /usr/share/wordlist/rockyou.txt --username --show. The command never worked; I kept getting errors. So I took the hash and went to crackstation.com and input ffb43f0de35be4d9917ac0cc8ad57f8d, which is the second half of the NTLM hash. This cracked the hash and gave me the password for Jon, which was alqfna22.
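
As an added example (not part of this write-up), here is a small Python parser for the hashdump lines Task 4 refers to: it picks out the non-default accounts by RID, returns the NT half of the line (the part that was pasted into Crackstation), and flags what a reviewer of a SAM dump looks for. The sample dump is constructed; only Jon's NT hash comes from the write-up, and the Administrator hash is a made-up placeholder.

```python
import re
from dataclasses import dataclass

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # marker: no LM hash stored (good)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password (bad)
# One hashdump line: user:RID:LMhash:NThash:::
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

@dataclass
class SamEntry:
    user: str
    rid: int  # RIDs below 1000 belong to built-in accounts (Administrator=500, Guest=501)
    lm: str
    nt: str

    def findings(self) -> list:
        """Weaknesses a reviewer flags on this account."""
        out = []
        if self.lm != EMPTY_LM:
            out.append("LM hash stored")  # LM hashes are trivially reversible; should be disabled
        if self.nt == EMPTY_NT:
            out.append("empty password")
        return out

def parse_hashdump(text: str) -> list:
    """Parse hashdump output, rejecting anything that is not a pwdump-format line."""
    entries = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"not a hashdump line: {line!r}")
        user, rid, lm, nt = m.groups()
        entries.append(SamEntry(user, int(rid), lm.lower(), nt.lower()))
    return entries

def non_default_users(entries: list) -> list:
    """Accounts that were created on the box, i.e. not built in."""
    return [e.user for e in entries if e.rid >= 1000]

def nt_hash_of(entries: list, user: str) -> str:
    """The 'second half' of the line: the NT hash a lookup site or hashcat -m 1000 takes."""
    return next(e.nt for e in entries if e.user.lower() == user.lower())

# Constructed sample: Jon's line carries the NT hash quoted in the write-up, the
# Administrator NT hash is a made-up placeholder and Guest has an empty password.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""
```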

TASK 5 Find Flags: To find the flags I started by opening the shell back up and just browsing through different directories. I couldn't find anything, so I used the first hint, which was to "use C", so I went into the C directory in the shell and found flag1.txt. I used more flag1.txt to view the contents of the first flag; the first flag was access_the_machine. Before trying to find the second flag I did some research, because I felt there would be an easier way to find flags rather than searching the entire machine. I found that you could return to the Meterpreter prompt and use this command: search -f flag*.txt. This returned the three paths to the flag.txt files. I navigated to each of them and found flag2 was sam_database_elevated_access and flag3 was admin_documents_can_be_valuable.
