Blue.md

File metadata and controls

119 lines (68 loc) · 3.11 KB

Room: Blue

Type: Windows, RCE, SMB, MS17-010 (EternalBlue)

Overview

Blue is an easy-difficulty CTF challenge on TryHackMe. The answer is literally right there in its name: Blue, a.k.a. EternalBlue. EternalBlue is a very popular exploit that allows an attacker to run arbitrary code on a remote machine by targeting the SMB service running on port 445. When exploited, EternalBlue gives a command shell that can be converted into a meterpreter shell.

Reconnaissance

  • Remember that this machine doesn't reply to ICMP echo requests, so ping is useless.

  • Running an Nmap scan

I used the following Nmap command for an initial scan of the target machine; it showed that ports 135, 139 and 445 are open:

nmap ip-add

From this we conclude:
1. It's a Windows machine.
2. SMB is running.

So let's confirm shall we?

(Screenshot: Nmap Scan Output 1)

This was followed by service version detection (-sV) and the default scripts (-sC) against the target machine. The scan confirmed that SMB is indeed running. Port 3389 is also open, so RDP is exposed (and leaks some interesting info).

nmap -Pn -sC -sV ip-add

(Screenshot: Nmap Scan Output 2_1)

(Screenshot: Nmap Scan Output 2_2)

Now we need to find out whether the SMB service is vulnerable to EternalBlue. For that, I ran the Nmap script smb-vuln-ms17-010 against port 445:

nmap -Pn -p445 --script smb-vuln-ms17-010 ip-add

Initial recon complete!

(Screenshot: Nmap Scan Output 3)
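The same two scans are what a defender runs across their own network to find hosts that still need the MS17-010 patch. The following is an added example, not code from the original write-up: it parses Nmap's normal (human-readable) output, records which ports are open per host, picks the State line out of the smb-vuln-ms17-010 script block, and turns the result into a short remediation list. SAMPLE_SCAN is a constructed sample in the shape of Nmap's output; the addresses, the second host and the banners in it are invented.

```python
"""Triage Nmap normal-format output for hosts that expose SMB and that the
smb-vuln-ms17-010 script reports as VULNERABLE.

Added example for a defender running the same scan across their own
estate; it is not code from the original write-up. SAMPLE_SCAN is a
constructed sample in the shape of Nmap's normal output: the addresses,
the second host and the banners are invented.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_SCAN = """\
Nmap scan report for 10.10.123.45
Host is up (0.042s latency).

PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows 7 Professional 7601 Service Pack 1 microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Service

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     Risk factor: HIGH
|_    References: (trimmed in this constructed sample)
|_clock-skew: mean: 1h00m00s, deviation: 0s, median: 1h00m00s

Nmap scan report for 10.10.123.46
Host is up (0.031s latency).

PORT    STATE  SERVICE
22/tcp  open   ssh
445/tcp closed microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# A script header is "| name:" or "|_name:" with at most one space after the
# bar; continuation lines are indented further and therefore do not match.
SCRIPT_HDR_RE = re.compile(r"^\|_? ?([A-Za-z0-9_-]+):")
STATE_RE = re.compile(r"State:\s*(\S+)")


@dataclass
class HostReport:
    address: str
    open_ports: Dict[int, str] = field(default_factory=dict)  # port -> service
    ms17_010_state: Optional[str] = None  # None when the script printed no State


def parse_nmap_normal(text: str) -> List[HostReport]:
    hosts: List[HostReport] = []
    current: Optional[HostReport] = None
    in_ms17 = False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = HostReport(m.group(1))
            hosts.append(current)
            in_ms17 = False
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            port, _proto, state, service = m.groups()
            if state == "open":
                current.open_ports[int(port)] = service
            continue
        if line.startswith("|"):
            hdr = SCRIPT_HDR_RE.match(line)
            if hdr:
                in_ms17 = hdr.group(1) == "smb-vuln-ms17-010"
            elif in_ms17:
                st = STATE_RE.search(line)
                if st:
                    current.ms17_010_state = st.group(1)
            continue
        in_ms17 = False  # any non-script line ends the script block
    return hosts


def triage(hosts: List[HostReport]) -> List[Tuple[str, str]]:
    """Return (address, action) pairs; a confirmed MS17-010 hit outranks mere exposure."""
    findings = []
    for h in hosts:
        if h.ms17_010_state == "VULNERABLE":
            findings.append((h.address, "MS17-010 confirmed: patch and disable SMBv1"))
        elif 445 in h.open_ports:
            findings.append((h.address, "SMB exposed: verify MS17-010 patch level"))
    return findings


if __name__ == "__main__":
    for address, action in triage(parse_nmap_normal(SAMPLE_SCAN)):
        print(f"{address}: {action}")
```

Feed it the output of `nmap -Pn -sV --script smb-vuln-ms17-010 -oN scan.txt <range>` and the triage list is the set of hosts to patch first; hosts that merely show 445 open are listed separately so they can be checked rather than forgotten.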

Exploitation

  • Exploiting MS17-010; we are going to use Metasploit for this.

    Open Metasploit.

    msfconsole


    Search for ms17-010 and use the exploit ms17_010_eternalblue.

    search ms17-010
    use 0

(Screenshot: msfconsole)

This exploit targets the memory of the target machine and works at quite a low level. Because of that, running it can crash the system. An example is shown below.

(Screenshot: system crash)

Once the exploit runs successfully you get a command shell, which we need to convert into a meterpreter shell.

(Screenshot: smb_1)

  • Command shell to meterpreter shell.

    Obtaining a meterpreter shell involves a few steps. Refer to the link.

(Screenshot: meterpreter)

  • Getting the user hashes and cracking the password (optional, you can skip this step)

    Use hashdump to dump the credentials.

(Screenshot: hashdump)

  • To crack the password, use john or hashcat. I'm using hashcat.

    hashcat -m 1000 -a 0 hash_file passwd_list

    Remember to store the hash in a text file and to download rockyou.txt for the password list.

(Screenshot: hashcat_1)

(Screenshot: hashcat_2)

  • Acquiring flags

    To find the flags, use the meterpreter shell we acquired.

search -f flag1.txt
cat filename

(Screenshot: flag3)

There you have it!!!!