Blue
https://tryhackme.com/room/blue
Welcome to my first writeup! Today we're going to cover the steps I followed in order to complete the Blue room! Let's start:
Reconnaissance
After booting up the machine, I executed the following code in the terminal:
nmap -sS -p- -T4 -v -A 10.10.184.144
It performs a scan of the target machine, giving us useful information such as open ports, running services and the OS version.
Nmap is super useful. There are different commands that you can use, so I suggest doing some quick research on the types of scans you can run.
Here is the output:

As you can see, ports 139 and 445 are open, so SMB is running, and the host reports its version as Windows 7 Professional 7601 Service Pack 1. SMB is the protocol responsible for communication among computers and services on the same network, such as file sharing. Maybe this is interesting.
Let's google this version of SMB:

Opening this page, we discover that the machine is vulnerable to MS17-010, the flaw targeted by the exploit known as EternalBlue.
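The same observation can be turned into an inventory audit on the defender's side. The following is an added example, not part of the original writeup: it parses Nmap XML output (`-oX`) and lists hosts with ports 139/445 open, marking those whose `smb-os-discovery` string matches the Windows 7 release seen above so their MS17-010 patch status can be verified. The sample XML, the `smb_exposure` function name and the marker list are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SMB_PORTS = {139, 445}
# Assumption: OS strings that should trigger an MS17-010 patch check (from this writeup).
LEGACY_OS_MARKERS = ("Windows 7",)

# Constructed sample of `nmap -oX` output; not real scan data (192.0.2.0/24 is a documentation range).
SAMPLE_XML = """<nmaprun>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/></port>
      <port protocol="tcp" portid="445"><state state="open"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/></port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Windows 7 Professional 7601 Service Pack 1"/>
    </hostscript>
  </host>
  <host>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="filtered"/></port>
      <port protocol="tcp" portid="22"><state state="open"/></port>
    </ports>
  </host>
</nmaprun>"""

def smb_exposure(xml_text):
    """Return one finding per host that has an SMB port in state 'open'."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        open_smb = sorted(
            int(p.get("portid")) for p in host.iter("port")
            if p.find("state") is not None and p.find("state").get("state") == "open"
            and int(p.get("portid")) in SMB_PORTS)
        if not open_smb:
            continue  # SMB closed or filtered: nothing to report for this host
        script = host.find("hostscript/script[@id='smb-os-discovery']")
        os_info = script.get("output", "").strip() if script is not None else ""
        findings.append({"host": addr, "ports": open_smb, "os": os_info,
                         "verify_patch": any(m in os_info for m in LEGACY_OS_MARKERS)})
    return findings

if __name__ == "__main__":
    for finding in smb_exposure(SAMPLE_XML):
        print(finding)
```

A host flagged with `verify_patch` is only a candidate for review; whether it is actually missing the MS17-010 update has to be confirmed on the host itself.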
Exploitation
Open a terminal and start msfconsole by entering the following command:
> msfconsole
And then search for the MS17-010 exploit:
> search ms17-010
Here we have a list of exploits we can use:

Entering "use 0" selects the MS17-010 exploit module. Here we have to set the target IP and port, and the listening IP and port. THM suggests changing the payload, but if we use the default one (windows/meterpreter/reverse_tcp) we will save a lot of time.

Now we can run the exploit:
> exploit

A new Meterpreter session is now created. Entering "help" shows all the commands available. Type "shell" to interact with the machine through the Windows shell:

Nice work! Now we have access to the machine. If we type whoami we get NT AUTHORITY\SYSTEM, which is the most privileged account on a Windows system. If we had followed the THM suggestion to change the payload, we would have had to deal with privilege escalation.
Now it's time to look for flags.
Flag access



Resources