###### tags: `TryHackMe OffensiveSecurity GettingStarted`

# Blue

:::success
In this room I learned to hack into a Windows machine and leverage common misconfiguration issues.
:::

## Reconnaissance using nmap

:::info
In this section of the room, I gather information about the target machine using **nmap**.
:::

I decided to run the command `nmap -v --script vuln` to gather as much information as possible about the target. I chose this syntax to find out what this machine is vulnerable to.

![](https://i.imgur.com/cLIMZU5.png)
![](https://i.imgur.com/xs2gnPv.png)

From the result I observe that:

- 3 ports under 1000 are open
- There is a Remote Code Execution vulnerability in Microsoft SMBv1
- The CVE associated with this vulnerability is CVE-2017-0143
- The machine is vulnerable to ms17-010

## Gaining Access using Metasploit

:::info
In this section of the room, using a powerful pentesting tool called **Metasploit**, I exploit the machine and gain a foothold.
:::

**Metasploit**, an open-source pentesting framework, is a powerful tool used by security engineers around the world. Maintained by Rapid7, Metasploit is a collection of not only thoroughly tested exploits but also auxiliary and post-exploitation tools.

![](https://i.imgur.com/ZONwFg8.png)

In the picture above, I start Metasploit with the `msfconsole` command. I first search for the exploit module I will run against the machine. To do so, I type the command `search ms17-010`. Remember that *ms17-010* is what the machine is vulnerable to. Here is the result of the command:

![](https://i.imgur.com/KVHnHvv.png)

In this result I find three available exploits that support `check`. I chose the one whose name is the most telling regarding the vulnerability found: `exploit/windows/smb/ms17_010_eternalblue`. I then select this exploit:

![](https://i.imgur.com/gZzG3ME.png)

After that, I configure a few options so I can use the exploit against the target.
First, I run the command `options` to see which settings are required to use the exploit:

![](https://i.imgur.com/WwGe5dg.png)

From this result I notice that I have to give a value to the `RHOSTS` option. `RHOSTS` has to be the IP of the target. To set it I use the `set` command as shown in the following picture:

![](https://i.imgur.com/kcj3xTE.png)

I also have to set the **payload** to use with the exploit, and as I want a reverse Windows command line I use this one:

![](https://i.imgur.com/cOLMSdH.png)

:::info
From here, everything is ready to exploit the machine.
:::

To exploit the machine I can enter either of these two commands:

- exploit
- run

We can see that we now have a DOS command line.

![](https://i.imgur.com/84KhgZN.png)

## Escalating privileges

:::info
In this section, I manage to upgrade the DOS command line to a Meterpreter shell in Metasploit.
:::

I started by searching for the name of the post module I will use. As at the beginning, I use the `search` command:

![](https://i.imgur.com/BXpONx0.png)

The output in this picture shows me the module to use to obtain Meterpreter. I then use it:

![](https://i.imgur.com/DLLiSdD.png)

As with the previous module, I show the options to see what is required and what I have to change. Having done this, I notice that I have to attach the module to a `session` before running it. I list the available sessions and set the one most relevant to what I want to do. In this case it was the session with **ID=1**:

![](https://i.imgur.com/kWUkqIz.png)

:::info
From here, I can now run the module:
:::

![](https://i.imgur.com/v5yxpb7.png)

I run the module and notice that a `meterpreter session` is opened as **session 2**. I list the available sessions again to confirm what I see:

![](https://i.imgur.com/H4m35u3.png)

Indeed, a new session has been created in which I will have a Meterpreter shell.
:::warning
Note that the target uses an x64/windows architecture while the Meterpreter session uses an x86/windows one.
:::

I now connect to the Meterpreter shell:

![](https://i.imgur.com/YXf09tp.png)

:::success
As you can see, I now have the Meterpreter shell and I have escalated to **`NT AUTHORITY\SYSTEM`**:

![](https://i.imgur.com/7olSo7R.png)

PS: Note the use of ***CTRL+Z*** to go back to Meterpreter after using ***shell*** to get the Windows command line.
:::

## Cracking the Admin Password

:::info
In this section I try to find out the admin's password.
:::

Now that I can use Meterpreter, I want to know all the different users and their associated password hashes. To do so, I run the `hashdump` command. This dumps all of the password hashes on the machine, as long as we have the required privileges.

![](https://i.imgur.com/yL9tph8.png)

After running the command, I had some issues, so I decided to **migrate** to another process. This gives me a process with all the rights I need. Let's do it. I started by listing the running processes owned by `NT AUTHORITY\SYSTEM` and migrated into one with the x64/windows architecture.

![](https://i.imgur.com/0J3C2MR.png)
![](https://i.imgur.com/LlBY9LJ.png)

The migrate command is not stable, so it can fail. When that happens, pick another process ID and migrate again: `migrate PID`. After doing that, I run the `hashdump` command again:

![](https://i.imgur.com/6IWdCJU.png)

Now I have the hashed passwords. To crack the user's password hash, I use the **John the Ripper** tool. Before doing so, I store the hash in a `.txt` file.

![](https://i.imgur.com/Vkp60hL.png)

The password is "***alqfna22***".

:::success
I NOW HAVE THE PRIVILEGES OF THE ADMIN OF THE MACHINE AND I KNOW HIS PASSWORD. END !!!
:::

## Capture the flag

:::info
This section is optional.
I manage to obtain the flags hidden in the target machine.
:::

- The first flag is in the `C:` directory:

  ![](https://i.imgur.com/xycuYg0.png)

- The second flag is in the `Windows/System32/config` directory:

  ![](https://i.imgur.com/hLVpML8.png)

- The third flag is in the `Users/Jon/Documents` directory:

  ![](https://i.imgur.com/7ZHOYN2.png)
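Looking back at the reconnaissance section: the screenshots only show nmap's text output, but the same `--script vuln` scan can be saved as XML with `-oX`, which is what a defender would feed into an inventory of hosts that still expose a vulnerable SMBv1. The following script is an added example, not part of the original write-up; it parses a constructed sample shaped like nmap's vulns-library XML (the addresses are made up) and lists every finding whose state is VULNERABLE.

```python
# Added example (not part of the original write-up): triage nmap's XML output
# (nmap ... --script vuln -oX scan.xml) to list which hosts the vuln scripts
# report as VULNERABLE, so a defender can inventory exposed SMBv1 hosts.
# The XML below is a constructed sample shaped like nmap's vulns-library output.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><address addr="10.0.0.5" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
          <table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
        </table>
      </script>
    </hostscript>
  </host>
  <host><address addr="10.0.0.9" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
        <table key="CVE-2017-0143"><elem key="state">NOT VULNERABLE</elem></table>
      </script>
    </hostscript>
  </host>
</nmaprun>"""

def vulnerable_findings(xml_text):
    """Return (host, script id, finding id, title) for each finding whose state is VULNERABLE."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        # vuln scripts attach results as <table key="<finding id>"> with <elem key="state">;
        # states such as "VULNERABLE" or "VULNERABLE (Exploitable)" are the actionable ones.
        for script in host.iter("script"):
            for table in script.findall("table"):
                state = table.findtext("elem[@key='state']", default="")
                if state.startswith("VULNERABLE"):
                    title = table.findtext("elem[@key='title']", default="")
                    findings.append((addr.get("addr"), script.get("id"), table.get("key"), title))
    return findings

if __name__ == "__main__":
    for f in vulnerable_findings(SAMPLE_XML):
        print("%s  %s  %s  %s" % f)
```

Run it against a real `-oX` file by replacing `SAMPLE_XML` with the file contents; hosts that nmap reports as NOT VULNERABLE are filtered out, as the second sample host shows.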
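Back in the password-cracking section, `hashdump` prints one `user:rid:lm_hash:nt_hash:::` line per account. Before any cracking, a defender can already read a lot from that dump. The following script is an added example, not part of the original write-up: it parses constructed sample lines (the users and hash values are made up, apart from the two well-known empty-password hash constants) and flags LM hashes still being stored, accounts with an empty password, and password reuse across accounts, which NT hashes reveal because they are unsalted.

```python
# Added example (not part of the original write-up): a defender-side audit of
# hashdump / pwdump-format lines ("user:rid:lm_hash:nt_hash:::"). It cracks
# nothing; it flags what such a dump immediately tells a defender: LM hashes
# still stored, accounts with an empty password, and password reuse across
# accounts (NT hashes are unsalted, so equal hashes mean equal passwords).
# The lines and hash values below are constructed samples.
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1001:0011223344556677889900aabbccddee:fedcba9876543210fedcba9876543210:::
"""

def parse_dump(text):
    """Yield (user, rid, lm, nt) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or len(parts[2]) != 32 or len(parts[3]) != 32:
            continue
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()

def audit_dump(text):
    """Return a dict of findings keyed by category."""
    findings = {"lm_stored": [], "empty_password": [], "password_reuse": []}
    by_nt = defaultdict(list)
    for user, rid, lm, nt in parse_dump(text):
        if lm != EMPTY_LM:
            findings["lm_stored"].append(user)  # legacy, trivially crackable hash kept
        if nt == EMPTY_NT:
            findings["empty_password"].append(user)
        by_nt[nt].append(user)
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings["password_reuse"].append(sorted(users))
    return findings

if __name__ == "__main__":
    for category, hits in audit_dump(SAMPLE_DUMP).items():
        print(category, hits)
```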