TryHackMe Blue - Walkthrough

Captions
Hey guys, HackerSploit here, back again with another video. In this video we're going to be taking a look at Blue from TryHackMe. So this is a simple, it looks like a Windows box, very similar to the one we might have taken a look at a few days ago on Hack The Box, but a lot of you have been actually requesting me to go through TryHackMe, primarily because they really cover or promote the use of a methodology. As you can see, it sorts every stage based on tasks, and it's a great way of actually instilling that, especially for beginners. So again, they start off with recon, gaining access, escalating, cracking and then finding flags. So, just to see some basic information regarding this box: it says scan and learn what exploit this machine is vulnerable to. Please note that this machine does not respond to pings, so that means we can perform a don't-ping scan, and it may take a few minutes to boot up. I've already booted it up. This room is not meant to be boot to root or a CTF; it's an educational series for complete beginners. Right, so the reason I'm covering this is to get started with the methodology, as I said. I think I'm going to be subscribing to their service because they have some cool rooms that I want to be getting into.

So, getting started with recon, you can see I've answered the first two questions just to see if that was working. The first two questions are in regards to scanning it, which I've already done. The IP address has changed because I rebooted the machine, or the particular box. So my nmap scan is here and I'll just give it out to you right over here. As you can see the IP changed, and I pretty much just did this a few minutes ago. So my scan is quite comprehensive: it's a SYN scan, and we're of course specifying the don't-ping option, an aggressive scan on all ports, and we are outputting this to nmap.txt. So in regards to ports, we actually go back to the questionnaire. It says how many ports are open with the port number under 1000. If we actually go back into our terminal here, you can see pretty much only three ports right over here, so that was fairly easy to answer. Right, so it's going to ask us for the third question on the recon: what is this machine vulnerable to? So let's take a look at the nmap scan.

All right, so the nmap scan reveals that this is a Windows box, and right from the SMB port we can tell this is Windows 7 Professional build 7601, and it's running on Service Pack 1. It doesn't give us anything else regarding the architecture, but we see we have some Microsoft RPC ports running. For the SMB, or for the default script scan, you can see it displays the SMB version here, which in this case is going to be... it has SMB version 1 and SMB version 2, and again we don't get any more information regarding the architecture of the operating system. When I'm talking about the architecture, I'm referring to whether it is 32-bit or 64-bit. Right, so whenever we're dealing with Windows boxes, specifically Windows operating systems below Windows 10 that have the SMB port running, in this case it pretty much tells us that we might be having an issue with the SMB security here. So what we can do is we can load up our nmap scripts here, and again, as I said, if you want to list out nmap scripts really easily you can open up the nmap scripts directory and you can then grep and look for exactly what you're looking for in terms of the scripts, or the port that you're targeting. In our case we're targeting SMB, because most of the Windows exploits or vulnerabilities primarily lie with SMB, and in this case you can see it's going to ask us for the actual vulnerability code here. So if we take a look at this here, we can pretty much use any of these scripts. We can use smb-os-discovery if we wanted to discover more about the operating system in question. I also want to run the EternalBlue vulnerability checker, which is provided by this script here, which has the vulnerability code. Again, if you want to learn more about these vulnerabilities you can actually just Google them really simply here, and again it gives you more information about them; this in this case is referring to EternalBlue.

So to get started with that we'll say sudo nmap -sS -Pn, so that is a SYN scan, don't ping; we want to target the SMB port, and we're then going to, let me just copy the IP here, that's the IP there, and we'll put in the IP, and we want to specify the script, and we'll just copy the script name right over here. Yeah, we can also run one more script if you want to, but for now I'm just going to hit Enter, primarily because I don't want to waste time within this stage here. So there we are, it performs the scan really quickly, tells us that it is vulnerable to the EternalBlue vulnerability, or this particular exploit that is, and it says it's vulnerable to remote code execution on SMB version 1 servers. So that pretty much means it's going to work. It gives us the CVE code here, which you can take a look at the references for more information. So what we can do now is we can just copy that there. It's going to ask us what the active machine is vulnerable to; if we submit that, let's see if we get it right. There we are, the answer is correct.

So we now move on to gaining access. It's going to say exploit the machine and gain a foothold. The first thing is to start Metasploit, so we're just going to do that; we'll just say that is complete, because that's just really a step here. So msfconsole, and we'll just wait for that to load up, and let's take a look at the next question. It's going to ask us for the exploitation code that we'll run. Now, Metasploit has an EternalBlue exploit, so we just need to search for that: eternalblue, and we'll use the one that works on Windows 7, and we'll just hit use and paste that in there, and we'll paste this right over here. Let's see if that is correct. That is correct. All right, so now it says show options and set the one required value; what is the name of this value? So let's show options, like so, just enlarge that, and the only option that we need to change in regards to this particular module is going to be the RHOSTS option, which is our IP, so RHOSTS, or rather the target IP, my mistake. So we'll just copy that one more time and we'll put that in here and hit Enter. So we want to just type that in, so RHOSTS, submit. The next stage is in regards to running the exploit.

Okay, so before we do that, we can actually specify the payload that we want to use. Now in this particular one it looks like the default payload, as per this particular module, is set to a regular command shell as opposed to a Meterpreter session, which again I'll follow through and I'll take you guys through it as well. But what I can do is I'll just use the default Meterpreter shell; we'll start off by using the 64-bit version just to see if that is our target architecture. In this case you can see that it works on 64-bit, so that pretty much means our target is a 64-bit machine. Right, so I need to set the LHOST, and that is the one provided to me by the VPN, which I'll just copy here; that is the TryHackMe VPN, so that is my IP address. So set LHOST and we'll paste that in there, and we can then hit run. So we're going to run the exploit now. This is the EternalBlue exploit, so it's going to send the buffer and it's going to wait for a few seconds, or up to a minute, for a response back. So we're sending the SMB version 2 buffers, and in the meantime let's take a look at what we can hit as complete. So there we are, that is complete, and then confirm that the exploit runs correctly: you may have to press Enter for the DOS shell to appear. Background this shell using Ctrl+Z; so that's a quick keyboard shortcut if you want to background your session. If this failed you may have to reboot the target VM, which I think is fine, because we should get a Meterpreter session, so we'll just wait for this to give us the session.

All right, so we can move on to the next stage, or the next task, and this is in regards to escalating privileges. All right, so this covers how to upgrade shells, right, how to upgrade shells in Metasploit. So what we'll do is we will see if we've got a Meterpreter session. We still don't have one yet; it looks like it's sent the buffers one more time, so we'll wait for this. If this doesn't work then we'll pretty much have to use the command shell, because I'm guessing that they've structured it that way. All right, so the next question has to do with what options are required to be changed in regards to the module used to upgrade shells into Meterpreter shells. Okay, so that should be fairly simple: set the required option, run, and then once the shell conversion is complete, set the session and then verify that we've escalated to NT AUTHORITY. Okay, cool, so this is sending one more time; looks like we've failed quite a few times. Again, it should work, but if it doesn't I'll just have to change the payload that's being used.

All right, so I finally got the Meterpreter session. I had to restart the box, which is primarily why the IP has changed, because again I wasn't able to successfully exploit the vulnerability and get a Meterpreter session. But as I said, I'm guessing, by how this particular box was structured, they made the assumption that you'd pretty much get a command shell, so I'll just take you through how to upgrade your shell to a Meterpreter shell. So to do this, what you want to do, and again you can background your session really easily by using Ctrl+Z, it's going to then ask you whether you want to background it; I'm going to hit yes. If you then want to list out your sessions, just type in sessions and that will list them out for you. In my case you can see, given that I already have a 64-bit Meterpreter shell and NT AUTHORITY, a lot of the work has already been done. However, I'll just take you through it. So the module we're looking for is going to be, search for shell_to_meterpreter, I believe. So if we search for that, you can see this is a post-exploitation module, so we can just copy that and use that here. We take a look at the questions or the tasks, so it's going to say: if you haven't already, background the previously gained shell; research online how to convert a shell to Meterpreter in Metasploit. This is the module here, that's my guess; I would assume this is the only one I know, and that is the only one. There we are. So select this module, use the module path, and show options: what options are we required to change? So I'll just submit that. Oh yeah, we actually need to submit that right now. So show options: the only option we need to specify is going to be the LHOST and the session. Right, so again we don't need to specify the LHOST, but it's always good to do that, because this is a post-exploitation module, so the only option we need to change is going to be the session. So I'll hit submit, there we are, so that's correct. So set the required option, so we can do that now. So I'll list my sessions one more time; so we say set session to session one, set session 1. What's next? And we're going to hit yes, run. All right, so we're going to hit run now. I'm guessing this is going to fail; I'm not entirely sure it's going to work, primarily because we already have one. Yeah, so that failed because it could not find the file specified. In any case, that's how to upgrade a regular shell, or a command shell, into a Meterpreter shell.

Okay, so we can now go back into our Meterpreter session, so sessions 1; that'll switch me back in here, and we can then hit complete here, and that is also done. So verify that we've escalated to NT AUTHORITY. You can easily do this using Meterpreter by typing in sysinfo, hit Enter; you can see, yeah, that doesn't display that. So if we get into a shell and we type in whoami and hit Enter, you can see we are NT AUTHORITY. So I'm going to hit yes we are; as you can see, it actually displays that for you. So list all the processes running using the ps command; just because we are SYSTEM doesn't mean our process is. Find a process towards the bottom of this list that is running as NT AUTHORITY and write down the process ID. Okay, so what I'll do is I'll go back into the Meterpreter session here, we'll list all the processes, and it says look for one at the bottom, NT AUTHORITY, or towards the bottom, sorry. So list all of the processes running via the ps command; just because you're SYSTEM etc., find the process towards the bottom of the list that is running as NT AUTHORITY and get the process ID. All right, so this is the one here; the process ID is 2596, it's listed in this column here, so 2596. Write down the process ID, no answer needed, we'll hit complete. Migrate to this process, so we can migrate: migrate 2596 and hit Enter. I'm not sure that'll migrate successfully. There we are, access is denied, but we can actually move to this one, or the svchost, which is ideal, so migrate 2488, hit Enter. I'm sure this is telling us that that doesn't work, again access denied. If we get whoami, sorry, into a shell session here, whoami, we already have NT AUTHORITY, so we can hit complete there. It's going to migrate here because we already have a stable Meterpreter session.

All right, so now we're in password cracking, pretty much the final stage here. It's always important to see if you can crack any of the user passwords. Now this is Windows 7, so it's going to be NTLM, so we can pretty much crack this with John the Ripper. The first thing however that we need to do is dump the passwords. As I've already covered in my previous video, where I talked about Windows enumeration, local enumeration that is, I mentioned how to dump passwords. There are multiple modules that you can use; however, with the Meterpreter session you can simply type in hashdump and hit Enter, and it gives us the various hashes for the users on the system. So we can copy these, and what I'm going to do now is I'm just going to say we'll use vim, we'll create a file called hashes.txt, and we'll insert these in here and we'll save this. All right, now when we talk about cracking passwords with John, which again we've already made a video on, however we haven't covered NTLM cracking, so I'm going to show you how to do that right now. So it's going to say: within our elevated Meterpreter shell, run the command hashdump and dump all the password hashes. So what is the name of the non-default user? I'm guessing that's going to be Jon, right, if I'm not wrong that is Jon. So Jon, hit submit; yeah, that's correct. Okay, so copy the password hash to a file and research how to crack it. So in this case it's telling us only to crack the user password, or the user hash, for the user Jon, so we'll just get rid of the Administrator and the Guest account, sorry, and we'll write those changes. And let's just take a look at the other ones; so this is for the flags.

All right, so let's get to cracking. So we'll go back into the terminal. Before I get started I just want to make sure I have the wordlist, so /usr/share/wordlists; by default we have rockyou. So what I'm going to do is we'll say gzip, and we're going to decompress /usr/share/wordlists; we can actually just use star. So we say tar, well, that is just a gzip file, so gzip /usr/share/wordlists/rockyou, hit Enter, give it root privileges here, because we're now using the default Kali user, which is always a pain in the neck. Okay, so in cracking we want to say sudo john, and we then need to specify the format. In this case the format is going to be NT, primarily because LANMAN is not there, but it is included, or it is combined with the NT hash. So format is going to be NT, and then we specify the wordlist, so wordlist is going to be equal to /usr/share/wordlists, and we're going to look for rockyou.txt, and we then need to provide the hashes, or the file containing the hashes. Hit Enter and it's going to begin the cracking process, and it gives us the password here: it's alqfna22. So we'll copy that and let's put it in here; hopefully that's the correct password. And that is correct, so we'll get rid of that and we can now move on to finding the flags.

So: find three flags planted on this machine. That's weird, I thought they said this isn't a capture the flag. Anyway, that's just splitting hairs there. So finding flags: flag 1, flag 2 and flag 3. Flag 1: only submit the flag content, okay. Errata: Windows really doesn't like the location of this flag, this is flag 2, and may occasionally delete it, so it may be necessary in some cases to terminate or restart the machine. Okay, and then flag 3. Right, so what we'll do is we'll go back into our session here and we're going to go back to the root of the C drive. If I list all the files here, we have flag 1 immediately, so that's stored in the root of the C drive. So cat flag1, sorry, that is flag 1. The flag is access the machine; only submit the flag contents. That's weird, so the flag is access the machine, okay, so we'll just copy that. That's a weird flag; I was expecting some sort of base64 type code. Right, so that is correct, and we then need to look for flag 2. So let's try and see if we can find it within one of the user's directories. So flag 2: we have the user Jon, so we'll check there before the Administrator, which doesn't actually have a user account, the user data segregation. So within here we can see that we have nothing here, so we'll check the Desktop; that doesn't display anything. Let's just check the Documents. It said that the second flag would be kind of difficult to find because Windows automatically deletes it, so that's going to be under the Windows directory. So let's just check Documents here, and we got flag 3. All right, so we have flag 3 instead of flag 2, which is fine. So flag 3: an admin's documents can be valuable. That is correct; a lot of admins store their documents within the Documents directory. That's just a guess, I don't know, I'm pretty sure they don't do that, but anyway.

So for flag 2, I don't know exactly where this might be, so again I'll just go into the root of the C drive and we'll say locate file flag2., and I'm guessing this is going to take a while. Sorry, not locate; search, we want to search for this. What am I doing, we're not on Linux here. So Meterpreter has an inbuilt feature that allows you to search for files or directories, and you specify the file name or the file extension, and you can use the wildcard option to look for all txt files, for example. So I'm guessing this is going to take a while, so I'm just going to wait for this to complete. All right, so it tells us that flag 2 is under Windows\System32\config; it's under that directory, and it's actually found it, which is cool. So we can get the contents of this file here. So it's saying the file, it cannot find that, so we pretty much have to go into Windows, cd System32, that's weird, and then into the config directory, which should then have flag2.txt. So yeah, this is quite a large directory, that's why you can see it's actually taking a while. So what directory is that again? config, I believe; it's the config directory, so cd config, and we'd actually want to list anything there. So flag2.txt, hit Enter, and it says the flag name is sam database elevated access. Okay, so we'll put in flag 2 right over here, and that looks like it is complete.

All right, so that was, again, a simple box, but very, very good. I like the part where it actually covers password cracking, because on other systems, or other CTFs, that's not encouraged or it isn't done; you're simply just looking for flags. So overall I really like TryHackMe. We'll be going through the next machine; so, completed Blue, check out Ice. So we're going to take a look at that right now, actually. But that being said, thank you very much for watching. Let me know what you guys thought; if you have any comments, feedback, suggestions, I'd love to hear what you guys have to say. If you have any questions or suggestions, let me know in the comments section or on my social networks, either on Twitter or LinkedIn, or if you want to join the discussion on this particular video you can join our forum at forum.hackersploit.org and there'll be a special thread set up for every video, so you can join in and actually communicate and discuss with other users, or any other user that is part of the audience. That being said, that's going to be it for this video and I'll be seeing you in the next video. I just want to take a moment to thank all our patrons at patreon.com/hackersploit for all the support; your support and help is truly appreciated, you keep us making newer and fresher and better content. So I just want to say thank you to all the patrons: Murph the Surf, Daniel Bork, Jonathan Kyle, Adam Mack, Jamal Guillory, Defean Barry, Jeremy Nikolai, Marihara, Max Ciao, Dustin, Empress, Michael Hubbard and Jerry Speds.
Info
Channel: HackerSploit
Views: 23,344
Keywords: hackersploit, hacker exploit, kali linux, tryhackme, linux, hacking, tryhackme walkthrough, tryhackme review, tryhackme vulnversity, tryhackme basic penetration testing, tryhackme basic pentesting, tryhackme blue, tryhackme learn linux, tryhackme linux, tryhackme king of the hill, tryhackme vulnversity walkthrough, tryhackme openvpn, tryhackme metasploit walkthrough, tryhackme tutorial, tryhackme blue without metasploit, eternalblue, eternalblue exploit
Id: 32W6Y8fVFzg
Length: 25min 23sec (1523 seconds)
Published: Thu Dec 17 2020