A Blue Victory
Back in my article about persistence, I mentioned that I had struggled with a room on TryHackMe's platform related to the EternalBlue exploit, and that I had begun researching the issues I was facing with that particular room. This article elaborates on some of the tasks in the room and how I resolved my earlier problems and completed it. Please note that this article isn't a walkthrough, but some of my discoveries may help you if you're going through the same room and getting stuck.
The Main Goal
For those who aren't familiar with this room on TryHackMe, it requires a Linux VM (either your own or TryHackMe's AttackBox loaded through the web portal), an attack target (provided by TryHackMe in a safe and approved environment), and Metasploit installed on the Linux VM. Once both machines are ready, the objective is to use Metasploit to run the ms17-010 exploit against the target to gain administrative privileges. Once those privileges are gained, the room provides steps that guide you to locate a flag, much like a guided Capture-the-Flag (CTF).
Problem #1
My first difficulty arrived early on in the room's tasks. I originally used an Ubuntu 20 VM, where I needed to install Metasploit manually. There are several methods described online for installing Metasploit. My first attempt didn't appear to have worked correctly, so I reinstalled it using the installation guide provided by Rapid7, the makers of the Metasploit Framework. This was more successful, and I was able to load Metasploit Framework version 6 (msf6). I was then able to deploy the ms17-010 exploit, known as EternalBlue. This opened a shell on the target machine, which was running a Windows OS. The next step was to background that shell so that my command line would return to the msf6 console to run additional modules. However, each time I pressed Ctrl+Z to background the session, it backgrounded the entire terminal, including my msf6 console. This was not the intended behavior, and it wouldn't let me progress further.
Initially I searched Google and tried to figure out what was happening. That first stage of research was how I discovered that most Ubuntu versions background the entire shell and the user gets kicked out of msf. Next I tried to find out whether there was a way to background the remote shell while keeping msf6 open. I found a few discussions on the topic and tried their methods of keeping the shell inside msf6, but they didn't appear to work for me. After further research, I decided to switch over to my Kali VM, as it was the recommended Linux flavor for using msf. After switching to my Kali VM, I was able to background the remote shell and keep my msf6 console in the foreground to run the next module. Success!
Problem #2
After successfully running the main EternalBlue exploit from my Kali machine against the target Windows machine, I backgrounded the remote shell and returned to my msf6 console. From there, the next step was using another module called Meterpreter. This would allow Linux-style commands to be run on the Windows OS environment. I was able to locate the module in msf6, load it with the correct options (the target machine's IP, my local IP, and the listening port), and run it. But then came an error. When I encountered this error, further research suggested that I needed to update to the newest version of msf. A quick "sudo apt update && sudo apt upgrade" brought me to a newer version of msf6. Great! I loaded msf6, ran EternalBlue, backgrounded the remote shell, ran the Meterpreter module, and hit another error. This newest error mentioned something about a payload being too big. At first I was confused, as the payload was the one recommended by the TryHackMe room's instructions.
After searching the web for several days, I wasn't able to find anything that directly solved the problem. There were a few additional adjustments to configuration files that I tried, but nothing quite worked. Only after coming across a conversation in the Discord channel of a group I'm part of did I see a discussion that might solve the problem. A member of the community mentioned that they had success running the exploit using msf5. Following up, a senior member of the group suggested downgrading from msf6 to msf5 and then running the exploits again. So I took that advice, researched how to downgrade on Linux, and ran the exploits on msf5. And what do you know, it worked! I was able to load the Meterpreter shell without any errors. Once I had that, I was able to continue through the room and complete the tasks fully.
Conclusion
The main solution to my issue was downgrading from msf6 to msf5 in order to complete the Blue room on TryHackMe.com. Going through this process was slightly frustrating and required me to take a few breaks to step back and reassess the situation. But it goes to show you: keep pushing through those frustrations and you'll eventually find the answer. Keep connecting with others who are pursuing similar interests and you'll have support to help you.