TRYHackMe: Blue Machine Solution
In this article, we will share the solution of the Blue machine?available on Tryhackme?.?After Deploying Room, we get the IP address it gets.
First, we do an nmap scan.
Here I also added the –script vuln parameter.?Thus, we have also had Nmap scan for vulnerabilities using the Nmap Script Engine.?You can use Nessus?or?Openvas?for broader vulnerability scans in real-world applications?.
As a result of the Nmap scan, you can see the vulnerabilities in the VULNERABLE section.
Here is one of the most famous Windows vulnerabilities?ms17-010
We know that there is a metasploit exploit for this vulnerability.?We're running the Metasploit Framework right now.
To use the exploit listed in the 3rd row, it is enough to type?use 3?.
With the show options command, you can see the options that need to be set to exploit.?It is enough to set the target machine IP address with the RHOSTS parameter.
We fire it with the exploit?command.?If the exploit is successful, you've won.
As you can see above, we have gained access to the target system.?Let's put this session in the background by pressing Ctrl+Z.
Thanks to the exploit, we will use the famous Meterpreter payload in order to do what we want in the target we reach and to be a more privileged user (root for Linux, Administrator for Windows).?We use the?use/post/multi/manage/shell_to_meterpreter?command for this.
The option we need to set is?session .?When we use this command, the sessions we previously obtained thanks to the exploit appear.?We wrote?set session 1 and then sent the payload with the?run??command.
When we looked at sessions again, we saw that we were logged in with an authorized user.?Now we write the session id of the -i parameter to open a meterpreter session with this authority.?The command we need to use is?sessions -i 2
We got a meterpreter session.?Let's see if we get privilege in the system.?We saw that we were admin when?whoami pulled.
Now let's try to obtain the user name and password information of the users in the system.?If you pay attention, they are asked in the questions that we need to answer.
We return to the meterpreter with Ctrl+Z and list the running processes with the ps command.
Being privileged at the system level may not be enough.?So we need to migrate a process with privileged permissions (here SYSTEM).
领英推荐
Now we can get hashes of user information with hashdump.
I saved the hash values of the Jon user to a file named win7.txt with the nano editor.
Now let's try to crack this hash value with the john the ripper tool.
As you can see above, Jon's password is alqfna22.
Now let's go to the C: directory and start looking for flags.
We found the first flag in the C: directory, and we can look at its contents with the?cat?command.?We found the first flag as access_the_machine.
We start to search for the 2nd and 3rd flags in other directories.?Let's take a look at the Windows/System32/config directory
We also caught the 2nd flag (flag2.txt) here.?Again, you can look at the content with cat.
Next is the last flag.?We also find this in Jon's Documents directory.