🪟Blue Room TryHackMe

Deploy & hack into a Windows machine, leveraging common misconfigurations issues.

Introduction

In this room we are going to learn about eternal blue exploit.

EternalBlue is a computer exploit developed by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability.

On May 12, 2017, the worldwide WannaCry ransomware used this exploit to attack unpatched computers. On June 27, 2017, the exploit was again used to help carry out the 2017 NotPetya cyberattack on more unpatched computers.

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to remotely execute code on the target computer. Source: Wikipedia

Blue Room TryHackMe

Room Initial View

Initial room view

Room Tasks

The questions given in the room to be solved

The Room has 5 tasks to be solved. Task 1: Recon Task 2: Gain Access Task 3: Escalate Task 4: Cracking Task 5: Find Flags!

Lets start the machine and complete the tasks.

Task 1: Recon

lets take a look at the questions from task 1

These are the questions given in Task 1

now to get the answers for this questions we need to scan the target machine ip with Nmap.

Scanning the target

I opened the attack box and started the Nmap scan.

root@attack-box:~# nmap -A -sV -script vuln  [target-ip]

Scan result from Nmap

root@attack-box:~# nmap -A -sV -script vuln  [target-ip]

Starting Nmap 7.60 ( https://nmap.org ) at yyyy-mm-dd hh:mm GMT
Nmap scan report for attack-box
Host is up (0.00044s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
| rdp-vuln-ms12-020: 
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|           
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|   
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|           
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_sslv2-drown: 
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49158/tcp open  msrpc         Microsoft Windows RPC
49160/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 02:B4:F6:22:77:31 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 1 hop
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

TRACEROUTE
HOP RTT     ADDRESS
1   0.44 ms attack-box
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 169.88 seconds

now with this scan we found the how many ports are open and also the vulnerability's in the machine given.

Now with the information gathered we can answer all the questions in Task 1

Task 2: Gain Access

Question's in Task 2

In Task 2 to get the answers we need to use Metasploit.

Lets start metasploits

after the Metasploit has open'd search for 'ms17-010' since we found that the vulnerability from Nmap scan.

Lets check the options and use the exploit

Set RHOST to the target machine ip

Now we exploit and wait for the exploit to finish.

Exploit completed and succesful.

Some times the exploit might fail but just run it again or restart the machine.

my exploit was success and even the meterpreter session was created.

now type shell to open cmd of the victim.

shell successful

if you are running from kali VM make sure to set LHOST as tun0.

now with the information gathered we can answer all the questions present in task 2

Task 3: Escalate

Let's take a look at the questions from task 3

Task 4: Cracking

lets taka look at the questions from task 4

to crack the hashes we use john with rockyou.txt as the wordlist

if this is your first time using the rockyou.txt wordlist you need to first unzip it and then use it

unziping rockyou.txt.gz

make sure that only the username and the hash are present in the hash file

now run john against the hash's we get the password in plain text.

cracking hash with john

How to Crack NTHASH (commonly referred to as NTLM) password hashes?PwnDefend

you can also check this page to crack the NTLM passwords.

now with the information gathered we can answer all the questions present in task 4.

Task 5: Find Flags!

now to find the flags we go to the starting of the directory and search for the file name with flag

dir *flag*.txt /s

now we found the locations of the flags.

submit the flags and enjoy your new blue batch when completed.

Until next time...