# Blue Room TryHackMe

## Introduction

In this room we are going to learn about the EternalBlue exploit.

EternalBlue is a computer exploit developed by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability.

On May 12, 2017, the worldwide WannaCry ransomware used this exploit to attack unpatched computers. On June 27, 2017, the exploit was again used to help carry out the 2017 NotPetya cyberattack on more unpatched computers.

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to remotely execute code on the target computer.\
\
Source: Wikipedia

## Blue Room TryHackMe

### Room Initial View

<figure><img src="/files/EJcjpnXRnVY1WUF3Wbe5" alt=""><figcaption><p>Initial room view</p></figcaption></figure>

Room Tasks

<figure><img src="/files/QD9QwbKc95Gb9DX8jBQz" alt=""><figcaption><p>The questions given in the room to be solved</p></figcaption></figure>

The Room has 5 tasks to be solved.\
**Task 1: Recon**\
**Task 2: Gain Access**\
**Task 3: Escalate**\
**Task 4: Cracking**\
**Task 5: Find Flags!**

Let's start the machine and complete the tasks.

## **Task 1: Recon**

<figure><img src="/files/1fruwlzVcYEBe9mWn1rs" alt=""><figcaption></figcaption></figure>

Let's take a look at the questions from Task 1.

<figure><img src="/files/bqeBt93qLmGJ7iH5NIOE" alt=""><figcaption><p>These are the questions given in Task 1</p></figcaption></figure>

To answer these questions we need to scan the target machine's IP with Nmap.

### Scanning the target

I opened the attack box and started the Nmap scan.

```sh
root@attack-box:~# nmap -A -sV -script vuln  [target-ip]
```

Scan result from Nmap

{% code overflow="wrap" %}

```shell
root@attack-box:~# nmap -A -sV -script vuln  [target-ip]

Starting Nmap 7.60 ( https://nmap.org ) at yyyy-mm-dd hh:mm GMT
Nmap scan report for attack-box
Host is up (0.00044s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
| rdp-vuln-ms12-020: 
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|           
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|   
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|           
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_sslv2-drown: 
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49158/tcp open  msrpc         Microsoft Windows RPC
49160/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 02:B4:F6:22:77:31 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 1 hop
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

TRACEROUTE
HOP RTT     ADDRESS
1   0.44 ms attack-box
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 169.88 seconds

```

{% endcode %}

With this scan we found how many ports are open and which vulnerabilities the given machine has.
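Reading a long vuln-script report by eye is error-prone, so here is an added example (not part of the original writeup) that turns Nmap's normal output into a triage list: open ports, plus each NSE script's findings that Nmap actually marks VULNERABLE (entries such as `|_sslv2-drown:` with no result are skipped). The sample input is a constructed, trimmed excerpt of the scan above; the function names are mine.

```python
import re
# Constructed excerpt of the Nmap output above (ports trimmed, reference lines removed).
SAMPLE_SCAN = """\
445/tcp   open  microsoft-ds  Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|_    Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|_sslv2-drown:
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
SCRIPT_RE = re.compile(r"^\|[_ ]([\w.-]+):")  # "| name:" or "|_name:" opens an NSE script block

def parse_nmap(text: str):
    """Return (open ports, {script: [(CVE, risk)]}) for findings nmap marks VULNERABLE."""
    ports, findings, script, cve, state = [], {}, None, None, ""
    for line in text.splitlines():
        if (m := PORT_RE.match(line)) and m.group(3) == "open":
            ports.append((int(m.group(1)), m.group(2), m.group(4)))
        elif m := SCRIPT_RE.match(line):
            script = m.group(1)
        else:
            body = line.lstrip("|_ ").strip()  # drop nmap's "|   " prefix
            if body.startswith("State:"):
                state = body.split(":", 1)[1].strip()
            elif body.startswith("IDs:") and (c := re.search(r"CVE-\d{4}-\d+", body)):
                cve = c.group(0)
            elif body.startswith("Risk factor:") and script and cve:
                if state.startswith(("VULNERABLE", "LIKELY")):  # skip NOT VULNERABLE entries
                    findings.setdefault(script, []).append((cve, body.split()[2]))
                cve = None
    return ports, findings

def needs_patching(findings: dict) -> list:  # CVEs nmap rated High, sorted, for the patch ticket
    return sorted({cve for hits in findings.values() for cve, risk in hits if risk.lower() == "high"})
```

On the full scan this yields the MS17-010 and MS12-020 RCE entries as the High-rated items, which is exactly what a patch ticket for this host should list.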

Now, with the information gathered, we can answer all the questions in Task 1.

<figure><img src="/files/6ph5t9PEsteGn4OAnlFZ" alt=""><figcaption></figcaption></figure>

## **Task 2: Gain Access**

<figure><img src="/files/vZxrFi20VuGrF87dSTqI" alt=""><figcaption><p>Question's in Task 2</p></figcaption></figure>

In Task 2 to get the answers we need to use [Metasploit](https://tryhackme.com/room/rpmetasploit).

Let's start Metasploit.

<figure><img src="/files/Uf0hNghi3uc5T8O0H4fm" alt=""><figcaption></figcaption></figure>

After Metasploit has opened, search for 'ms17-010', since that is the vulnerability the Nmap scan found.

<figure><img src="/files/1pal6gK6HEP4XDz9So1H" alt=""><figcaption></figcaption></figure>

Let's check the options and use the exploit.

<figure><img src="/files/xVcT1ZXrzfwAHXujsK7F" alt=""><figcaption></figcaption></figure>

Set RHOST to the target machine's IP.

<figure><img src="/files/eYQ15OFSMDkZgjIautcq" alt=""><figcaption></figcaption></figure>

Now we run the exploit and wait for it to finish.

<figure><img src="/files/9fDRmyVAfCqAsRmaQNjm" alt=""><figcaption></figcaption></figure>

The exploit completed successfully.

<figure><img src="/files/dmb6g3V41AodT8EzpEHH" alt=""><figcaption></figcaption></figure>

Sometimes the exploit might fail; just run it again or restart the machine.

My exploit was successful and the Meterpreter session was created.

Now type `shell` to open a cmd prompt on the victim.

<figure><img src="/files/ca4TBrq2CE9p7Xow6Mx0" alt=""><figcaption><p>shell successful</p></figcaption></figure>

*<mark style="background-color:yellow;">If you are running from a Kali VM, make sure to set LHOST to tun0.</mark>*

<figure><img src="/files/W9WxMbaVNVx4roC92woz" alt=""><figcaption></figcaption></figure>

Now, with the information gathered, we can answer all the questions in Task 2.

<figure><img src="/files/uCWrlK4nkqusV5gJAESA" alt=""><figcaption></figcaption></figure>

## **Task 3: Escalate**

Let's take a look at the questions from Task 3.

<figure><img src="/files/DzCGqMTx9CzGGeKDj2Dn" alt=""><figcaption></figcaption></figure>

## Task 4: **Cracking**

Let's take a look at the questions from Task 4.

<figure><img src="/files/dVoyagHVz7cPZz6Il4mO" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/fujmXJLpmvE16TUj3sOT" alt=""><figcaption></figcaption></figure>

To crack the hashes we use John the Ripper with rockyou.txt as the wordlist.

If this is your first time using the rockyou.txt wordlist, you need to unzip it first.

<figure><img src="/files/bryfRykx8FA4JlUOi4kk" alt=""><figcaption><p>unziping rockyou.txt.gz</p></figcaption></figure>

Make sure that only the username and the hash are present in the hash file.

<figure><img src="/files/fqUVWX6PRBGKkfjs14vv" alt=""><figcaption></figcaption></figure>

Now run John against the hashes and we get the password in plain text.

<figure><img src="/files/89Ss2GV3ijR2DBBk3dzc" alt=""><figcaption><p>cracking hash with john</p></figcaption></figure>

{% embed url="<https://www.pwndefend.com/2022/05/13/how-to-crack-nthash-commonly-referred-to-as-ntlm-password-hashes/>" %}
You can also check this page for cracking NTLM passwords.
{% endembed %}

Now, with the information gathered, we can answer all the questions in Task 4.

<figure><img src="/files/dK18bQVq6M6hmEEZmWkF" alt=""><figcaption></figcaption></figure>

## Task 5: **Find Flags!**

To find the flags, we go to the root of the drive and search recursively for file names containing "flag":

```
dir *flag*.txt /s
```

<figure><img src="/files/VPzvMreSsoKsvaM15KUV" alt=""><figcaption></figcaption></figure>

Now we have found the locations of the flags.

Submit the flags and enjoy your new blue badge when completed.

<figure><img src="/files/HLiSqD7yNhdyG7rpklUF" alt=""><figcaption></figcaption></figure>

Until next time...

