https://tryhackme.com/room/blue

This is my first public write-up for an online hacking challenge and we are starting with the box called “Blue” from the site tryhackme.com. The goal here is not just to show how to complete all the tasks but to also provide additional information as to why.

Also, keep in mind that I try hard to be accurate but I’m not perfect and I am myself a perpetual learner. If you see something here that you know is inaccurate please let me know and I’ll be happy to make changes.

Task 1 - Recon

After we’ve connected to the tryhackme network the first task is to do reconnaissance on the target. I am using Kali Linux as my attack box, which includes several different scanning tools, but Nmap will be our go-to.

Nmap has hundreds of different scan options but we are going to use the following:

-sC (script scan): Performs a script scan using the default set of scripts. It is equivalent to --script=default. Some of the scripts in this category are considered intrusive and should not be run against a target network without permission. https://nmap.org/book/man-nse.html

-sV (version detection): After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses. Nmap tries to determine the service protocol (e.g. FTP, SSH, Telnet, HTTP), the application name (e.g. ISC BIND, Apache httpd, Solaris telnetd), the version number, hostname, device type (e.g. printer, router), the OS family (e.g. Windows, Linux). When possible, Nmap also gets the Common Platform Enumeration (CPE) representation of this information. https://nmap.org/book/man-version-detection.html

-oA <basename> (output to all formats): As a convenience, you may specify -oA <basename> to store scan results in normal, XML, and grepable formats at once. They are stored in <basename>.nmap, <basename>.xml, and <basename>.gnmap, respectively. As with most programs, you can prefix the filenames with a directory path, such as ~/nmaplogs/foocorp/ on Unix or c:\hacking\sco on Windows. https://nmap.org/book/man-output.html

Shoutout to IppSec and his amazing videos where he occasionally uses these particular scans to start his recon.

An alternative to using the -sC command is to use —script and the vuln category to try and identify weaknesses in your target.

--script <category> (Nmap Scripting Engine ‘NSE’): Specify the --script option to choose your own scripts to execute by providing categories, script file names, or the name of directories full of scripts you wish to execute. https://nmap.org/book/nse-usage.html#nse-categories

vuln: These scripts check for specific known vulnerabilities and generally only report results if they are found. Examples include realvnc-auth-bypass and afp-path-vuln.

Below, we see that Nmap is indicating the target may be vulnerable to ms17-010 (on the left) and we can verify this using Metasploit (on the right).

Metasploit is another powerful yet complex tool that has many options and features. We start by simply doing a search for ms17-010 and we find that there are both auxiliary and exploit modules tailored for this particular vulnerability.

search: The msfconsole includes an extensive regular-expression based search functionality. If you have a general idea of what you are looking for, you can search for it via search. https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/

auxiliary/.../.../: Auxiliary modules include port scanners, fuzzers, sniffers, and more. https://www.offensive-security.com/metasploit-unleashed/modules-and-locations/

exploit/.../.../: In the Metasploit Framework, exploit modules are defined as modules that use payloads. https://www.offensive-security.com/metasploit-unleashed/modules-and-locations/

Let’s use the auxiliary scanner to see what we turn up with.

If we look at the description for module #1 we see that it is used for “MS17-010 SMB RCE Detection” - the key word here being detection.

To use a module in Metasploit you just type the word “use” and then the full path to the module. We can just copy it from our search output to make it easy.

options (set): The set command allows you to configure Framework options and parameters for the current module you are working with. https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/

set (RHOSTS): <IP ADDRESS>

Metasploit has confirmed what we already knew that the target host is indeed vulnerable to the ms17-010 EternalBlue exploit.

Our recon is done and we can complete the task challenges

Task 2 - Gain Access

Now that we know what exploit to use lets go ahead and load it up.

This module has four required settings and three of them are automatically configured for you. The only thing you have to do is provide a target so we use the command:

set RHOSTS 10.10.104.155

Everything is locked and loaded so let’s pull the trigger.

windows (whoami): Displays user, group and privileges information for the user who is currently logged on to the local system. If used without parameters, whoami displays the current domain and user name. https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami

windows user account (system): The SYSTEM account is the highest privilege level in the Windows user model. It exists to provide ownership to objects that are created before a normal user logs on, such as the Local Security Authority Subsystem (LSASS) and the Session Management Subsystem (SMSS). https://security.stackexchange.com/questions/66743/system-account-in-windows

We have now gained a foothold on the target so we can mark the task challenges as complete.

EternalBlue

Before we go any further let’s pause for a moment. A lot of people (myself included) often barrel through challenges like this without ever stopping to think “What am I doing? How and why does this exploit actually work?”. We don’t need to be subject matter experts on every technical detail of everything we ever do but as professionals we should strive to have at least a basic understanding of our tools and techniques.

Rather than recreate the work of people much smarter and more capable than me I will simply give you my own abbreviated explanation and link directly to more in-depth resources that you can check out on your own.

TL;DR - EternalBlue affects unpatched Windows versions earlier than 8 by exploiting a vulnerability in the SMBv1 protocol to cause a buffer overflow that ultimately leads to remote code execution. EternalBlue was the main attack vector used by the WannaCry ransomware to target and exploit it’s victims.

A decent amount of information without getting too deep in the weeds:

SMB Exploited: WannaCry Use of "EternalBlue"

Your lips are wrapped solidly around the fire hose and they are opening the hydrant:

EternalBlue – Everything There Is To Know

DEF CON 26 - zerosum0x0 - Demystifying MS17 010 Reverse Engineering the ETERNAL Exploits

Task 3 - Escalate

This task requires us to escalate our privileges on our target machine. We saw previously that after running our exploit we already had SYSTEM but for the sake of the challenge (and this write-up) we will go through it anyways.

We left off with shell access on the target so to get back to our local terminal we type CTRL+Z and select “yes” when metasploit asks us if we want to backround our session.

Take note that this is “session 2” since we will be coming back to it later…

The challenge wants us to convert our “regular” shell access on the target to a “meterpreter” shell; naturally there is a module for that, all we need to do is load it.

One of my (many) quirks is that when I’m pivoting around an app I like to start at the root and move around from there (i.e.- in a Linux terminal doing a cd back to / before moving into another directory) . This is slightly inefficient but I do it anyway - I just wanted to call it out so that you, dear reader, don’t get the impression from the screenshots that you should to do the same thing :)

From the module console you can use the back command to move back to the main MSF console. Use the search command to find anything related to Meterpreter.

Now that we’ve found our shell converter we can copy the module path and load it. The first thing to do after loading a module is to check it’s settings for requirements - in this case we need to tell the module which session to bind to.

After setting all the required options we run the module.

If you ever forget what sessions you have running in the backround you can use the sessions command to list them.

To interact with a given session, you just need to use the -i switch followed by the ID number of the session.

Meterpreter

We are going take another short pause to talk about meterpreter before moving on.

“Meterpreter is one of the flagship products in Metasploit and is leveraged as a payload after a vulnerability is exploited. A payload is the information returned to us when we trigger an exploit. For example, when we exploit a weakness in a Remote Procedure Call (RPC), trigger the exploit, and select Meterpreter as the payload, we would be given a Meterpreter shell to the system. Meterpreter is an extension of the Metasploit Framework that allows us to leverage Metasploit’s functionality and further compromise our target. Some of this functionality includes ways to cover your tracks, reside purely in memory, dump hashes, access operating systems, pivot, and much more.”

Kennedy, David. Metasploit: the Penetration Testers Guide. No Starch Press, 2011.

Side note: the official Metasploit book cited above is a good resource that I would recommend you check out - with the caveat that you understand it is very much out of date. The metasploit application is continually being developed and updated while the book is not (the lab machines they use are Windows XP and Ubuntu 9.04!). Personally I don’t think the book is worth full price anymore but if you get the opportunity to pick it up as part of a Humble Bundle or something then definitely go for it.

From our meterpreter shell we can attempt to escalate our privileges to SYSTEM.

meterpreter (getsystem): Attempt to elevate your privilege to that of local system. https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/

meterpreter (shell): The shell command will present you with a standard shell on the target system. https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/

The next challenge after escalating our meterpreter shell is to migrate it into another process. Let’s move our standard shell back to meterpreter using CTRL-Z and run the ps command.

We see a list of all running processes on the target machine. I chose to target svchost.exe but you can choose whichever one suits you (just make sure the process owner is SYSTEM).

Were you curious how meterpreter actually manages to inject itself into another running process? Me too!

TL;DR - meterpreter does several syscalls to the Windows API to query the target process, snuggle itself into it’s virtual memory space, and kill the old process.

How does process migration work in Meterpreter

That should do it for this task so we can now mark all the challenges as complete.

Task 4 - Cracking

Now that we have complete control of the target machine lets grab some loot. The task challenge wants us to grab all the password hashes on the machine so lets let meterpreter do the work.

Password Hashing

Let’s take another detour to talk about passwords.

When you create a password on your computer it doesn’t get stored in plaintext - the computer “hashes” it and stores the hash value instead.

Hacker Lexicon: What Is Password Hashing?

“Hash is both a noun and a verb. Hashing is the act of converting passwords into unreadable strings of characters that are designed to be impossible to convert back, known as hashes. Some hashing schemes are more easily cracked than others.”

Greenberg, Andy. “Hacker Lexicon: What Is Password Hashing?” Wired, Conde Nast, 3 June 2017, https://www.wired.com/2016/06/hacker-lexicon-password-hashing/.

The WIndows OS used to rely on LM hashing to store passwords (LM Hash Details) but has since moved over to using NTLM.

Looking at the hashdump above we can break one of them down into it’s component parts (each separated by a colon):

user: Jon
RID: 1000
LM hash: aad3b435b51404eeaad3b435b51404ee
NT hash: ffb43f0de35be4d9917ac0cc8ad57f8d

There are several techniques used to go about cracking passwords and the situation you are in will determine which technique and which tool to use it with.

For this challenge I am using HashCat without any GPU acceleration.

The first step is to take the hashes we have and cut out everything but the username and NT hash. Save that as a regular txt file and call it whatever you want.

The next step is to simply run hashcat against the file you created with a few particular options set.

When HashCat successfully cracks a hash it will append the password to the end of the hash.

option (--username): Enable ignoring of usernames in hashfile
option (--show): Show cracked passwords only
-a (attack mode): 0
-m (hashtype): 1000
hashfile: hashes.txt
wordlist: /usr/share/wordlists/rockyou.txt

Voila! Jon’s password is alqfna22.

The attack method we used is called a “dictionary attack” wherein the tool takes a pre-existing list of passwords (rockyou.txt in this case), hashes each entry using the hash type we specify (NT, or 1000 in this case) and compares them against the list of hashes we provide it (hashes.txt in this case).

There are other attack methods and options with HashCat and I recommend you check out their wiki.

Task 5 - Find Flags!

The last task is to find a few flags planted on the target and this is where real life and practice challenges diverge. In a production network you aren’t looking for flags - you want data. As the attacker (or the whitehat pentester) once you have reached the point where you have gained a foothold and compromised one or more legitimate user accounts it’s time to A) collect sensitive data and B) look for opportunities to compromise more targets.

Regardless of whether you are looking for simple text file flags or sensitive company data the techniques to find them can be the same.

You can view the contents of each flag by using the Windows type command.

The file path is certainly correct but Windows is telling us it can’t find it. This is actually caused because of the spaces in the directory “Documents and Settings” - the OS interprets that first space after the word Documents as the end of the file path and since there is no “C:\Documents” folder it errors out.

The way to get around this is to use quotation marks around the directory so that Windows knows to interpret the spaces as being part of that directory.

File Permissions

Lets talk a bit about file permissions - super boring but super important.

A good resource for learning about Windows file permissions (amongst a plethora of other foundational topics) is the free SANS Cyber Aces course. It too is a bit dated but still well worth your time to go through. Also, you can’t argue with free, right?

File permissions in Windows are controlled using DACLs (Discretionary Access Control List). To view these DACLs you can use the icacls command:

Among other things the icacls command will show you which user groups have access to a particular folder/file. Contrast the permissions for the root C: directory (above) with the permissions for Jon’s personal documents folder:

Any user in the Authenticated Users group can access C: but only admins and Jon can access files in Jon’s document folder. Let’s say that there was another user on the target called Jane; if we had popped Jane’s account instead of Jon or SYSTEM then we would not be able to access the flag in Jon’s folder.

That is one reason why attackers and pentesters will strive to escalate their permissions as high as possible - so as to have the broadest access to folders and files on the system.

You can view which groups a user is part of by using the groups command:

Now that we’ve found the three flags lets complete the task.