[ Blue ] - TRYHACKME


Hello guys, today I am going to do a walkthrough of the machine called Blue. This is a very easy box based on the EternalBlue vulnerability (CVE-2017-0143). As usual, the first thing we do is scan the target with nmap to see which ports are open and which services are running on this machine.

The flags used in the nmap scan are:
-sS - perform a SYN scan
-sV - perform a service version scan
-O - identify the operating system
-T4 - set the timing (speed) of the scan
--open - show only open ports

We notice that the service running on port 445 is SMB, so we can use the Nmap Scripting Engine to check whether this service is vulnerable to EternalBlue.

The flags used are:

-p - test only the port provided (in this case 445)
--script=smb-vuln-ms17-010 - the nmap script to run against our target
The output of the scan shows us that the machine is vulnerable.
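To turn that scan result into something a defender can track, here is an added example (not from the original post) that parses nmap's XML output (-oX) for the smb-vuln-ms17-010 script and lists the hosts still marked VULNERABLE, i.e. those needing the MS17-010 patch. The sample XML, its addresses and the script text are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output for --script=smb-vuln-ms17-010
# against two hosts; addresses and script text are made up for this example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="&#10;  VULNERABLE:&#10;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#10;    State: VULNERABLE&#10;    IDs:  CVE:CVE-2017-0143&#10;    Risk factor: HIGH"/>
    </hostscript>
  </host>
  <host><status state="up"/>
    <address addr="10.10.10.6" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="&#10;  NOT VULNERABLE:&#10;    State: NOT VULNERABLE"/>
    </hostscript>
  </host>
</nmaprun>
"""

# "State: VULNERABLE" vs "State: NOT VULNERABLE": match the whole value, not a substring.
STATE_RE = re.compile(r"^\s*State:\s*(.+?)\s*$", re.MULTILINE)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def vulnerable_hosts(xml_text, script_id="smb-vuln-ms17-010"):
    """Return [(ip, [cve, ...])] for every host the NSE script marked VULNERABLE."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        # Host-rule scripts sit under <hostscript>; iter("script") also covers per-port scripts.
        for script in host.iter("script"):
            if script.get("id") != script_id:
                continue
            out = script.get("output", "")
            state = STATE_RE.search(out)
            if state and state.group(1) == "VULNERABLE":
                findings.append((addr.get("addr"), sorted(set(CVE_RE.findall(out)))))
    return findings


if __name__ == "__main__":
    for ip, cves in vulnerable_hosts(SAMPLE_XML):
        print(f"{ip}: MS17-010 unpatched ({', '.join(cves)})")
```

Feed it a real scan with `nmap -p 445 --script=smb-vuln-ms17-010 -oX scan.xml <targets>` and the list becomes a patch-verification worklist.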

Metasploit already has this exploit, so let's fire it up to gain access.
To start the Metasploit console, run the command msfconsole. Once the console is shown in the terminal, type the command:
search eternalblue
I'll be using windows/smb/ms17_010_eternalblue because we know from the initial nmap scan that the target is running Windows 7. So let's configure the exploit and run it against the machine. To select the exploit, type the following command:
use windows/smb/ms17_010_eternalblue
Now check the options with the command show options. This lists several settings, but for this exploit we only have to set RHOSTS.
To do this, type the command:
set RHOSTS <ip of the vulnerable/target machine>
Now that all configuration is complete, it's time to run the exploit.
To do this, type the command:
run (or exploit)
You should see output similar to this:


This machine has three flags to capture one by one. The first, flag1.txt, is at the root of the system drive, c:\flag1.txt. The second is c:\Windows\System32\config\flag2.txt, which is the actual location of the SAM database. The third is in Jon's Documents folder, c:\Users\Jon\Documents\flag3.txt.

To have more tools at hand, we'll upgrade our OS shell to a Meterpreter shell. Background the session with CTRL+Z, then search for the shell_to_meterpreter post module. Use this module and point it at your session with set SESSION <your_session_id>. After the session is set, type run (or exploit) to run this post module and upgrade your shell. To become NT AUTHORITY\SYSTEM (the privileged admin user), use the Meterpreter command getsystem, which attempts to escalate privileges automatically.
