TryHackMe | Blue

So recently I started to try my hand at vulnerable boxes, and some of my friends recommended a website called “TryHackMe” because it’s a little nicer to beginners than some VulnHub/HackTheBox boxes are, so I decided to go for it! Here is a short overview of my journey exploiting this box.

If you have any questions, feel free to leave a comment. Some of my answers/explanations may not match up to the answers I gave on TryHackMe, and that is just because they expected a very linear approach and I accidentally went off and used an exploit that did basically the same thing, just in a different way.

So our first task is to scan the machine. TryHackMe gives you an IP, so I booted up Kali, started using ZenMap (yeah I know, I’m a pleb), and hit the machine with an intense scan. The only reason I started with the intense scan is because this is just a box challenge, a normal scenario would require a bit more finesse.

And as you can see outlined in red, I was able to find the three ports that are open that were under 1000.

So, since this box is based off of EternalBlue, and there is an nmap scan specifically for these vulnerabilities, I created a new custom ZenMap profile and did a custom scan looking for these vulnerabilities, plus a few other things.

Now, you can see that this box is definitely vulnerable to the vulnerabilities we were looking for.

In this pic, you can see what options are available in Metasploit to use to get into this box. I would recommend attempting this exploit in any other way than using Metasploit (just for the sake of experience), or at the very least, find a small script yourself (like a python one), study the script a bit, and then use it to exploit the box. The only reason I didn’t, was because I was racing a friend on this box.

Also, you’ll see that I set all of the options for Metasploit to exploit the box successfully.

Hitting “run”, and we’ve got a successful session on the machine, we will want to background this session, just to check a couple other things out real quick.

Running ifconfig, it comes back successfully identifying that we are on the machine now.

getsystem also identifies that we have Admin as well.

Starting a shell, and running whoami, shows that kind of system we are on, and what authority we have.

And we migrated our session to a different service ID on the system successfully. During this though, our process may or may not die, so we might need to restart it!

The three main reasons for migrating the process is:

  1. You have an unstable shell and might need to move to a more “robust” process.
  2. Some exploits require an interactive session (AKA not session 0).
  3. You need to migrate from a 32-bit process to a 64-bit operating system.

You can read more about process migration here.

Using hashdump, we can see that there are three users on the computer. We want into the “Jon” user account though, so we are going to grab that hash and try to crack it.

Luckily, the hash itself is pretty easy to crack using an online database, and we get the password, which is “alqfna22”.

And just as a side note, sites like crackstation don’t usually actively crack hashes for you. They just match the hash up to a preexisting one in their database and give you the result. So it’s a quick and easy way to do it if you don’t feel like actually going through the cracking process, and sometimes you get lucky and find matches.

Now we are on the hunt for flags. Using search search -f flag*.txt we were able to find all of the text files with the word “flag” on the box. The asterisk at the end before “.txt” is a wildcard, which is why flag1, flag2, and flag3 all showed up. All that’s really left is to traverse to those parts of the directory and see what’s inside those files.

This box was a great experience for a beginner like me, and I had a ton of fun working on it! It took me just barely under an hour, and was very short but sweet, and has encouraged me to continue to try out more boxes.

Thanks for giving this a read!

Leave a Reply

Your email address will not be published. Required fields are marked *