TryHackMe: Blue Walkthrough



Task 1: Recon

After we've connected to the TryHackMe network, the first task is to enumerate the target.

We use Nmap for scanning the target IP.

Command Used: nmap -sS -Pn <target-ip>

-sS: Scan using a TCP SYN (half-open) scan

-Pn: Treat all hosts as online and skip host discovery




Next we use nmap's vulnerability scripts to look for known weaknesses on the target machine.

Command Used: nmap --script vuln <target-ip>

--script: Choose which NSE scripts to run by providing script categories, script file names, or directories full of scripts.

vuln: This category of scripts checks for known vulnerabilities and generally only reports results if they are found.

Below, we see that nmap is indicating the target may be vulnerable to MS17-010 (on the left), and we can verify this using Metasploit.
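As an added example (not code from the original walkthrough), the script below shows the defender's side of the same vuln scan: it reads Nmap's XML output (written with the real -oX option, e.g. nmap --script vuln -oX scan.xml <target-ip>), pulls out the per-CVE state that NSE vulnerability scripts such as smb-vuln-ms17-010 record, and turns the result into a short remediation list. The embedded XML is a constructed sample that mimics Nmap's layout; the REMEDIATION table is an assumed, defender-maintained mapping and not part of Nmap.

```python
"""Added example, not part of the original walkthrough.

Parses Nmap XML output (nmap --script vuln -oX scan.xml <target-ip>) and
lists the hosts that NSE vulnerability scripts flagged, so a scan can be
turned into a patch/mitigation list instead of an exploit target list.
"""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML layout: one host the smb-vuln-ms17-010
# script reports VULNERABLE, one it reports NOT VULNERABLE. Not real output.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --script vuln -oX scan.xml 10.10.10.10">
  <host>
    <status state="up"/>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.10.10.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="state">NOT VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""

# State strings written by Nmap's vulns NSE library into <elem key="state">
# that mean the host needs attention.
ACTIONABLE_PREFIXES = ("VULNERABLE", "LIKELY VULNERABLE")

# Assumed, defender-maintained mapping from script id to the fix to apply.
REMEDIATION = {
    "smb-vuln-ms17-010": "Install the MS17-010 security update and disable SMBv1",
}


def parse_vuln_findings(xml_text):
    """Return (host, script_id, vuln_key, state) tuples for every NSE
    vulnerability table found in host or port scripts."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for script in host.iter("script"):
            script_id = script.get("id", "")
            for table in script.findall("table"):
                state_el = table.find("elem[@key='state']")
                state = state_el.text.strip() if state_el is not None and state_el.text else "UNKNOWN"
                findings.append((addr, script_id, table.get("key", ""), state))
    return findings


def vulnerable_hosts(findings):
    """Sorted list of hosts with at least one actionable finding."""
    return sorted({f[0] for f in findings if f[3].startswith(ACTIONABLE_PREFIXES)})


def remediation_report(findings):
    """One line per actionable finding with the fix to apply."""
    lines = []
    for addr, script_id, key, state in findings:
        if state.startswith(ACTIONABLE_PREFIXES):
            fix = REMEDIATION.get(script_id, "review the vendor advisory")
            lines.append(f"{addr}: {script_id} {key} is {state} -> {fix}")
    return lines


if __name__ == "__main__":
    for line in remediation_report(parse_vuln_findings(SAMPLE_NMAP_XML)):
        print(line)
```

Run against a real scan by replacing SAMPLE_NMAP_XML with the contents of the -oX file; only hosts whose state starts with VULNERABLE or LIKELY VULNERABLE end up in the report, so NOT VULNERABLE and UNKNOWN results are kept in the findings but not in the action list.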




To start Metasploit, use the command "msfconsole".

We start by simply doing a search for ms17-010.

Here we use module 2, i.e. exploit/windows/smb/ms17_010_eternalblue.

To use a module, we simply type the word “use” followed by either the full path of the module or the index number shown next to it in the search results.

options: displays global options or the options of one or more modules.




Our recon is done, and we can complete the task challenges.



Task 2: Gain Access

Now, we know which exploit to use, so let’s move forward.

This module has four required settings, and three of them are automatically configured for you. The only thing you have to do is provide a target, so we use the
command: set RHOSTS <target-IP>

set: The set command allows you to configure Framework options and parameters for the current module you are working with.




Once we are done configuring the required settings for the module, we can run it by typing either “run” or “exploit”.

If everything goes well, the module prints a WIN banner, which means the exploit ran successfully on the machine and a session was created.




windows (whoami): Displays user, group and privileges information for the user who is currently logged on to the local system. If used without parameters, whoami displays the current domain and username.

We have now gained a foothold on the target so we can mark the task challenges as complete.




Task 3: Escalate

This task requires us to escalate our privileges on our target machine.

We left off with shell access on the target, so to get back to our local terminal we type "background" and select “yes” when Metasploit asks us if we want to background our session.




The challenge wants us to convert our “regular” shell access on the target to a “meterpreter” shell; naturally there is a module for that, and all we need to do is load it.

We use the “search” command to find anything related to meterpreter.





Let's go ahead and set our current module to the converter and check the options we'll have to set.



Looks like we'll have to set which session we need to convert, so let's list our sessions.

The sessions command allows us to list, interact with, and kill spawned sessions. The sessions can be shells, Meterpreter sessions, VNC, etc.




Let’s set the session to 1.



-u: Upgrade a shell to a Meterpreter session on many platforms.

-i: To interact with a given session, we just need to use the -i switch followed by the ID number of the session.

Now we need to interact with the second session.




Let’s move our standard shell back to meterpreter using CTRL-C.

Let's go ahead and make sure we have system-level privileges.

meterpreter (getuid): Running getuid displays the user that the Meterpreter server is running as on the host.

meterpreter (shell): The shell command presents us with a standard shell on the target system.



Now, let's list all the processes running on the system using the “ps” command, and look for a process running as nt authority\system in the generated list.

I chose to target winlogon.exe, but you can choose whichever one suits you (just make sure the process owner is SYSTEM).




meterpreter (migrate): Using the migrate post module, we can migrate to another process on the victim.

Once a process is found, type migrate PROCESSID, where PROCESSID is the ID of the process we are migrating to (left column of the ps table generated previously).

This task is complete, so we can now mark all the challenges as complete.



Task 4: Cracking

The task challenge wants us to grab all the password hashes on the machine, so let meterpreter do the work.

meterpreter (hashdump): The hashdump post module dumps the contents of the SAM database.



We can simply use an online hash cracking website such as CrackStation.

Jon’s password is alqfna22.

And this completes our 4th task.




Task 5: Find flags!

The last task is to find a few flags planted on the target.

meterpreter (search): The search command provides a way of locating specific files on the target host. It can search through the whole system or specific folders, and wildcards can be used when creating the file pattern to search for.

We need to know the following commands for this:

pwd = print the current working directory
dir = list the files in the current directory
cd .. = go back to the parent directory
cat = view the contents of a file


Voila! We have the locations of all three flags. Now we can go to each directory and view the flag contents using the “cat” command.

meterpreter (cat): Displays the contents of the file given as an argument.









Now that we’ve found the three flags, let's complete the task.
