Blue TryHackMe room

Task 1 → Recon

How many ports are open with a port number under 1000?

There are only 3 open ports under 1000.

What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08–067)

The Nmap vuln script ran three SMB checks, and only the ms17-010 check reported the host as vulnerable.
Answer: ms17-010
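The two recon answers above both come from reading Nmap output by hand. As an added example (not part of the original writeup), here is a small parser that does the same two jobs over a constructed Nmap output sample shaped like a `--script vuln` scan of the Blue host: it counts open ports below a threshold and reports which smb-vuln-* script printed `State: VULNERABLE`. The sample text, the port list and the script results are constructed for this example and are not the author's scan; the script names smb-vuln-ms17-010, smb-vuln-ms10-054 and smb-vuln-ms10-061 are real Nmap NSE scripts.

```python
from __future__ import annotations
import re

# Constructed sample of Nmap normal output (not the author's scan), shaped like
# `nmap -sV --script vuln <target>` output for a Windows 7 host exposing SMB.
SAMPLE_NMAP_OUTPUT = """\
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
"""

# "445/tcp   open  microsoft-ds ..." -> port, proto, state, service
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# "| smb-vuln-ms17-010:" or "|_smb-vuln-ms10-054: false" -> script name
SCRIPT_HEADER = re.compile(r"^\|_?\s*(smb-vuln-[\w-]+):")


def parse_open_ports(output: str) -> list[tuple[int, str, str]]:
    """Return (port, protocol, service) for every line whose state is 'open'."""
    ports = []
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            ports.append((int(m.group(1)), m.group(2), m.group(4)))
    return ports


def count_open_ports_below(output: str, limit: int = 1000) -> int:
    """Answer to 'how many open ports under <limit>' from the scan text."""
    return sum(1 for port, _, _ in parse_open_ports(output) if port < limit)


def vulnerable_smb_checks(output: str) -> dict[str, bool]:
    """Map each smb-vuln-* script in the host script results to whether it
    printed a 'State: VULNERABLE' line underneath its header."""
    results: dict[str, bool] = {}
    current = None
    for line in output.splitlines():
        m = SCRIPT_HEADER.match(line)
        if m:
            current = m.group(1)
            results[current] = False
            continue
        if current and "State: VULNERABLE" in line:
            results[current] = True
    return results


def vulnerable_bulletins(output: str) -> list[str]:
    """The ms??-??? bulletin ids whose check reported the host vulnerable."""
    return [name[len("smb-vuln-"):]
            for name, vuln in vulnerable_smb_checks(output).items() if vuln]


if __name__ == "__main__":
    print("open ports under 1000:", count_open_ports_below(SAMPLE_NMAP_OUTPUT))
    print("vulnerable to:", vulnerable_bulletins(SAMPLE_NMAP_OUTPUT))
```

On the constructed sample this reports 3 open ports under 1000 (135, 139, 445) and a single vulnerable bulletin, ms17-010, matching the two answers above; the same parser can be pointed at saved `-oN` output from a real scan to keep an inventory of which hosts still expose SMBv1 with that check positive.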

Task 2 → Gain Access

Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

exploit/windows/smb/ms17_010_eternalblue

Show options and set the one required value. What is the name of this value? (All caps for submission)

Here we need to give the exploit the target IP: set RHOSTS <target_IP>
RHOSTS

Task 3 → Escalation

If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

To get a meterpreter shell, press CTRL+Z to background the current session and return to the msfconsole prompt.
Then run sessions -u 1, which upgrades shell session 1 to a meterpreter session (the original shell session stays open and the new meterpreter session is listed as session 2).
Then run sessions 2 to interact with the new meterpreter session.

post/multi/manage/shell_to_meterpreter

Select this (use MODULE_PATH). Show options, what option are we required to change? (All caps for answer)

SESSION

List all of the processes running via the ‘ps’ command. Just because we are system doesn’t mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).

Here I am going to use PID 708.

Migrate to this process using the ‘migrate PROCESS_ID’ command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.

migrate 708

Cracking

Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

There are 2 default users and 1 non-default user:
Jon

Copy this password hash to a file and research how to crack it. What is the cracked password?

alqfna22
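The two cracking answers above depend on reading hashdump output and on one property of the NT hash it contains: an NT hash is plain MD4 over the UTF-16LE encoding of the password, with no salt, so the same password always produces the same hash and a candidate can be confirmed offline in microseconds. That is why short passwords fall to wordlists immediately and why the defensive fix is password length and limiting who can reach LSASS/SAM, not hash secrecy. As an added example (not code from the original writeup), the block below parses meterpreter hashdump lines, separates non-default accounts from the built-in Administrator and Guest, flags the empty LM hash that means LM storage is disabled, and confirms a candidate password against a dumped NT hash. The hashdump sample is constructed here (the page does not include Jon’s hash), and MD4 is implemented in pure Python because hashlib’s md4 is often unavailable under OpenSSL 3.

```python
from __future__ import annotations
import struct


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Implemented here because hashlib.new('md4')
    needs OpenSSL's legacy provider and fails on many current systems."""
    mask = 0xFFFFFFFF

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                s = shifts[i % 4]
                if i % 4 == 0:
                    a = rotl((a + func(b, c, d) + X[idx] + k) & mask, s)
                elif i % 4 == 1:
                    d = rotl((d + func(a, b, c) + X[idx] + k) & mask, s)
                elif i % 4 == 2:
                    c = rotl((c + func(d, a, b) + X[idx] + k) & mask, s)
                else:
                    b = rotl((b + func(c, d, a) + X[idx] + k) & mask, s)
        a0, b0, c0, d0 = ((a0 + a) & mask, (b0 + b) & mask,
                          (c0 + c) & mask, (d0 + d) & mask)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash: MD4 of the UTF-16LE password. No salt, no iteration count."""
    return _md4(password.encode("utf-16-le")).hex()


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string
DEFAULT_ACCOUNTS = {"Administrator", "Guest"}   # built-in local accounts

# Constructed hashdump sample (not the author's dump): user:rid:lm:nt:::
SAMPLE_HASHDUMP = "\n".join([
    f"Administrator:500:{EMPTY_LM}:{nt_hash('')}:::",
    f"Guest:501:{EMPTY_LM}:{nt_hash('')}:::",
    f"Jon:1000:{EMPTY_LM}:{nt_hash('alqfna22')}:::",
])


def parse_hashdump(dump: str) -> list[dict]:
    """Split hashdump lines into fields; lm_disabled is True when the LM
    field is the empty-password LM hash, i.e. LM storage is switched off."""
    rows = []
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        user, rid, lm, nt, *_ = line.split(":")
        rows.append({"user": user, "rid": int(rid), "lm": lm.lower(),
                     "nt": nt.lower(), "lm_disabled": lm.lower() == EMPTY_LM})
    return rows


def non_default_users(dump: str) -> list[str]:
    """Accounts in the dump that are not the built-in defaults."""
    return [r["user"] for r in parse_hashdump(dump)
            if r["user"] not in DEFAULT_ACCOUNTS]


def password_matches(candidate: str, nt_hex: str) -> bool:
    """Confirm a candidate password against a dumped NT hash."""
    return nt_hash(candidate) == nt_hex.lower()


if __name__ == "__main__":
    print("non-default users:", non_default_users(SAMPLE_HASHDUMP))
    jon = next(r for r in parse_hashdump(SAMPLE_HASHDUMP) if r["user"] == "Jon")
    print("candidate ok:", password_matches("alqfna22", jon["nt"]))
```

The MD4 routine is checked against the RFC test vectors (MD4 of the empty string is 31d6cfe0d16ae931b73c59d7e0c089c0, which is also the NT hash of an empty password) before any dump is parsed, so a wrong result points at the input, not the hash function.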

Task 5 → Find FLAG

Flag1? (Only submit the flag contents {CONTENTS}) This flag can be found at the system root.

Flag2?

Flag3?

mohomed arfath, Associate Security Engineer at Hsenid mobile