Hello everyone, my name is John Hammond and this is another TryHackMe video, because I know a lot of you guys have been loving that lately, and I want to get back at it. So let's dive in. I'll hop over to my computer screen here so you guys can follow along, and I'm gonna be tackling the Blue machine from TryHackMe. It's kind of an easy one. It's got a lot of users and it's really, really well known; it's kind of a good staple of TryHackMe. The description is "deploy and hack into a Windows machine, leveraging common misconfiguration issues," so let's go check this out. It has a nice... I like this, like, default Windows XP banner. I love that. And we can go take a look at what this machine is. It's showcasing the EternalBlue exploit, or MS17-010, however you want to say that. Now, that is the exploit that kind of pseudo got released from the NSA with the Shadow Brokers thing, and eventually kind of made for that whole WannaCry ransomware, so it's a big deal. It breaks into a whole lot of Windows machines with some SMBv1 stuff, and the misconfiguration will essentially just grant you SYSTEM access: if you can point it at the machine and SMB is open, then you can go ahead and roll through it. So anyway, let's dive into it. This machine was created by DarkStar; he's one of the admins over there at TryHackMe, cool guy. And the sequel to this machine, oh, I want to tackle that, is Ice. That's another rendition of this sort of thing that I definitely want to make a video on as well. So anyway, let's join this room and we can go ahead and deploy the machine so we can go ahead and access it. I'll hit that big green button to deploy, and let's go ahead and create just a folder for us to work in. I'll dive into my terminal here, move into the TryHackMe directory, and I will sudo openvpn our VPN key so we can go ahead and connect to that TryHackMe network and then reach the machine. I'm using Terminator.
That's how I'm splitting my screen, and I'll move the VPN way up to the top there. Let's make a directory for us to work in; I'll call it blue, just the name of the box. And I will get started with the README, because I think that's a good thing to do. You can kind of take notes of everything that you're working on. I like to include my name and the date just because, hey, this is good note-keeping for myself. And then we can go ahead and get started. So what is asked of us? We have the machine here, the IP address, so I'll include that in our notes, and let's go ahead and make sure we can access it. I don't know if we can; maybe it's not up yet, or, because it's Windows, maybe ping is turned off. We can give it a little bit more time, or we can just go take a look at what these challenges for us are. This says "scan the machine; if you're unsure how to tackle this, I'd recommend checking out the room for the red path and Nmap." You can totally take a hint here. Again, the whole idea is to learn; TryHackMe is super duper friendly in that regard, that they'll willingly give you write-ups right away, even if you haven't solved the machine. They're just all about learning this thing, and that's what we're here to do. So let's go back to it and see what we're working on. Scan the machine. It suggested using nmap, and I'll do that as well. Maybe we're not getting any pings back just yet. So anyway, let's make an nmap directory. Let's go ahead and nmap. I'll use -sC -sV to enumerate versions. I also want to output this to an nmap format, because I think that's good to have in our notes. And we still have our IP address in our clipboard, so I can just go ahead and paste that in. I'm getting a lot of YouTube notifications over here. It might be down, or it's just not seeing pings, so let's add -Pn in there to kind of disregard those and just scan it anyway. Maybe the machine's just still not up, but I'll see if our ping is coming back. Still not... oh, there we go. There we go.
Now it's back. Okay, I guess we don't need that -Pn regardless. That's a good quick and easy one to just say, nmap, I don't care about your ping, just go ahead and hammer the thing, scan it. It's asking us to just scan the machine. Okay, so we can mark that as complete because we are running our nmap scan. It says, how many ports are open with the port number under one thousand? So nmap will go ahead and scan kind of the most common thousand ports, I think it is. I don't know if it goes all the way up to a thousand, but anyway, we'll see what results we get from nmap once that scan is done, and we can go ahead and work with it. It says, what is this machine vulnerable to? Enter in the form of MS-blah-blah-blah, an example of that. Okay, so, uh, I will just discuss here for a little bit of learning. I added an extra one there, "msf", excuse me, "ms". I'm not talking about Metasploit here. SMB server, this knowledge base, MS17-010, critical, is about EternalBlue. So this affects a lot of Windows machines and it will immediately give you critical remote code execution, so kind of a big deal. Um, we can see where to track it down within Metasploit, and the TryHackMe room is really, really good about actually giving you that information. Again, TryHackMe is all about kind of guiding you and making sure that you learn, so that's a big plus. Okay, now our nmap scan has returned. We see some information here. We have these, and 445 isn't even showing right now, kind of an oddball. Maybe we should get a little bit more of that.
Anyway, we can take a look at what we have here. We are still seeing some SMB OS discovery, so we've got Windows 7 Professional Service Pack 1. Looks like the computer name is Jon-PC; that might be a username, potentially. We could totally take advantage of that if that is in fact a username. And all these RPC ports, you may or may not kind of consider those real; if what you're working through, you don't need those entirely. But 135 for MSRPC and 139 are pretty common between NetBIOS, and you'll see that a lot on Windows machines with SMB running and open. Okay, that second nmap scan returned for us. I just wanted to do that one more time because I wasn't seeing 445 open, and it looks like we also have 3389. So that's just kind of me knowing, hey, this machine is all about SMB and EternalBlue. So it looks like we could use 135, 139, 445 and 3389. It's asking for under a thousand as the answer there, so it looks like we only want those three ports. So let's go ahead and submit that, number three, and TryHackMe will tell me, sweet, that's the correct answer. What I'm gonna do again, just for my note-keeping, is just kind of save this and slap it into our README. Let's just say some code block here; we'll just include that. And we could say, what is this machine vulnerable to? So answer in the form of all of these things. And what I want to show you, if you don't already know, is that nmap can do some crazy cool things with its scripting engine. So you can use --script, and you can also specify what kind of script you want to run from that. So you can use smb, and smb with a prefix with kind of an asterisk or a wildcard here will run everything that could be used as a script under that smb family. So let me go ahead and fire that off, and I think I could track down, like, NSE scripts. There we go.
Yeah, so there are tons of these over in /usr/share/nmap/scripts in my case: scripts all about VNC, all about TFTP, all about FTP, tons and tons of Nmap Scripting Engine scripts that you can go ahead and check out and see what they're really doing. Let's look for those that have smb in the name. So it'll look through all of these different things; 17-010 is hopefully what it will trigger on. But let's take a look at what that script actually is and what it's doing. So we'll fire that up in Sublime Text. Looks like this is some cool, cool stuff. And if you want to do more research on the Nmap Scripting Engine, you absolutely could; just a quick Google search to know what that sort of thing is, and it'll explain, hey, this is one of the coolest things that nmap can do. What is all of it? You can obviously write your own, you can grab some others, but you'll typically want to activate it with --script if you want to use a specific script. And I ran a few of those with -sC, which is why you were able to see those results from the smb host discovery or the smb security mode, etc. It's at a runtime; it didn't go for anything that might have been intrusive or might do actual vulnerability scanning. So that's why, when we're looking with smb as a prefix, we'll also scan for that smb-vuln. Just there we could use that as well; we could have used smb-vuln* and then we might be able to get more specific stuff tailored to those results. We could simply run what we, or what I'm kind of guiding you to, the answer here: that it is vulnerable to MS17-010, or EternalBlue. So okay, that nmap scan is taking way too long. Um, so we could drill down to use a specific one if we wanted to, just kind of being certain that, hey, this is what we're going to be working with. Um, we could run nmap --script equals that guy on our IP address. You can see I've been, hey, trying to check the status of that one, and it was just taking longer and longer and longer.
So we could let that go. Um, let's grab this syntax, because we know that that's going to be the correct answer for what our TryHackMe room will be looking for, so we can go ahead and submit that. Perfect. And now we can move on to task two, which says gain access: exploit the machine and gain a foothold. It says start Metasploit, so we can go ahead and do that with msfconsole. And it looks like our quick nmap scan had run just fine, so it is vulnerable to our MS17-010 vulnerability, remote code execution in SMB version 1, and it is clearly vulnerable, with severe, high risk, critical remote code execution vulnerability. We can go ahead and abuse this because we do have Metasploit with a module that has that intact. Um, let's go ahead and clear that terminal out, and we'll wait to see if that big one finds any other vulnerabilities for us. But msf needs to go ahead and spin up its own database and some web account stuff, or whatever the things that it does. I tend to just kind of whack Enter every time it needs to do that and just, like, please give me my prompt. And it will start the Metasploit Framework console. So we can say, yep, yeah, we did that, fantastic. And it says, find the exploitation code we will run against the machine. What is the full path of that code? So we need to find the Metasploit module that can go ahead and exploit this vulnerability, MS17-010 or EternalBlue. So what we could do is we could literally search for MS17-010, or you could search for EternalBlue if you don't happen to have that kind of knowledge base tag memorized. And there are a lot of options here. We have some auxiliary scanners that will simply verify, hey, is this going to be vulnerable to that? And we could use that if we wanted to. Um, if you check out the options for what this has, it should just kind of ask for the RHOSTS.
That's really the only one that's kind of necessary. So I will go ahead and say, yeah, let's set our RHOSTS to... I'll go grab the IP address here, spit that in there, hit run, and then our plan, our auxiliary scanner, will work through and say, hey, that is pretty likely vulnerable to that. Anyway, that's just scanning it, kind of the same thing that nmap did. I think you can safely scan for MS17-010 vulnerabilities without actually beating up the machine, because using the exploit for EternalBlue over and over again can sometimes cause a blue screen and kind of knock the box over. So anyway, we had scanned for EternalBlue, we had searched for it, so we could potentially find some exploit that will work here. We could just simply use kind of the most common one, exploit/windows/smb/ms17_010_eternalblue, and that is kind of the one that is, okay, average ranking. I do tend to see the psexec rendition of it, which I think is the one that uses named pipes and is a little bit more stable and reliable. But anyway, let's go ahead and fire off this one, because I think that's what it's asking for. We can go ahead and submit that, and yeah, that's all we need. So let's go ahead and use that module. We can check out the options to see what we need to supply. Looks like RHOSTS is the only one that is still a required parameter that doesn't have a setting. RPORT is required, but that is by default 445, where SMB, Server Message Block, typically listens. And it will go ahead and verify the architecture and target, etc., etc. Anyway, we will need to go ahead and set that RHOSTS, but that is what this next question is asking for. It wants it in all caps, so we can go ahead and submit it. And let's set that RHOSTS, which I have in my history. Let's hit run, or exploit; that will go ahead and fire this off. It will check it, determine that it is vulnerable, and it will kind of spam along, send the exploit... Let's go ahead and hit completed.
Yep, we did successfully run the exploit. And so to confirm the exploit has run correctly, you might need to press Enter for the DOS shell to appear, and we can background that. Okay, so looking back at our exploit now, we do have kind of this WIN notification here, that we successfully were able to exploit it, and we do have a command shell open on the target, on the box. You can see I'm in that C:\Windows\System32 directory. I do have cmd.exe, DOS execution, and I can enter commands and do things on that target machine. So I could kind of jump around a little bit, type in whoami, looks like I am NT AUTHORITY\SYSTEM. So we have full control over this machine just from that single exploit, and now we could see what else we wanted to do. It's a good idea at this point to try and escalate our shell, or upgrade our shell, because we have just regular cmd.exe. We're a little limited in what Metasploit could actually allow us to do, because if we were to be using the Meterpreter shell, we could upload and download files, we could run some post-exploitation tools or scripts or other Metasploit modules. So that's something that we really want to do. So we can background, as they said, with Ctrl+Z, and that might actually, depending on your shell, background the entire Metasploit program. So what I tend to like to do is just enter the command background, and now that will read, okay, that's something that we're actually going to background. Let me get back to that session and show you that one more time, interacting with session one. Okay, so background is not normally a command that cmd.exe would understand, typically, in the Windows world. But because we're running within Metasploit, Metasploit will see that and understand it: okay, oh, you do want to background and go back to your regular msf prompt. So now we could run something like shell_to_meterpreter to actually upgrade and escalate our shell. So if you wanted to, you could literally just run, or use, shell_to_meterpreter.
TryHackMe goes through a little bit of a good explanation as to what you could be doing with that, here in their tasks. That's over in the escalate section here. I've already filled a little bit of this out because I needed to restart some recording, because the box is a little bit unstable. The free version makes this a little bit hard to do on TryHackMe, and I know obviously the EternalBlue exploit itself might damage the machine a little bit; that's going to hurt. So we could be using that post/multi/manage/shell_to_meterpreter module, and that is what Metasploit's going to recommend for us when we try and use shell_to_meterpreter. But just to make it a little bit easy on typing there, we don't need to include that entire path; Metasploit knows that's so common, it'll go ahead and use that for us. So it puts us immediately in that module context. Now, the thing that we need to actually specify when we're working here is the session option, because it needs to know: what session are you actually going to end up using? What session are you going to use that is right now a regular shell, cmd.exe, that we want to upgrade to Meterpreter? So we could set our session to any of the sessions that we have active right now. In our case, we'll want to use the ID, just that number one here, for that is our first shell that's open. So I could say set session 1, and then we could go ahead and hit run. I also learned another cool trick: you could use sessions -u, and that will go ahead and upgrade that with the session ID. If we hit Enter on that... excuse me, sessions. I don't know why I do that all the time. It'll go ahead and automatically figure out, okay, this is what you're trying to do with the multi/manage/shell_to_meterpreter session, and it will go ahead and start the reverse TCP handler. It'll wait to go ahead and catch that and start a new exploit for you, and then you'll eventually have the Meterpreter callback. Uh, hopefully, right? We could check out sessions, and right now...
We don't have anything called back just yet. We could try and interact with our session number one. whoami. Okay, and that's still alive, thankfully, so we can background that. And it looks like, okay, now it's finally coming along, and that sessions -u worked for us just as well. Or we could very well have just hit run or exploit from within the context of our exploit, uh, post/multi/manage/shell_to_meterpreter. Anyway, now we can go check out our sessions, because you see it opened session number two, which is running Meterpreter. So we could sessions -i to interact with number two, and now you can see I am inside a Meterpreter prompt. I can getuid, which is kind of their equivalent to the whoami command; you can see we are still NT AUTHORITY\SYSTEM. Awesome. So we could say, yep, we ran all that, entered the session there, ran it. We might have needed to re-exploit the machine if things kind of fell apart, which it did in my case. So I know this one is a little bit sensitive and kind of broken. Verify that we've escalated to NT AUTHORITY\SYSTEM; you can run getsystem to confirm this. So let's go ahead and do that. getsystem will kind of, by default, try a couple different avenues and routes to determine or find some way to get the NT AUTHORITY\SYSTEM account, maybe do some UAC bypass or other things, or pipe impersonation. In our case, we already were NT AUTHORITY\SYSTEM.
So we wouldn't need to run that, but again, confirm. So feel free to open a DOS shell via the command shell and run whoami. So we could do that: shell will let you into a small command prompt here, in which you can hit whoami, and then you could Ctrl+C to break out of that, and it'll terminate that channel and throw you back into your Meterpreter session. So say that's done. List all the processes running via the ps command. Just because we are SYSTEM doesn't mean our process is. Find a process toward the bottom that is running as NT AUTHORITY\SYSTEM and write down the process ID in the far left column. Okay, so just some learning, just some kind of understanding of what Metasploit and Meterpreter is doing. If I run ps, you can see the process listing here: the parent, or excuse me, the PID, the process ID, and the PPID, the parent process ID, the name that's running, the session, architecture, user, etc., and where that's running from. So if you wanted to, if it were kind of an unstable connection, or you wanted to move to something else, you could use the migrate command. migrate's pretty awesome, because you could migrate into another process; your Meterpreter session in memory could move and pull into something else. If you want to use -N, that'll let you specify a better one, at least enter it by the name rather than just the process ID, because sometimes running ps and trying to track it down can be a little annoying. So I like to migrate, capital -N, winlogon.exe. That's normally a safe bet; that's always running and still has some pretty crazy privileges, etc. So once that's going, we can say that that is completed. Oh, and they're actually asking us to migrate with migrate <process ID>, fantastic. Note that that may or may not work; migrating processes sometimes can be tough, but it looks like ours ran successfully. So perfect. All right.
Now we can do some interesting things. We can go ahead and crack some information. Dump the non-default user's password and crack it: within our elevated Meterpreter shell, run the command hashdump, and that will dump all the passwords of the users on the machine, as long as we have the correct privileges to do so. So we could go ahead and run a hashdump, and you can see that there is another user, Jon, in here, J-O-N. And we did see that earlier when we were looking at some of our nmap scan results, so looks like that is the answer there: what is the name of that user? Copy this password hash to a file and research how to crack it. What is the cracked password? Okay, and we have his hash here. So I might actually just see if I can crack that with something online, just to make a quick, easy one: CrackStation, I think, can handle some NTLM stuff. So let's go ahead and paste that in, I am not a robot, and it doesn't know what it is. So let me remove just that preceding section, because that might be the empty string. Okay, yeah, so alqfna22 is apparently his password. Great, we can go ahead and submit that, and we should probably be documenting everything that we've been doing, but hey. Hey, Jon's password, and that is with no h in Jon's name. Okay, so now that we've got that cracking section done, we want to find flags. There are three flags planted on this machine. Uh, flag one. Okay, it doesn't really give us any information. Um, check out the hints: "Can you see it?" I don't know what that means. Oh, it might actually be referring to the C drive, because if we check out our current working directory, we are in C:\Windows\System32, but if we move all the way back to C:\, you can check out the directory listing and we do have a flag1.txt file there. Okay, so we could cat that out, flag1.txt, and the flag is "access the machine". Okay, fantastic. It looks like it just wanted us to submit the inside part, in between the curly braces.
So let's submit that. And then flag two. Errata: Windows really doesn't like the location of this flag and can occasionally delete it; it may be necessary in some cases to terminate/restore the machine and rerun the exploit to find this flag. This is relatively rare; however, it can happen. Okay. I wrote this... "I wish I wrote down where I kept my password. Luckily, it's still stored here in Windows." Okay, so this might be stored in the SAM configuration, right? So, um, Windows SAM location, we could Google that. That is kind of the path that has all of the hashes that are stored for usernames and for users on the system. It's in C:\Windows\System32\config. So we can see if that exists: C:\Windows\System32\config. I'm using forward slashes here so I don't have to use a, excuse me, the double backslash escape, because you need to in that we're working in Ruby, so you need to supply two backslashes if you actually end up using a backslash. dir, let's see what we got. Oh, there's a flag2 file here. Fantastic. Nope, it's not really there. Wait, did I type that right? flag2, flag2.txt. There we go: "sam database elevated access", cool. Thank goodness, because when I did this originally that flag was not there, and I was like, how am I going to show this in a video? So cool, that one's good. And flag three.
Okay, so let me showcase something that I actually kind of wanted to, um, in this video, for this section, because Meterpreter has something awesome called search, where you can search for files here. And if you don't know how to use it, you can use search -h. You can search inside a directory recursively, or for a specific pattern. You typically use -f, and you can use the wildcard, or the asterisk, to glob things. By default, I think it starts either from where you are or from where you're going, but, and more, it can do the entire file system. So we'll search for things that start with flag, right, or flag.txt. And since I have a number in there, we could use flag*.txt, maybe. So let's do that. Let's use search -f flag*.txt, and maybe this will track down where we found that flag one and that flag two, and it could tell us where flag three is. So this might take a little bit of time. I'm going to let this run, and we'll see if it actually gets new results, or if it's going to use from our current directory or not. It probably has to cache, like, just about everything, so maybe this will take some time. Okay, so it looks like it found those flags there. It found flag one right where we found it earlier; looks like it also found flag two right where we were; and it found flag three in the Documents of that Jon user. So we probably could track that down if we did our own enumeration, manually looking, for seeing, hey, what's in this user's directory? What stuff does he have? etc., etc. But there is flag three. So we could go ahead and try and cat that out, and I'll just show you that quick issue, where we are not going to be able to find that file because we're using backslashes. So we'll need to specify two backslashes in order to escape them and actually be able to read that out. So "flag admin documents can be valuable." We can go ahead and grab that, paste it in here, and with that we have completed everything in the room, and it says congratulations.
We did it. You completed that run. So that's that. You could also, and I found this kind of interesting earlier when my flag two didn't spawn for me when I did this originally, I would search and I tried to look for things that didn't have that .txt extension, and eventually I was able to find something that was an .lnk file, or like a shortcut. And that was pretty cool, because looking at that specific file, it would actually tell me, hey, this is the path, this is the location for that flag number two. So even without using that search function, and flag two not spawning when I did this originally, then I could still know, okay, that's where that flag location actually is, without looking at the hint, without, I don't know, looking at write-ups, etc., etc. So I hope those are some good nuggets. I hope those are some good tidbits for you. Once this returns, I'll show you that technique. Okay, there we go. Now we got our results back. We saw the flag1.txt itself, flag2, flag3 .txt itself, etc., but we were able to find these .lnk files, which are acting like small shortcuts for us. So this file did stay intact when I previously did this and that flag2 file hadn't spawned for me. So what I had done, and I'll show you this, is just simply cat this out, and type this out. Again, if I copy and paste, I need to throw in these escaped backslashes; use a pair of them here. And now you'll see a lot of nonsense, right? Because a lot of this isn't printable characters. It's kind of like a compiled binary, not a compiled file, right?
But it's using some raw bytes that aren't printable, and we could see, oh, this is the current path: Windows\System32\config\flag2.txt, and that is where that would actually be stored even if that flag hadn't spawned. So kind of cool, good trick. I hope that search -f syntax can be handy for you inside Meterpreter, and maybe you hadn't heard of that before. I hope that's, uh, what we're doing here, what we're learning for this video. So that's that; that is the Blue machine from TryHackMe. Sorry for kind of the bumps in the video editing on this. I, I needed to redo this a little bit of time, and then someone started, like, mowing their lawn outside, and it was just awful. I rage quit a little bit. But thank you guys for watching. I really recommend, if you're playing a CTF or you're doing some cheesy pen test video game, not a video game, just a hack quest competition, a king of the hill event, I don't know what you're doing, but if you see a Windows machine, if it looks kind of old, if it's got 445 open, if SMB is open, listening, maybe it's SMBv1, it's worth the try: check that auxiliary script, determine if it's vulnerable, and then fire away for EternalBlue. It's a quick and easy win, and that's pretty awesome. So thank you guys so much for watching. I really hope you enjoyed this video. If you did, please do press that like button; if you didn't like the video, I don't know what to say. All right. Thank you guys. I appreciate it. Like, comment, subscribe, the YouTube algorithm thing. See you on Discord, Twitter, Facebook, LinkedIn, Instagram, all those internet things. Bye. I love you. I'll see you in the next video.
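As an added example, not code from the video or from TryHackMe: a small Python triage script for the nmap side of what was shown, using the same -sC -sV --script smb-vuln* flags (plus -oX for XML output) and parsing the result to answer the room's two questions per host, open ports under 1000 and whether smb-vuln-ms17-010 reported VULNERABLE. The sample XML is constructed and its addresses are placeholders; a defender can run the identical scan over their own subnet and feed the XML in here to find SMBv1 hosts to patch or isolate.

```python
"""Triage nmap XML output for MS17-010 (EternalBlue) exposure.
Added example for the walkthrough above; not code from the video or
from TryHackMe.  It parses the XML written by the scan the video runs
(nmap -sC -sV --script smb-vuln* -oX blue.xml <ip>) and answers, per
host, the two questions the room asks: how many open TCP ports sit
below 1000, and did smb-vuln-ms17-010 report the host as VULNERABLE.
"""
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML layout, modelled on the Blue box in the
# video (135/139/445/3389 open, Windows 7 SP1, MS17-010 vulnerable) plus
# one patched host.  The addresses are placeholders, not real targets.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sC -sV --script smb-vuln* -oX blue.xml">
  <host>
    <status state="up"/>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="49152"><state state="open"/><service name="msrpc"/></port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Windows 7 Professional 7601 Service Pack 1"/>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution in Microsoft SMBv1 servers (ms17-010)">
        <table key="ms17-010"><elem key="state">VULNERABLE</elem></table>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.10.10.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""


def triage_host(host):
    """Return (ip, sorted open TCP ports below 1000, ms17_010_vulnerable) for one <host>."""
    addr = host.find("address[@addrtype='ipv4']")
    ip = addr.get("addr") if addr is not None else "?"
    low_ports = sorted(
        int(p.get("portid"))
        for p in host.iter("port")
        if p.get("protocol") == "tcp"
        and p.find("state") is not None
        and p.find("state").get("state") == "open"
        and int(p.get("portid")) < 1000
    )
    vulnerable = False
    for script in host.iter("script"):
        if script.get("id") != "smb-vuln-ms17-010":
            continue
        # Prefer the structured <elem key="state"> the NSE script emits and
        # fall back to its free-text output; nmap usually omits the script
        # entirely for hosts that are not vulnerable, so absent means no finding.
        state = script.find(".//elem[@key='state']")
        text = state.text if state is not None else script.get("output", "")
        vulnerable = (text or "").strip().upper().startswith("VULNERABLE")
    return ip, low_ports, vulnerable


def triage(xml_text):
    """Parse one nmap XML document and triage every host in it."""
    return [triage_host(h) for h in ET.fromstring(xml_text).iter("host")]


def report(xml_text):
    """One summary line per host; returned (not just printed) so it can be checked."""
    lines = []
    for ip, low_ports, vulnerable in triage(xml_text):
        verdict = "VULNERABLE to MS17-010: isolate and patch" if vulnerable else "no MS17-010 finding"
        lines.append(f"{ip}: {len(low_ports)} open port(s) under 1000 {low_ports}; {verdict}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_XML):
        print(line)
```

For a real sweep, replace SAMPLE_XML with the contents of the -oX file; the first host in the sample reproduces the video's answer of three ports under 1000.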