RECONNAISSANCE

From a reconnaissance point of view there isn’t much to do except noting down the IP address of the machine. You can also download this room as a virtual disk file and run it on an instance of VirtualBox or VMware. Another thing to be mindful of is that the machine takes some time to boot, so try pinging it before moving on to an nmap scan.

SCANNING AND ENUMERATION

I went ahead with an aggressive scan while also utilizing nmap’s scripting engine to fire up the scripts in the vuln category. The command was nmap -n -Pn -T5 -A --script=vuln <IP_Address>, wherein the arguments are:

  • -n: To turn off DNS resolution
  • -Pn: To skip the host-discovery ping and go straight to scanning, as I knew it was alive
  • -T5: To increase the timing to the fastest template
  • -A: To perform an aggressive scan, which combines the default scripts, OS fingerprinting and service/version detection of the open ports
  • --script=vuln: To run the group of nmap scripts that check the target for potential vulnerabilities

This essentially provides us with the answer for Task 1:

1. Scan the machine – Done
2. How many ports are open with a port number under 1000? – 3 which are 135 (msrpc), 139 (netbios-ssn) and 445 (microsoft-ds)
3. What is this machine vulnerable to? – ms17-010, which is conveniently reported under the VULNERABLE heading of the script output. If you google this vulnerability you’ll find its name, EternalBlue, hence the name of this machine.
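To turn the scan output into the Task 1 answers mechanically, here is an added example (not from the write-up) that parses nmap’s -oX XML output: it collects the open ports under 1000 and picks out host scripts that reported VULNERABLE. The XML excerpt and the address 10.0.0.5 are constructed to mirror the scan described above.

```python
import xml.etree.ElementTree as ET

# Constructed nmap XML excerpt modelled on the scan above; the ports and
# service names match the write-up, the script output text is a stand-in.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="49152"><state state="closed"/><service name="unknown"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)"/>
      <script id="smb-vuln-ms08-067" output="NOT VULNERABLE"/>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_scan(xml_text):
    """Return one dict per host: address, sorted open (port, service) pairs, vulnerable script ids."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        open_ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports are not counted
            svc = port.find("service")
            open_ports.append((int(port.get("portid")), svc.get("name") if svc is not None else ""))
        vulns = []
        for script in host.findall("hostscript/script"):
            out = script.get("output", "")
            # the vulns NSE library prints "VULNERABLE:" for hits and "NOT VULNERABLE" for misses
            if "VULNERABLE" in out and "NOT VULNERABLE" not in out:
                vulns.append(script.get("id"))
        hosts.append({"addr": addr, "open_ports": sorted(open_ports), "vulns": vulns})
    return hosts


def open_ports_under(host, limit=1000):
    """Open ports on one host with a port number below the limit (Task 1, question 2)."""
    return [p for p in host["open_ports"] if p[0] < limit]
```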

EXPLOITATION

Since we know what the vulnerability is, the next step is to exploit it with metasploit. Use the search command to look for modules which could help us in leveraging it to gain a shell on the system.

We can use the first result, exploit/windows/smb/ms17_010_eternalblue. Use it and execute the show options command to look at the fields which need to be set. The only field which needs to be filled in is RHOSTS, which takes the IP address of the machine. Before running this module we need to manually define the payload for it; TryHackMe suggests a simple command shell, windows/x64/shell/reverse_tcp. However, a better option is a more capable payload such as meterpreter, windows/x64/meterpreter/reverse_tcp.

So once you’ve selected your payload of choice it’s time to run the exploit, sit back and watch the magic. At this point we have also completed Task 2:

  1. Start Metasploit – done with the command msfconsole
  2. Find the exploitation code we will run against the machine – exploit/windows/smb/ms17_010, which was discovered with the help of the search command
  3. Show options and set the one required value – RHOSTS was the only one that needed to be filled in
  4. With that done, run the exploit! – done with the run command
  5. Confirm that the exploit has run correctly – done when we get our shell back

POST EXPLOITATION

Now at this point you would get back either a Windows shell or a meterpreter shell, depending on your chosen payload. If you chose meterpreter then you can skip the following steps; however, if you chose the Windows shell we’ll have to upgrade it to meterpreter to gain some added functionality.

To do that we’ll have to select a post-exploitation module, which is accessed from the msf6 console. To get back to it you can either execute the “background” command or press Ctrl+Z. Now search for the module named post/multi/manage/shell_to_meterpreter and use it. If you execute the show options command you’ll see that you need to fill in the SESSION field. For this you need to know your session number, which can be queried with the sessions -i option. Fill in the SESSION field accordingly and run it. To switch back to your shell you can use the sessions -i <session_number> command.

PRIVILEGE ESCALATION

To check your privileges you can use the getuid command. The next step is to escalate your privileges to administrator, for which we’ll use the getsystem command.

From here we’ll migrate to another process to gain a stronger foothold. This is done so that our access persists even if the host closes the process we landed in, so we migrate to an important process such as winlogon.exe or lsass.exe which is less likely to be closed. To do this execute the ps command, which provides a list of the processes running on the system along with their details.

Note the PID (process ID) of a process whose user is NT AUTHORITY\SYSTEM, which is Windows’ way of saying that it is an admin process. Now you’ll use this process ID to move into that process. The command for that is migrate <process_ID>.

Task 3 has been completed:

  1. If you haven’t already, background the previously gained shell – done with background or Ctrl+Z
  2. What option are we required to change? – SESSION
  3. Set the required option, you may need to list all of the sessions to find your target here – done with sessions -i
  4. Run – done with the run command
  5. Once the meterpreter shell conversion completes, select that session for use – done with sessions -i <session_id>
  6. Verify that we have escalated to NT AUTHORITY\SYSTEM – done with the getuid command
  7. List all of the processes running via the ‘ps’ command. Find a process that is running as NT AUTHORITY\SYSTEM – done
  8. Migrate to this process – done with the command migrate <process_id>

PASSWORD CRACKING

The next step is to obtain the system’s passwords, which would allow us to log in to it directly. For this we can use the hashdump command, which dumps the usernames and hashed passwords for us. There are several ways to crack them: an automated way is to submit them to crackstation.net, but if you love the terminal like me and don’t want to leave it, there are solutions for folks like us too. You can use either hashcat or John the Ripper. When you run john on the dump you’ll get a message saying that the hashes are in the NT and LM formats while it defaults to LM, and it will be unable to crack them. Therefore you’ll supply it the format as NT along with a dictionary such as rockyou.txt.
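To see why john complains about NT and LM, here is an added example (not from the write-up) that parses hashdump’s user:rid:lm:nt::: lines, flags the empty-LM sentinel that makes the LM field useless on modern Windows, and emits user:hash lines in the form john --format=NT accepts. The RIDs and NT hashes are constructed placeholders, not the room’s real values.

```python
import re

# LM hash of the empty string: what hashdump shows when LM hashing is disabled,
# so john's default LM mode has nothing real to crack.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed hashdump output; RIDs and NT hashes are placeholders only.
SAMPLE_HASHDUMP = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_hashdump(text):
    """One dict per account, noting which john format can actually be used."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a pwdump-style line
        user, rid, lm, nt = m.groups()
        lm_present = lm.lower() != EMPTY_LM
        entries.append({
            "user": user,
            "rid": int(rid),
            "lm_present": lm_present,
            "nt": nt.lower(),
            # LM is only worth trying when a real LM hash is stored; otherwise use NT
            "john_format": "LM" if lm_present else "NT",
        })
    return entries


def john_nt_lines(entries):
    """user:hash lines for john --format=NT (the LM field is dropped)."""
    return [f"{e['user']}:{e['nt']}" for e in entries]


def non_default_users(entries):
    """Accounts that are not built-in: Windows assigns RIDs from 1000 to created users."""
    return [e["user"] for e in entries if e["rid"] >= 1000]
```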

This marks the completion of Task 4

  1. What is the name of the non-default user? – Jon
  2. What is the cracked password? – alqfna22

FINDING FLAGS

In this particular task we know that the flags are named flag followed by a number followed by .txt, e.g. flag1.txt, flag2.txt, etc. We can leverage this and find all of the flags in one go.

1. Open a command prompt and cd to the root of the C: drive. Then use the following command to search the whole filesystem for the flags: dir /S flag*
2. Another approach is to create a file containing a listing of the whole filesystem. This file can be saved as .txt and searched through using Notepad’s find function. The command for it would be tree /d > C:/Users/Jon/file.txt
3. The slowest method is to search for them using Windows Search.

Task 5 is completed:

1. Flag1.txt – flag{access_the_machine} found in the root directory of C:
2. Flag2.txt – flag{sam_database_elevated_access} found in C:/Windows/System32/config
3. Flag3.txt – flag{admin_documents_can_be_valuable} found in C:/Users/Jon/My Documents