TryHackMe: Blue

Samantha
8 min read · Oct 15, 2020

Room: Blue

Difficulty: Beginner

“Scan and learn what exploit this machine is vulnerable to. Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.

This room is not meant to be a boot2root CTF, rather, this is an educational series for complete beginners. Professionals will likely get very little out of this room beyond basic practice as the process here is meant to be beginner-focused.”

For this challenge you will have to deploy the VM from the question and then use either OpenVPN or the THM virtual machine (if you are a subscriber) to connect to it. If you need instructions for how to do that, click HERE.

Task #1

Question #1 Scan the Machine

Let’s start with an nmap scan to see what we have to work with. A few questions down it asks us what the machine is vulnerable to, so I added the --script vuln option.

This will take a short while. Eventually you will see a report like this:

This one doesn’t require an answer, but it will help us answer the next two questions.

Question #2 How many ports are open with a port number under 1000?

For this one you simply count the ports!

Question #3 What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

For this question, scroll down to the script results:

You will see that it is vulnerable to a “Remote Code Execution vulnerability in Microsoft SMBv1 servers” (CVE-2017-0143).

Task #2

Question #1 Start Metasploit

No answer needed, let’s move on.

Question #2 Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)

Remember the vulnerability we found? Let’s search for it in Metasploit:

Question #3 Show options and set the one required value. What is the name of this value? (All caps for submission).

Looks like all we have left to set is the RHOSTS. This is your target IP address (the machine you deployed from the question).

Let’s set it and then show options again to double check it is correct:

Question #4 Run the exploit!

My favorite part!

Question #5 Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.

If it looks like what I have above with meterpreter > at the bottom, ready for you to type in commands, that means you have a meterpreter shell, not a DOS shell.

This question (and the next few) assume you only got a DOS shell. If that’s the case for you, it would look like C:\Windows\system32>

Even though I seem to have skipped ahead a few steps, I’m still going to go through the motions so that you can see an example of how it would be done if you got a DOS shell.

CTRL + Z to put your session in the background. You can check your active sessions with the sessions command.

Task #3

Question #1 If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

You can now use Metasploit to search for what we need:

Question #2 Select this (use MODULE_PATH). Show options, what option are we required to change? (All caps for answer)

You can see that we need to set the SESSION in order to utilize this.

Question #3 Set the required option, you may need to list all of the sessions to find your target here.

If you need to view the session numbers, remember you can just type sessions like we did above. We should only have one running though.

Question #4 Run! If this doesn’t work, try completing the exploit from the previous task once more.

This failed for me, because I obviously did not need it.

Question #5 Once the meterpreter shell conversion completes, select that session for use.

You can get back to your other session like this:

If you originally had the DOS shell, it should look like mine now.

Question #6 Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command ‘shell’ and run ‘whoami’. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.

Question #7 List all of the processes running via the ‘ps’ command. Just because we are system doesn’t mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).

We have a huge list here:

The point is to pick a process that is running “NT AUTHORITY\SYSTEM” so we can have the same privileges as that process. We also want it to be stable. If we ended up in a browser process or something, they could easily close that and we would lose our access.

Check your PID before you even try to make the switch though, because you might already be in a decent one.

To check your PID, run this:

Question #8 Migrate to this process using the ‘migrate PROCESS_ID’ command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.

I was already in a good one (spoolsv.exe). This one runs the printer services, so I think I am cool to stay.

However, if you try to switch and it fails, yes, you have to start the whole thing over again to get back to this point.

Task #4

Question #1 Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

Check the results for your answer!

Question #2 Copy this password hash to a file and research how to crack it. What is the cracked password?

Windows stores local account passwords as NTLM hashes, and hashdump prints each account on one line, split up like so:

Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

User: Jon

Relative Identifier: 1000

LM: aad3b435b51404eeaad3b435b51404ee

NT: ffb43f0de35be4d9917ac0cc8ad57f8d

Make a file on your computer and copy/paste Jon’s hash in there. You will need to trim it down a bit so it can be analyzed by our cracker. We only actually need the NT part: the LM field above is the fixed value Windows emits when LM hashing is disabled (the hash of an empty password), so it carries no information about Jon’s password.

We will use Hashcat to crack it. Look through Hashcat’s mode list and you’ll see that NTLM is mode 1000:

Make sure you have the rockyou.txt list saved on your system before we start.

hashcat -m 1000 <hash file location> <wordlist file location>

In a few seconds we will have our password (up top after the hash).

If you’d like an easier alternative, use CrackStation.

Task #4

Question #1 Flag1? (Only submit the flag contents {CONTENTS})

Switch back over to your meterpreter shell and let’s go exploring through the file system.

A way to make this very efficient is to just use the search command. A lot of times this will easily pull up flags:

Cat the flags one by one.

Question #2 Flag2? *Errata: Windows really doesn’t like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This is relatively rare; however, it can happen.

Question #3 Flag3?

So this was definitely very beginner focused. Mostly, I just wanted the badge on TryHackMe…I’m very much a completionist. Also, it was good to brush up on NTLM hash structure.

Happy Hacking ! ❤
