Deploy & hack into a Windows machine, leveraging common misconfigurations issues.
Intro
Blue is a very easy Windows box made to introduce beginners to pentesting. Attackers will utilize a metasploit module for eternal blue, and learn some of the quirks of windows systems, metaslpoit, etc along the way.
This article is here to act as an answer key for UCR’s CPTC practice. I’ll drop the answers here so they can be checked if you get stuck along the way.
Recon
For this section, you need to use nmap to get some information on the box.
1
2
3
How many ports are open with a port number under 1000? 3
What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067) ms17-010
The nmap command I used is nmap -sC -sV -p 1-1000 $IP -o nmap. I found the answer to the other question using google.
Gain Access
1
2
3
4
Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........): exploit/windows/smb/ms17_010_eternalblue
Show options and set the one required value. What is the name of this value? (All caps for submission): RHOSTS
Something important to note here is that you MUST set the lhost to the ip address associted with your tun0 interface. To find this ip, type ip a.
Escalate
This section focuses on getting you a meterpreter session/shell (not sure what it should be called), that will give you more functionality than whatever shell you can spawn from running the exploit normally.
1
2
3
4
If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected) : post/multi/manage/shell_to_meterpreter
Select this (use MODULE_PATH). Show options, what option are we required to change?: SESSION
Cracking
For this section, you utilize your meterpreter session to get the hashes of users on the system. We have to crack the password of the user Jon. Instead of using the tool I’m assuming they hinted at - John the Ripper, I looked up the hash in an online rainbow table - Crackstation, and it was there.
1
2
3
Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user? - Jon
Copy this password hash to a file and research how to crack it. What is the cracked password? - alqfna22
Find the flags!
Rather than posting the flags, I’ll talk about the locations of the flags.
Flag 1
1
Flag1? This flag can be found at the system root.
Using the meterpreter session, change your directory to the root directory. This is the directory at the “top” of the filesystem.
cd /. From here, you can print out the flag. If you are using meterpreter, you can use cat flag1.txt. If you are using a DOS Shell, use type flag1.txt.
Flag 2
1
*Errata: Windows really doesn't like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This relatively rare, however, it can happen.
I found this one to be very misleading. I ended up googling temp file locations in Windows and going through all of those, and could not find the flag at all. Thus, I opted to use meterpreter’s search functionality.
search -f flag2.txt. This will spit out the location of the flag.
Flag 3
1
flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.
Ok, it looks like we’re going to have to go digging in user folders. Starting from the root directory, you can cd into the Users folder. Here you can type dir or ls (depending on if you are using meterpreter or not). Here, we can see the Jon user has a folder. cd Jon and inspect each folder. Looking at this Documents folder, we can find the third flag.