{"id":280,"date":"2023-07-25T02:40:38","date_gmt":"2023-07-25T02:40:38","guid":{"rendered":"https:\/\/infosecjake.net\/?p=280"},"modified":"2023-08-03T15:05:13","modified_gmt":"2023-08-03T15:05:13","slug":"tryhackme-relevant-walkthrough","status":"publish","type":"post","link":"https:\/\/infosecjake.net\/?p=280","title":{"rendered":"Tryhackme – Relevant CTF Walkthrough"},"content":{"rendered":"\n

First off, I’d like to say that I love how this CTF challenge is modeled off a real penetration test. The creator gives you a scope, rules of engagement, and a short background. I would encourage you to practice taking screenshots and documenting what you have done throughout this CTF. It is great practice for creating a penetration test report. Let’s start on Tryhackme Relevant!<\/p>\n\n\n\n

First, let’s start up the attack box after connecting to VPN with our Kali VM.<\/p>\n\n\n\n

\"Starting<\/figure>\n\n\n\n

We start our machine, and give it a few minutes to fully boot.

Next, lets scan the machine to see what we can find.

I\u2019ve done a simple nmap -sV -A on the IP of the machine. The switches -sV are for service detection, and -A are for OS detection.<\/p>\n\n\n\n

\"nmap<\/figure>\n\n\n\n
\"initial<\/figure>\n\n\n\n

We have several ports of interest open on the machine. We also can note that this is a Windows Server, 2008\/12\/16 based on the guesses from nmap. However, we can determine that for sure later. I have highlighted the open ports, including an HTTP service, RDP, and SMB.<\/p>\n\n\n\n

Let\u2019s start by looking at the web page hosted by the server.<\/p>\n\n\n\n

\"IIS<\/figure>\n\n\n\n

Basic IIS installation, but we should run a directory traversal tool on and possibly Nikto to see what might be here. While doing those, I\u2019m going to run another nmap scan on the SMB service, as shown below.<\/p>\n\n\n\n

\"SMB<\/figure>\n\n\n\n

As shown, this one appears to be vulnerable to MS17-010. You may already know this one as it was very widespread and made news around the world. This is Eternal Blue, and is a well-known vulnerability with SMB. Let\u2019s try to exploit it.

As noted in the description of the machine, Metasploit is not required for this machine. However, Metasploit does have an exploit for MS17-010. So, lets use it.

Type msfconsole in a terminal to load up Metasploit. Next, we are going to type \u2018Search MS17-010\u2019 to find the module we need.<\/p>\n\n\n\n

\"msf<\/figure>\n\n\n\n

We are going to use option 0, so type \u2018use 0\u2019.

Now, type \u2018options\u2019 to see what all options we need to set for this exploit.<\/p>\n\n\n\n

\"MSF<\/figure>\n\n\n\n

Highlighted are the RHOSTS, which is the victim and the LHOST which is my machine. I need to set both of those IP addresses accordingly.

You can set options with a command such as \u2018set RHOST 192.168.0.1\u2019 and that will set the ip address for RHOSTS to 192.168.0.1. However, that should be the IP of your victim machine.<\/p>\n\n\n\n

With both IP\u2019s set, lets run the exploit.<\/p>\n\n\n\n

\"Module<\/figure>\n\n\n\n

No dice. I tried this a few times, just to be sure. Sometimes the exploit may fail, so it\u2019s a good idea to try it a couple of times just to be sure.<\/p>\n\n\n\n

Since that failed, let\u2019s take a closer look at the SMB service running on the machine.<\/p>\n\n\n\n

However, our Nikto and dirb scans have finished. Let\u2019s look at those.<\/p>\n\n\n\n

\"Nikto<\/figure>\n\n\n\n

Nothing spectacular from either scans. Bummer.<\/p>\n\n\n\n

(FYI, I had started a hydra brute force on the RDP for this box and this apparently cause the box to stop responding. At this point, I had to stop & restart the box to continue. By the way, crashing a machine would be frowned upon in a real penetration test. Woops. )<\/p>\n\n\n\n

After restarting the box, we run the smbclient -L on the machine to see what shares it has.<\/p>\n\n\n\n

\"smbclient<\/figure>\n\n\n\n

Interesting, we have a share called nt4wrksv. Let\u2019s connect to it and see what\u2019s on there.<\/p>\n\n\n\n

\"Downloading<\/figure>\n\n\n\n

We connected to the share, found a passwords.txt file and downloaded it.<\/p>\n\n\n\n

Looking at the passwords file, we see they are encoded.<\/p>\n\n\n\n

\"Encoded<\/figure>\n\n\n\n

I believe that the first one is Base64, based on the == at the end. So, let\u2019s go decode it.<\/p>\n\n\n\n

I usually go to this site, https:\/\/www.base64decode.org\/<\/a>, to decode Base64. It\u2019s fast and free. You could decode them through the command line, however, this is just faster in my opinion.<\/p>\n\n\n\n

Anyways, let\u2019s decode.<\/p>\n\n\n\n

\"Decoding<\/figure>\n\n\n\n

We have a username and password. Let\u2019s try the other.<\/p>\n\n\n\n

\"decoded<\/figure>\n\n\n\n

Again, another username and password.<\/p>\n\n\n\n

Since we now have credentials that we can use, let\u2019s use Metasploit again. This time, a different module.<\/p>\n\n\n\n

\"ms17<\/figure>\n\n\n\n

With our options set and the SMBUser and SMBPass fields filled in with our first username and password. We execute the attack. This took 3 times of running it for it to create a meterpreter session.<\/p>\n\n\n\n

\"Gained<\/figure>\n\n\n\n

We now have access to the box.<\/p>\n\n\n\n

Let\u2019s find the user flag.<\/p>\n\n\n\n

\"user<\/figure>\n\n\n\n
\"user<\/figure>\n\n\n\n

Now, let\u2019s see if we can get the root flag. I\u2019m going to check the same place, except in Administrator\u2019s Desktop.<\/p>\n\n\n\n

\"root<\/figure>\n\n\n\n

There we go. Both flags with simple SMB access to the machine.<\/p>\n\n\n\n

Make sure you copy and paste your flags into the sections within TryHackMe and submit your answers. We are done!<\/p>\n\n\n\n

Hope you enjoyed the walkthrough!<\/p>\n","protected":false},"excerpt":{"rendered":"

First off, I’d like to say that I love how this CTF challenge is modeled off a real penetration test.<\/p>\n

Continue readingTryhackme – Relevant CTF Walkthrough<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":303,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[31],"tags":[33,8,7,34],"class_list":["post-280","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf-challenge-walkthroughs","tag-ctf","tag-cyber-security","tag-infosec","tag-walkthrough"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/07\/Relevant.png","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts\/280","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=280"}],"version-history":[{"count":4,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts\/280\/revisions"}],"predecessor-version":[{"id":321,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts\/280\/revisions\/321"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/media\/303"}],"wp:attachment":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=280"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=280"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=280"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}