Blue – TryHackMe

This is a very easy box, based on the EternalBlue vulnerability (CVE-2017-0143, MS17-010).
The first thing we'll do is an nmap scan to see which ports are open and which services are running.
The flags used in the nmap scan are:
-sS - SYN scan (needs root privileges)
-sV - service version detection
-O - OS detection (also needs root privileges)
-T4 - timing template, i.e. the speed of the scan
--open - show only open ports

We notice the service running on port 445 is SMB, so we can use an nmap script to check whether the service is vulnerable to EternalBlue. The script only checks for the bug; it does not exploit it.

The flags used are:
-p - scan only the port given (445 in our case)
--script smb-vuln-ms17-010 - the nmap script to run against the target port
The output of the scan shows us the service is vulnerable to MS17-010.
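As an added example (not part of the original writeup), here is a small Python parser that reads nmap's normal text output for the scan above and reports, per host, whether port 445 is open and what the smb-vuln-ms17-010 script concluded. This is the triage a defender runs over a scan of their own network to list hosts still missing the MS17-010 patch. The scan output embedded in it is constructed for the example, not a real capture, and the addresses and banners are made up.

```python
import re

# Constructed sample of nmap "normal" output for three hosts (NOT a real
# capture): one vulnerable, one patched, one with SMB closed.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.5
Host is up (0.021s latency).

PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_

Nmap scan report for 10.10.10.6
Host is up (0.030s latency).

PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   NOT VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: NOT VULNERABLE
|_    IDs:  CVE:CVE-2017-0143

Nmap scan report for 10.10.10.7
Host is up.

PORT    STATE  SERVICE
445/tcp closed microsoft-ds
"""

# One "Nmap scan report for <host>" line starts each host block.
HOST_HEADER = re.compile(r"^Nmap scan report for (\S+)", re.MULTILINE)
# State of TCP 445 in the port table (open / closed / filtered).
PORT_445 = re.compile(r"^445/tcp\s+(\S+)", re.MULTILINE)
# Verdict printed by the smb-vuln-ms17-010 script; "NOT VULNERABLE" must be
# tried first because "VULNERABLE" is a suffix of it.
MS17_STATE = re.compile(
    r"smb-vuln-ms17-010:.*?State:\s+(NOT VULNERABLE|VULNERABLE)", re.DOTALL
)


def parse_ms17_010(nmap_text):
    """Return one dict per host: address, 445/tcp state and MS17-010 verdict.

    Hosts without a script result (e.g. SMB closed, or the script printed
    nothing) are reported as UNKNOWN rather than silently assumed safe.
    """
    results = []
    headers = list(HOST_HEADER.finditer(nmap_text))
    for i, header in enumerate(headers):
        start = header.end()
        end = headers[i + 1].start() if i + 1 < len(headers) else len(nmap_text)
        block = nmap_text[start:end]
        port = PORT_445.search(block)
        state = MS17_STATE.search(block)
        results.append({
            "host": header.group(1),
            "smb_port": port.group(1) if port else "unknown",
            "ms17_010": state.group(1) if state else "UNKNOWN",
        })
    return results


def vulnerable_hosts(nmap_text):
    """Addresses the script positively flagged as vulnerable to MS17-010."""
    return [r["host"] for r in parse_ms17_010(nmap_text)
            if r["ms17_010"] == "VULNERABLE"]


if __name__ == "__main__":
    for row in parse_ms17_010(SAMPLE_NMAP_OUTPUT):
        print(f"{row['host']:<14} 445/tcp={row['smb_port']:<8} ms17-010={row['ms17_010']}")
    print("needs patching:", vulnerable_hosts(SAMPLE_NMAP_OUTPUT))
```

By default nmap only prints the script block for hosts it found vulnerable; run the scan with --script-args vulns.showall to also get the NOT VULNERABLE lines for patched hosts, which is what lets the parser tell "checked and clean" apart from "never checked".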
Metasploit (msfconsole) already has this exploit, so let's fire it up.
To search for the exploit, type in the console:
search eternalblue
I'll be using windows/smb/ms17_010_eternalblue, since we know from the initial nmap scan that the target is running Windows 7. Let's configure the exploit. Type the following commands:
use windows/smb/ms17_010_eternalblue
You can then type show options (or just options) to see the options available.
Set the IP of the vulnerable machine with the command (IpOfTheMachine is a placeholder for the target's address):
set RHOSTS IpOfTheMachine
To exploit the target, just type exploit or run in the console.
You should see output similar to this:
Now press Enter and you'll be dropped into an OS shell. You can get a flag from the Documents folder of the user Jon.
To have more tools at hand, we'll upgrade our OS shell to a Meterpreter shell. Background the session with CTRL+Z, and search for the shell_to_meterpreter post module.
Use the module mentioned above, set the session to 1, and type exploit (or run) to upgrade from the OS shell to a Meterpreter shell.
To get NT AUTHORITY\SYSTEM (the privileged/admin user) we can use the Meterpreter command getsystem, which tries to escalate privileges for us automatically.
The other flags are in C:\ (flag1) and in C:\Windows\System32\config, which is the actual location of the SAM database.