Search
[
Write
](https://medium.com/new-story?source=---two_column_layout_nav---------------------------------- )
[
](https://medium.com/me/notifications?source=---two_column_layout_nav---------------------------------- )
TryHackMe: Blue CTF Writeup [
](https://dollarboysushil.medium.com/?source=post_page-----6eb0fe0e26bf-------------------------------- )
dollarboysushil
5 min read
·
Just now
[
](https://medium.com/plans?dimension=post_audio_button&postId=6eb0fe0e26bf&source=upgrade_membership---post_audio_button---------------------------------- )
This room is not meant to be a boot2root CTF, rather, this is an educational series for complete beginners. Professionals will likely get very little out of this room beyond basic practice as the process here is meant to be beginner-focused.
Link to lab: https://tryhackme.com/room/blue
For any correction / query /suggestion contact onInstagram dollarboysushil Twitter (X) dollarboysushil Youtube dollarboysushil
Scan the machine. (If you are unsure how to tackle this, I recommend checking out the Nmap room)
nmap -sC -sV {IP} to scan for the ports sunning in the machine.-sC runs default scripts-sV runs version detections.-oN flag to output the result in a file
nmap result.
How many ports are open with a port number under 1000?
What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08–067)
Ans: ms17–010 .
Searching Windows 7 Professional 7601 Service Pack 1 microsoft-ds on google shows that the machine is vulnerable to iternalblue or ms17–010
Start Metasploit
Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/……..)
Ans : exploit/windows/smb/ms17_010_eternalblue
Run metsploit msfconsolesearch eternal blueexploit/windows/smb/ms17_010_eternalblue
Show options and set the one required value. What is the name of this value? (All caps for submission)
Ans: RHOSTS
use cmd show options to list all the available options for the selected modules. And we can see the only empty required field is RHOSTS which is the required answer
Then set the RHOSTS using set RHOSTS {IP} .
RHOST refers to the IP address of the target host
Usually it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter:
No answer needed.
With that done, run the exploit!
No answer needed.run to run the exploit
Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.
No answer needed
We got shell
If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)
Ans: post/multi/manage/shell_to_meterpreter
Background the shell using CTRL + Z
Select this (use MODULE_PATH). Show options, what option are we required to change?
Ans : Session
Set the required option, you may need to list all of the sessions to find your target here.
No answer needed
Then run the exploit.
If this doesn’t work, try completing the exploit from the previous task once more.
Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?
Ans : Jon
Copy this password hash to a file and research how to crack it. What is the cracked password?
Ans: alqfma22
Flag1? This flag can be found at the system root.
Ans: bored to type……
enter cmd shell
Flag2? This flag can be found at the location where passwords are stored within Windows.
Ans: bored to type……
Flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.
Ans: bored to type……
For this ; go to C: and search for file with name flag with command dir /s flag*.txt
For any correction / query /suggestion contact onInstagram dollarboysushil Twitter (X) dollarboysushil Youtube dollarboysushil
[
Tryhackme Walkthrough
](https://medium.com/tag/tryhackme-walkthrough?source=post_page-----6eb0fe0e26bf---------------tryhackme_walkthrough----------------- )
[
Iternal Blue
](https://medium.com/tag/iternal-blue?source=post_page-----6eb0fe0e26bf---------------iternal_blue----------------- )
[
Oscp
](https://medium.com/tag/oscp?source=post_page-----6eb0fe0e26bf---------------oscp----------------- )
[
Cybersecurity
](https://medium.com/tag/cybersecurity?source=post_page-----6eb0fe0e26bf---------------cybersecurity----------------- )
[
Ethical Hacking
](https://medium.com/tag/ethical-hacking?source=post_page-----6eb0fe0e26bf---------------ethical_hacking----------------- )
[
](https://dollarboysushil.medium.com/?source=post_page-----6eb0fe0e26bf-------------------------------- )
[
Written by dollarboysushil ](https://dollarboysushil.medium.com/?source=post_page-----6eb0fe0e26bf-------------------------------- )
6 Followers
@dollarboysushil on Twitter , Instagram , Github , Linkedin
[
Edit profile
](https://medium.com/me/settings/account?source=post_page-----6eb0fe0e26bf--------------------------------#profileInformation )
More from dollarboysushil [
](https://dollarboysushil.medium.com/authentication-vulnerabilities-lab-9-brute-forcing-a-stay-logged-in-cookie-dda91125f5f2?source=author_recirc-----6eb0fe0e26bf----0---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
[
](https://dollarboysushil.medium.com/?source=author_recirc-----6eb0fe0e26bf----0---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
[
dollarboysushil
](https://dollarboysushil.medium.com/?source=author_recirc-----6eb0fe0e26bf----0---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
[
Authentication Vulnerabilities- Lab #9 Brute-forcing a stay-logged-in cookie
For any correction / query /suggestion contact on Instagram dollarboysushil Twitter (X) dollarboysushil Youtube dollarboysushil
](https://dollarboysushil.medium.com/authentication-vulnerabilities-lab-9-brute-forcing-a-stay-logged-in-cookie-dda91125f5f2?source=author_recirc-----6eb0fe0e26bf----0---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
[
4 min read·Nov 14
](https://dollarboysushil.medium.com/authentication-vulnerabilities-lab-9-brute-forcing-a-stay-logged-in-cookie-dda91125f5f2?source=author_recirc-----6eb0fe0e26bf----0---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
1
[
](https://dollarboysushil.medium.com/authentication-vulnerabilities-lab-3-password-reset-broken-logic-95bc62a7b92a?source=author_recirc-----6eb0fe0e26bf----1---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
[
](https://dollarboysushil.medium.com/?source=author_recirc-----6eb0fe0e26bf----1---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
[
dollarboysushil
](https://dollarboysushil.medium.com/?source=author_recirc-----6eb0fe0e26bf----1---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
[
Authentication Vulnerabilities- Lab #3 Password reset broken logic For any correction / query /suggestion contact on Twitter(X) dollarboysushil My social medial handle Instagram dollarboysushil Twitter (X)… ](https://dollarboysushil.medium.com/authentication-vulnerabilities-lab-3-password-reset-broken-logic-95bc62a7b92a?source=author_recirc-----6eb0fe0e26bf----1---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
[
3 min read·Nov 10
](https://dollarboysushil.medium.com/authentication-vulnerabilities-lab-3-password-reset-broken-logic-95bc62a7b92a?source=author_recirc-----6eb0fe0e26bf----1---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
3
[
](https://dollarboysushil.medium.com/authentication-vulnerabilities-lab-2-2fa-simple-bypass-6bd390cf92bc?source=author_recirc-----6eb0fe0e26bf----2---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
[
](https://dollarboysushil.medium.com/?source=author_recirc-----6eb0fe0e26bf----2---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
[
dollarboysushil
](https://dollarboysushil.medium.com/?source=author_recirc-----6eb0fe0e26bf----2---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
[
Authentication Vulnerabilities- Lab #2 2FA simple bypass For any correction / query /suggestion contact on Twitter(X) dollarboysushil My social medial handle Instagram dollarboysushil Twitter (X)… ](https://dollarboysushil.medium.com/authentication-vulnerabilities-lab-2-2fa-simple-bypass-6bd390cf92bc?source=author_recirc-----6eb0fe0e26bf----2---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
[
3 min read·Nov 10
](https://dollarboysushil.medium.com/authentication-vulnerabilities-lab-2-2fa-simple-bypass-6bd390cf92bc?source=author_recirc-----6eb0fe0e26bf----2---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
3
[
](https://dollarboysushil.medium.com/authentication-vulnerabilities-lab-1-username-enumeration-via-different-responses-7a2562356741?source=author_recirc-----6eb0fe0e26bf----3---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
[
](https://dollarboysushil.medium.com/?source=author_recirc-----6eb0fe0e26bf----3---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
[
dollarboysushil
](https://dollarboysushil.medium.com/?source=author_recirc-----6eb0fe0e26bf----3---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
[
Authentication Vulnerabilities- Lab #1 Username enumeration via different responses For any correction / query /suggestion contact on Twitter(X) dollarboysushil My social medial handle Instagram dollarboysushil Twitter (X)… ](https://dollarboysushil.medium.com/authentication-vulnerabilities-lab-1-username-enumeration-via-different-responses-7a2562356741?source=author_recirc-----6eb0fe0e26bf----3---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
[
3 min read·Nov 10
](https://dollarboysushil.medium.com/authentication-vulnerabilities-lab-1-username-enumeration-via-different-responses-7a2562356741?source=author_recirc-----6eb0fe0e26bf----3---------------------c84f93eb_981d_4652_a724_4069734a11c9------- )
3
[
See all from dollarboysushil
](https://dollarboysushil.medium.com/?source=post_page-----6eb0fe0e26bf-------------------------------- )
[
](https://medium.com/@tr1n1ty8/tryhackme-probe-walkthrough-073531c6954f?source=read_next_recirc-----6eb0fe0e26bf----0---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
](https://medium.com/@tr1n1ty8?source=read_next_recirc-----6eb0fe0e26bf----0---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
Trnty
](https://medium.com/@tr1n1ty8?source=read_next_recirc-----6eb0fe0e26bf----0---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
TryHackMe | Probe Walkthrough Use your baseline scanning skills to enumerate a secure network. ](https://medium.com/@tr1n1ty8/tryhackme-probe-walkthrough-073531c6954f?source=read_next_recirc-----6eb0fe0e26bf----0---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
·3 min read·Nov 12
](https://medium.com/@tr1n1ty8/tryhackme-probe-walkthrough-073531c6954f?source=read_next_recirc-----6eb0fe0e26bf----0---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
14
[
](https://medium.com/@sharibbahmadd/tryhackme-walkthrough-dreaming-8d9c026ca7ee?source=read_next_recirc-----6eb0fe0e26bf----1---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
](https://medium.com/@sharibbahmadd?source=read_next_recirc-----6eb0fe0e26bf----1---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
Sharib
](https://medium.com/@sharibbahmadd?source=read_next_recirc-----6eb0fe0e26bf----1---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
TryHackMe Walkthrough: Dreaming ](https://medium.com/@sharibbahmadd/tryhackme-walkthrough-dreaming-8d9c026ca7ee?source=read_next_recirc-----6eb0fe0e26bf----1---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
6 min read·5 days ago
](https://medium.com/@sharibbahmadd/tryhackme-walkthrough-dreaming-8d9c026ca7ee?source=read_next_recirc-----6eb0fe0e26bf----1---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
1
[
510 stories·463 saves
](https://medium.com/@MediumStaff/list/staff-picks-c7bc6e1ee00f?source=read_next_recirc-----6eb0fe0e26bf-------------------------------- )
[
Stories to Help You Level-Up at Work 19 stories·316 saves
](https://medium.com/@MediumStaff/list/stories-to-help-you-levelup-at-work-faca18b0622f?source=read_next_recirc-----6eb0fe0e26bf-------------------------------- )
[
20 stories·930 saves
](https://medium.com/@MediumForTeams/list/selfimprovement-101-3c62b6cb0526?source=read_next_recirc-----6eb0fe0e26bf-------------------------------- )
[
20 stories·848 saves
](https://medium.com/@MediumForTeams/list/productivity-101-f09f1aaf38cd?source=read_next_recirc-----6eb0fe0e26bf-------------------------------- )
[
](https://medium.com/@abhishek.rk96/tryhackme-recovering-active-directory-writeup-ca4ae916a159?source=read_next_recirc-----6eb0fe0e26bf----0---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
](https://medium.com/@abhishek.rk96?source=read_next_recirc-----6eb0fe0e26bf----0---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
DefenderFela
](https://medium.com/@abhishek.rk96?source=read_next_recirc-----6eb0fe0e26bf----0---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
TryHackMe | Recovering Active Directory WriteUp ](https://medium.com/@abhishek.rk96/tryhackme-recovering-active-directory-writeup-ca4ae916a159?source=read_next_recirc-----6eb0fe0e26bf----0---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
3 min read·Nov 17
](https://medium.com/@abhishek.rk96/tryhackme-recovering-active-directory-writeup-ca4ae916a159?source=read_next_recirc-----6eb0fe0e26bf----0---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
11
[
](https://medium.com/@nachoriva84/codify-easy-ctf-hackthebox-466a012c59ce?source=read_next_recirc-----6eb0fe0e26bf----1---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
](https://medium.com/@nachoriva84?source=read_next_recirc-----6eb0fe0e26bf----1---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
cyx
](https://medium.com/@nachoriva84?source=read_next_recirc-----6eb0fe0e26bf----1---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
Codify (Easy) CTF — HackTheBox From the NMAP scan, ports 80, 22 and 3000 were discoverable. So I proceeded to go to the website ](https://medium.com/@nachoriva84/codify-easy-ctf-hackthebox-466a012c59ce?source=read_next_recirc-----6eb0fe0e26bf----1---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
3 min read·Nov 6
](https://medium.com/@nachoriva84/codify-easy-ctf-hackthebox-466a012c59ce?source=read_next_recirc-----6eb0fe0e26bf----1---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
1
[
](https://medium.com/@sselvakumar2407/htb-writeup-codify-7c9b3c0dfef5?source=read_next_recirc-----6eb0fe0e26bf----2---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
](https://medium.com/@sselvakumar2407?source=read_next_recirc-----6eb0fe0e26bf----2---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
Selvakumar
](https://medium.com/@sselvakumar2407?source=read_next_recirc-----6eb0fe0e26bf----2---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
Hello Hackers, In this blog, will see about one of the easy boxes in HTB “Codify”. ](https://medium.com/@sselvakumar2407/htb-writeup-codify-7c9b3c0dfef5?source=read_next_recirc-----6eb0fe0e26bf----2---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
4 min read·Nov 13
](https://medium.com/@sselvakumar2407/htb-writeup-codify-7c9b3c0dfef5?source=read_next_recirc-----6eb0fe0e26bf----2---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
](https://homosapienimo.medium.com/how-i-was-able-to-get-account-takeover-via-idor-form-jwt-08f3317b938a?source=read_next_recirc-----6eb0fe0e26bf----3---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
](https://homosapienimo.medium.com/?source=read_next_recirc-----6eb0fe0e26bf----3---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
Homo Sapiens
](https://homosapienimo.medium.com/?source=read_next_recirc-----6eb0fe0e26bf----3---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
How I was able to get account takeover via IDOR form JWT Hello guys, today I’m gonna explain how I got IDOR and exploit it to make account takeover. ](https://homosapienimo.medium.com/how-i-was-able-to-get-account-takeover-via-idor-form-jwt-08f3317b938a?source=read_next_recirc-----6eb0fe0e26bf----3---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
8 min read·Nov 17
](https://homosapienimo.medium.com/how-i-was-able-to-get-account-takeover-via-idor-form-jwt-08f3317b938a?source=read_next_recirc-----6eb0fe0e26bf----3---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
194
[
1
](https://homosapienimo.medium.com/how-i-was-able-to-get-account-takeover-via-idor-form-jwt-08f3317b938a?responsesOpen=true&sortBy=REVERSE_CHRON&source=read_next_recirc-----6eb0fe0e26bf----3---------------------ab95a2c3_0408_4576_8c38_d56c89c02fb0------- )
[
See more recommendations
](https://medium.com/?source=post_page-----6eb0fe0e26bf-------------------------------- )
[
Help
](https://help.medium.com/hc/en-us?source=post_page-----6eb0fe0e26bf-------------------------------- )
[
Status
](https://medium.statuspage.io/?source=post_page-----6eb0fe0e26bf-------------------------------- )
[
About
](https://medium.com/about?autoplay=1&source=post_page-----6eb0fe0e26bf-------------------------------- )
[
Careers
](https://medium.com/jobs-at-medium/work-at-medium-959d1a85284e?source=post_page-----6eb0fe0e26bf-------------------------------- )
[
Blog
](https://blog.medium.com/?source=post_page-----6eb0fe0e26bf-------------------------------- )
[
Privacy
](https://policy.medium.com/medium-privacy-policy-f03bf92035c9?source=post_page-----6eb0fe0e26bf-------------------------------- )
[
Terms
](https://policy.medium.com/medium-terms-of-service-9db0094a1e0f?source=post_page-----6eb0fe0e26bf-------------------------------- )
[
Text to speech
](https://speechify.com/medium?source=post_page-----6eb0fe0e26bf-------------------------------- )
[
Teams
](https://medium.com/business?source=post_page-----6eb0fe0e26bf-------------------------------- )
