Blue Walkthrough – OSCP Preparation

This is our second room on TryHackMe and we’re gonna follow along with the OSCP preparation series. Let’s get started with our first machine.


Room : Blue
Target OS : Windows
Difficulty : Easy
Info : Deploy & hack into a Windows machine, leveraging common misconfigurations issues.
Services : RPC (135), SMB (139, 445)


• Getting flag1.txt, flag2.txt, flag3.txt


As always, the first step consists of the reconnaissance phase as port scanning.

Ports Scanning

During this step, we’re gonna identify the target to see what we have behind the IP Address.

nmap -sC -sV -oA

135/tcp   open  msrpc              Microsoft Windows RPC                                                                                                   
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn                                                                                           
445/tcp   open  microsoft-ds       Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)                                          
3389/tcp  open  ssl/ms-wbt-server?                                                                                                                         
| rdp-ntlm-info:                                                                                                                                           
|   Target_Name: JON-PC                                                                                                                                    
|   NetBIOS_Domain_Name: JON-PC                                                                                                                            
|   NetBIOS_Computer_Name: JON-PC                                                                                                                          
|   DNS_Domain_Name: Jon-PC                                                                                                                                
|   DNS_Computer_Name: Jon-PC                                                                                                                              
|   Product_Version: 6.1.7601                                                                                                                              
|_  System_Time: 2020-04-19T17:25:02+00:00                                                                                                                 
| ssl-cert: Subject: commonName=Jon-PC 
| Not valid before: 2020-04-18T17:22:29
|_Not valid after:  2020-10-18T17:22:29
|_ssl-date: 2020-04-19T17:25:09+00:00; 0s from scanner time.
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49158/tcp open  msrpc              Microsoft Windows RPC
49160/tcp open  msrpc              Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Enumerating Port 139, 445

Since we have SMB services running let’s find out if they’re vulnerable.

nmap --script vuln -p139,445 -oA nmap_smb

SMB is vulnerable and can be exploitable using MS17-010


Since we have discovered SMB is vulnerable let’s exploit it using MSFconsole.

Let’s run the exploit and get our reverse shell.

We got nt authority already!

Upgrade Shell - Meterpreter


Let’s run to get another session opened!

Now, sessions -i 2


We’re going to obtain hashes since we’re already nt authority using this module.

run post/windows/gather/hashdump

Cracking Hashes Using Hashcat

option (–username): Enable ignoring of usernames in hashfile
option (–show): Show cracked passwords only
-a (attack mode): 0
-m (hashtype): 1000
hashfile: hashes.txt
wordlist: /usr/share/wordlists/rockyou.tx

hashcat --username -a 0 -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt


Password of Jon: alqfna22


We have to find flag1.txt, flag2.txt, flag3.txt

dir *flag*.txt /s


We cannot see flag2.txt let’s change our query.

dir flag* /s /p

We have to migrate our process to another ps through meterpreter to fully enjoy the nt authority system.

flag1.txt C:\flag1.txt
flag2.txt C:\Windows\System32\config\flag2.txt
flag3.txt C:\Users\Jon\Documents\flag3.txt

1 Like