Page cover

Blue

Blue - TryhackMe

Overview

The “Blue” machine is designed to illustrate the critical impact of the MS17-010 (EternalBlue) vulnerability in unpatched SMBv1 services. During this exercise, the tester discovers and exploits the flaw to gain remote code execution, transitions into a stable Meterpreter session, escalates privileges to SYSTEM, and harvests credentials to fully compromise the host. This scenario mirrors a realistic enterprise attack chain where legacy protocols remain exposed.

Key Objectives

  • Identify exposed services and vulnerabilities: Perform network and service enumeration (e.g., Nmap with version and vulnerability scripts) to detect SMBv1.

  • Exploit MS17-010 (EternalBlue): Leverage Metasploit’s exploit/windows/smb/ms17_010_eternalblue to achieve initial remote code execution.

  • Establish a reliable post-exploitation foothold: Convert the initial shell into a Meterpreter session for enhanced control and stability.

  • Escalate privileges to SYSTEM: Migrate the Meterpreter process into a SYSTEM-level service to obtain full administrative rights.

  • Harvest and crack credentials: Dump NTLM hashes using hashdump, then crack the “Jon” account password (alwfna22) to demonstrate lateral-movement potential.

  • Locate and exfiltrate proof-of-compromise artifacts: Find and read all three flags scattered across system directories to validate complete system control.

Skills Demonstrated

  • Reconnaissance & Scanning: Using Nmap with aggressive flags (-sCV -Pn) and vulnerability scripts to pinpoint SMBv1 exposure.

  • Metasploit Framework Proficiency: Crafting and executing an EternalBlue exploit module, and applying post-modules for shell conversion.

  • Post-Exploitation Techniques: Utilizing Meterpreter for process migration, privilege escalation, and interactive command execution.

  • Credential Harvesting & Cracking: Extracting NTLM hashes and applying offline cracking tools to reveal plaintext passwords.

  • Windows Attack Path Mastery: Understanding of Windows service contexts, filesystem hierarchy, and the significance of SYSTEM privileges.

  • Proof-of-Concept Validation: Systematic search and retrieval of flags to demonstrate and document each stage of compromise.

Relevance

This exercise underscores the real-world danger of unpatched Windows environments and outdated protocols like SMBv1. It reinforces best practices around timely patch management, legacy protocol deprecation, and defense-in-depth—critical controls for protecting enterprise networks. Mastery of these techniques is directly applicable to red-team assessments, penetration tests, and incident-response readiness in professional security engagements.

PreviousExecutive ReportNextWrite-up

Last updated