Blue
Blue - TryhackMe
Overview
The “Blue” machine is designed to illustrate the critical impact of the MS17-010 (EternalBlue) vulnerability in unpatched SMBv1 services. During this exercise, the tester discovers and exploits the flaw to gain remote code execution, transitions into a stable Meterpreter session, escalates privileges to SYSTEM, and harvests credentials to fully compromise the host. This scenario mirrors a realistic enterprise attack chain where legacy protocols remain exposed.
Key Objectives
Identify exposed services and vulnerabilities: Perform network and service enumeration (e.g., Nmap with version and vulnerability scripts) to detect SMBv1.
Exploit MS17-010 (EternalBlue): Leverage Metasploit’s
exploit/windows/smb/ms17_010_eternalblue
to achieve initial remote code execution.Establish a reliable post-exploitation foothold: Convert the initial shell into a Meterpreter session for enhanced control and stability.
Escalate privileges to SYSTEM: Migrate the Meterpreter process into a SYSTEM-level service to obtain full administrative rights.
Harvest and crack credentials: Dump NTLM hashes using
hashdump
, then crack the “Jon” account password (alwfna22
) to demonstrate lateral-movement potential.Locate and exfiltrate proof-of-compromise artifacts: Find and read all three flags scattered across system directories to validate complete system control.
Skills Demonstrated
Reconnaissance & Scanning: Using Nmap with aggressive flags (
-sCV -Pn
) and vulnerability scripts to pinpoint SMBv1 exposure.Metasploit Framework Proficiency: Crafting and executing an EternalBlue exploit module, and applying post-modules for shell conversion.
Post-Exploitation Techniques: Utilizing Meterpreter for process migration, privilege escalation, and interactive command execution.
Credential Harvesting & Cracking: Extracting NTLM hashes and applying offline cracking tools to reveal plaintext passwords.
Windows Attack Path Mastery: Understanding of Windows service contexts, filesystem hierarchy, and the significance of SYSTEM privileges.
Proof-of-Concept Validation: Systematic search and retrieval of flags to demonstrate and document each stage of compromise.
Relevance
This exercise underscores the real-world danger of unpatched Windows environments and outdated protocols like SMBv1. It reinforces best practices around timely patch management, legacy protocol deprecation, and defense-in-depth—critical controls for protecting enterprise networks. Mastery of these techniques is directly applicable to red-team assessments, penetration tests, and incident-response readiness in professional security engagements.
Last updated