Blue (TryHackMe) — Capture-the-Flag Writeup
https://tryhackme.com/room/blue
Room completed — reconnaissance → exploitation → post-exploitation → flags
Short summary: I spun up the Blue machine, performed targeted enumeration with Nmap (including vulnerability scripts), discovered a critical SMB vulnerability, used Metasploit to validate and obtain a Meterpreter shell, dumped hashes, cracked credentials, solved the room puzzles and captured all three flags.
Table of contents
- Introduction
- Goal & methodology
- Recon & enumeration
- Exploitation (high-level)
- Post-exploitation & pivoting
- Flags (what I found)
- Lessons learned & defensive takeaways
- Appendix — notes, resources, and suggested screenshots
1. Introduction
Blue is a beginner-friendly TryHackMe room focused on SMB/Windows exploitation and basic post-exploitation. The room walks you through identifying a vulnerable SMB service, exploiting it to get a shell, and performing simple post-exploitation tasks (like dumping hashes and cracking credentials) to retrieve the flags.
This writeup is a narrative of my run: what I did, what I found, and what I learned. I avoid providing step-by-step exploit instructions so this remains suitable for readers who want to learn the methodology and defensive lessons.
2. Goal & methodology
Primary objective: Capture three flags on the Blue box by exploiting an SMB vulnerability and carrying out post-exploit tasks.
Methodology (high level):
Boot the target machine from the TryHackMe room interface.
Reconnaissance with Nmap to identify open ports and running services; use vulnerability scripts during enumeration.
Research identified findings to confirm probable exploitability.
Use an exploit framework to validate and obtain an interactive shell (the lab prescribes a particular payload).
Move to a Meterpreter session, dump password hashes, crack them offline, and retrieve usernames/passwords for flag access.
Solve the puzzle/flags with the obtained access.
3. Recon & enumeration
I began with a focused port scan and service enumeration.
What I ran (conceptual)
A TCP port/service scan against the target IP to discover open ports.
Version detection and common NSE scripts (including vulnerability checks) to surface known issues.
A typical example of the type of command I used was an Nmap service/version scan combined with vulnerability NSE scripts. The scan reported SMB/445 as interesting and returned a vulnerability signature indicating a well-known SMB vulnerability.
Key finding
SMB service (port 445) appeared vulnerable. The scan’s vulnerability check flagged a known critical SMB vulnerability (commonly discussed in public advisories). This aligned with published CVE information, so I prioritized SMB for exploitation.
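The recon step above produces Nmap output that a defender reviewing their own estate has to triage in the same way: which hosts expose SMB, and on which of those did a vulnerability script actually fire? The following is an added example (not code from the writeup or from TryHackMe) that parses Nmap's `-oX` XML output and ranks hosts for patching. The embedded XML is a constructed sample, and the `smb-vuln-PLACEHOLDER` script id and its output are placeholders rather than a real finding; only the `smb-vuln-` prefix is assumed, as that is how Nmap names its SMB vulnerability scripts.

```python
"""Triage Nmap XML output for exposed SMB and vulnerability-script hits.

Added example for exposure review of a scan you ran against your own hosts;
not code from the TryHackMe room. The XML below is a constructed sample in
Nmap's -oX format; script ids and outputs are placeholders, not a real finding.
"""
import xml.etree.ElementTree as ET

# Ports carrying SMB; Nmap reports portid as a string, so keep these as strings
SMB_PORTS = {"139", "445"}

# Constructed sample of `nmap -sV --script vuln -oX scan.xml <own-host>` output
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-PLACEHOLDER" output="VULNERABLE: placeholder SMB vulnerability (constructed)"/>
      <script id="smb-os-discovery" output="OS: Windows (constructed)"/>
    </hostscript>
  </host>
  <host>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Return one dict per host: IPv4 address, open ports, smb-vuln-* hits."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        addr = next((a.get("addr") for a in host.iter("address")
                     if a.get("addrtype") == "ipv4"), None)
        open_ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                open_ports[port.get("portid")] = svc.get("name", "") if svc is not None else ""
        # NSE places smb-vuln-* results under <hostscript>; iter() also
        # covers per-port <script> elements, so both locations are checked.
        vuln_hits = [
            (s.get("id"), s.get("output", ""))
            for s in host.iter("script")
            if s.get("id", "").startswith("smb-vuln-") and "VULNERABLE" in s.get("output", "")
        ]
        hosts.append({"address": addr, "open_ports": open_ports, "vuln_hits": vuln_hits})
    return hosts


def triage(hosts):
    """Rank SMB-exposed hosts: an exposed port plus a script hit is patched first."""
    findings = []
    for h in hosts:
        smb_open = sorted(SMB_PORTS & set(h["open_ports"]))
        if not smb_open:
            continue  # no SMB exposure on this host
        severity = "critical" if h["vuln_hits"] else "review"
        findings.append({"address": h["address"], "smb_ports": smb_open,
                         "severity": severity,
                         "scripts": [sid for sid, _ in h["vuln_hits"]]})
    return findings


if __name__ == "__main__":
    for f in triage(parse_hosts(SAMPLE_XML)):
        print(f"{f['address']}: SMB on {','.join(f['smb_ports'])} -> {f['severity']} {f['scripts']}")
```

Hosts with SMB open but no script hit still land on the "review" list: an NSE vulnerability script only covers the checks it was written for, so a clean script run is not proof the host is patched, and the patch level should be confirmed from the host itself.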
4. Exploitation (high-level)
After confirming the SMB vulnerability in enumeration and doing quick cross-checks against public advisories, I used an exploit framework to attempt to validate and gain a shell.
Important: This section avoids disclosing a step-by-step exploit. The workflow was:
- Load an SMB-targeting exploit in a controlled exploit framework.
- Configure required options (target IP and the lab-provided payload parameters). The lab provides a recommended payload to test with — I used that.
- Launch the exploit and, on success, obtain an interactive session.
Result: A Meterpreter session was established, giving an interactive post-exploit environment on the target.
5. Post-exploitation & pivoting
Once I had Meterpreter, I performed basic post-exploitation tasks aligned with the room objectives.
Actions taken (high level)
Elevated the shell to an interactive Meterpreter session (what the lab expected).
Enumerated local users and system information to identify interesting accounts.
Dumped authentication material (hashes) from the system — the lab allows this for learning.
Used an offline cracking helper to convert dumped hashes into cleartext credentials.
With recovered credentials, accessed locations on the box that contained the remaining flags.
Tools referenced
Meterpreter (session management and enumeration).
A hash cracking helper/service (to practice converting NTLM/Windows hashes to plaintext).
6. Flags (what I found)
I captured the three flags the room expected. For blog purposes they are described generically:
Flag 1 (user flag): Located after initial exploitation and basic file enumeration in a user directory — typically the first proof-of-compromise.
Flag 2 (administrator flag): Obtained after dumping hashes and cracking credentials that let me reach a higher-privileged area.
Flag 3 (puzzle / final flag): Found by solving the lab’s small post-exploit puzzle and extracting the last token from a file on the machine.
Note: Do not publish actual flag values in public blog posts if you want to avoid spoilers for others. If you include them, consider adding a clear spoiler/toggle or redacting the values.
7. Lessons learned & defensive takeaways
This room is a compact study on classic SMB risk and post-exploit tradecraft. Key takeaways:
Offense side (what’s instructive)
Automated enumeration (Nmap + NSE scripts) is extremely effective in surfacing known vulnerabilities quickly.
Public CVE advisories and vendor patches are essential references when a vulnerability is indicated.
Exploit frameworks can be used for rapid validation in a controlled/lab environment — they’re invaluable for learning how vulnerabilities translate into access.
Post-exploitation steps (hash dumping, cracking) show how credentials harvested from one host can lead to lateral movement or privilege escalation.
Defense side (how to mitigate)
Patch promptly: Many high-impact SMB vulnerabilities are mitigated by vendor patches; keeping systems patched removes this entire attack class.
Network segmentation: SMB should not be openly exposed to untrusted networks — limit SMB (445) via network ACLs and firewall rules.
Credential hygiene: Use strong, unique passwords and consider credential protection technologies (e.g., LSA protection, Credential Guard).
Monitoring & EDR: Look for suspicious SMB traffic patterns, exploit indicators, and abnormal privilege-escalation behaviors.
Least privilege & privileged account protection: Limit administrative privileges and monitor for unusual access.
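The segmentation and monitoring points above are easy to state and easy to let drift. As an added example (not part of the original writeup), here is a small detector that runs over firewall or flow-log records and raises two kinds of alert: SMB (139/445) accepted from a source outside the segments that are allowed to speak SMB, and one source reaching SMB on many hosts within the log window, which is the traffic shape the room's enumeration phase produces. The log lines, the allowed client range and the field order are all constructed; adapt the parser to your own export format.

```python
"""Flag SMB reaching servers from outside the segments that should use it.

Added example, not part of the original writeup. Log lines, the allowed
client network and the fan-out threshold are constructed values.
"""
import ipaddress
from collections import defaultdict

# Segments that legitimately talk SMB to the file servers (constructed policy)
ALLOWED_SMB_CLIENTS = [ipaddress.ip_network("10.10.0.0/16")]
SMB_PORTS = {139, 445}
# Distinct SMB targets from one source within the window before it looks like a sweep
FANOUT_THRESHOLD = 3

# Constructed flow-log sample: timestamp,src,dst,dport,action
SAMPLE_FLOWS = """\
2024-01-01T09:00:01Z,10.10.4.20,10.10.1.5,445,ALLOW
2024-01-01T09:00:02Z,10.10.4.21,10.10.1.5,445,ALLOW
2024-01-01T09:01:10Z,192.0.2.77,10.10.1.5,445,ALLOW
2024-01-01T09:01:11Z,192.0.2.77,10.10.1.6,445,ALLOW
2024-01-01T09:01:12Z,192.0.2.77,10.10.1.7,445,ALLOW
2024-01-01T09:02:00Z,203.0.113.9,10.10.1.5,445,DENY
2024-01-01T09:03:00Z,10.10.4.20,10.10.1.5,443,ALLOW
"""


def parse_flows(text):
    """Parse the constructed CSV layout into records with typed addresses/ports."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split(",")
        flows.append({"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
                      "dport": int(dport), "action": action.strip()})
    return flows


def detect(flows):
    """Return (rule, source, detail, timestamp) tuples for SMB policy violations."""
    alerts = []
    targets = defaultdict(set)  # source -> set of SMB destinations it reached
    for f in flows:
        if f["dport"] not in SMB_PORTS or f["action"] != "ALLOW":
            continue  # non-SMB traffic and blocked attempts are not violations
        from_allowed = any(f["src"] in net for net in ALLOWED_SMB_CLIENTS)
        if not from_allowed:
            # The ACL let SMB through from a segment that should never reach it
            alerts.append(("SMB_FROM_UNTRUSTED", str(f["src"]), f["dst"], f["ts"]))
        targets[str(f["src"])].add(f["dst"])
    for src, dsts in targets.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            # One client touching SMB on many hosts resembles service enumeration
            alerts.append(("SMB_FANOUT", src, f"{len(dsts)} hosts", ""))
    return alerts


if __name__ == "__main__":
    for rule, src, detail, ts in detect(parse_flows(SAMPLE_FLOWS)):
        print(f"{rule}: {src} -> {detail} {ts}")
```

The denied attempt from 203.0.113.9 deliberately produces no alert: a DENY record is the firewall rule doing its job and belongs in a coverage report, not an alert queue. The fan-out rule will fire on legitimate management hosts that mount many shares, so tune `FANOUT_THRESHOLD` or allow-list those sources before putting it in front of an on-call rotation.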