Blue Room Analysis began as a practical exercise in understanding how attackers move from reconnaissance to system compromise. Rather than approaching this lab purely from an offensive perspective, I focused on understanding the attack chain, identifying the evidence generated at each stage, and considering what a defender would observe during an investigation.

Disclaimer: This analysis was performed within an authorized TryHackMe lab environment for educational and defensive learning purposes. The focus of this write-up is understanding attacker behavior, detection opportunities, and incident response considerations.

Initial Reconnaissance

The first challenge appeared before any scanning began.

The target machine did not respond to ICMP requests, meaning standard host discovery techniques could incorrectly classify the system as offline.

To compensate, I used:

nmap -Pn

This forced Nmap to assume the host was alive and proceed directly with scanning.

After performing a full TCP port scan, several services were identified:

• TCP 135 (MSRPC)
• TCP 139 (NetBIOS)
• TCP 445 (Microsoft-DS / SMB)
• TCP 3389 (Remote Desktop Protocol)

At this stage, SMB Enumeration became the primary focus.

SMB Enumeration

The presence of ports 139 and 445 strongly indicated that SMB services were accessible.

Rather than immediately searching for exploits, the next step was to validate whether the service exposed any known vulnerabilities.

Using Nmap NSE scripts, I performed SMB Enumeration and vulnerability checks against port 445.

This process identified:

MS17-010

At this point, the attack path became clear.

Understanding MS17-010

MS17-010 is a Microsoft security bulletin addressing multiple vulnerabilities in SMBv1.

Historically, MS17-010 became infamous due to EternalBlue, a remote code execution exploit later weaponized during large-scale ransomware outbreaks.

From a defender's perspective, discovering MS17-010 on an exposed SMB service represents a critical finding because exploitation can occur without valid credentials.

Exploitation

Using Metasploit, the EternalBlue module was identified and loaded.

After configuring the required target settings, the exploit successfully executed and returned a command shell.

The successful compromise demonstrated how quickly a vulnerable SMB service can transition from exposure to full system access.

Privilege Escalation

Following successful exploitation, access was upgraded to Meterpreter.

From there:

• Privileges were verified.
• Processes were enumerated.
• Process migration was performed.
• Stable execution was achieved under a SYSTEM-level process.

At this stage, administrative control over the system had effectively been obtained.

Credential Access

With elevated privileges available, password hashes were extracted using Meterpreter's hashdump capability.

A non-default user account was identified and the associated NTLM hash was recovered.

The recovered hash was then cracked offline, demonstrating how credential theft often occurs after initial compromise.

This phase reinforced an important lesson:

Attackers frequently target credentials after gaining access because credentials enable persistence and lateral movement.

Detection Opportunities

Several activities performed during this exercise would generate valuable security telemetry:

Network Indicators

• SMB scanning activity
• Excessive connections to TCP 445
• Vulnerability scanning patterns

Endpoint Indicators

• Unexpected cmd.exe execution
• Meterpreter payload activity
• Process migration behaviour
• Credential dumping attempts

Investigation Focus

A SOC analyst reviewing these events should focus on:

• New process creation
• Privilege escalation activity
• Suspicious SMB communication
• Credential access behaviour

Challenges Encountered

One challenge involved understanding Nmap output correctly.

Initially, I focused only on open ports rather than identifying which services were most relevant to the attack path.

The critical learning moment was recognising that:

139 + 445 = SMB

This immediately narrowed the investigation and ultimately led to the discovery of MS17-010.

Another challenge involved understanding Meterpreter sessions and process migration.

Rather than blindly following commands, I focused on understanding why attackers migrate into stable SYSTEM processes and how defenders might detect that behaviour.

Incident Report Notes

Executive Summary

An exposed SMB service was identified on the target host. Further SMB Enumeration revealed vulnerability MS17-010. Successful exploitation resulted in SYSTEM-level access and subsequent credential extraction.

Initial Access

• SMB Enumeration
• MS17-010 discovery

Execution

• EternalBlue exploitation
• Remote command execution

Privilege Escalation

• Meterpreter upgrade
• SYSTEM-level access obtained

Credential Access

• Hash extraction
• Offline password cracking

Recommendations

• Disable SMBv1
• Apply MS17-010 security updates
• Restrict SMB exposure
• Monitor credential dumping behaviour
• Enable enhanced endpoint logging

Final Thoughts

This Blue Room Analysis demonstrated how SMB Enumeration and MS17-010 exploitation fit within a larger attack chain.

More importantly, it highlighted the value of viewing offensive activity through a defensive lens. Every step of the compromise generated evidence that could be leveraged for detection, investigation, and response.

That perspective will become increasingly valuable when analysing Sysmon telemetry and building detection logic.

Continue to the next attacker-like lab write-ups: Icecast Exploitation, Credential Theft & Detection

Visit my everyday Cyber Playground