Hack The Box: Blue




Difficulty: Easy

Machine Creator: ch4p

Tools Used: nmap, Python, smbclient, msfvenom, Metasploit handler

Task: To find User.txt and Root.txt

Network Enumeration

Let's start with a quick nmap SYN scan of all TCP ports to discover open ports and services.

nmap -sS --min-rate 5000 --max-retries 1 -p- 10.10.10.40

The quick scan shows several open ports. Next, let's run every "smb-vuln" NSE script nmap ships with against SMB on port 445.

ls /usr/share/nmap/scripts/ | grep "smb-vuln"

nmap -A -vv --script=smb-vuln-conficker,smb-vuln-cve2009-3103,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-vuln-ms07-029,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061,smb-vuln-ms17-010 -p445 10.10.10.40
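The smb-vuln scripts print one block per script under "Host script results", each with a "State:" line. When the same scan is run across a whole subnet, the useful output is a per-host list of which SMB findings are VULNERABLE so the hosts can be patched (MS17-010 is fixed by the March 2017 Microsoft update). The following parser is an added example, not part of this writeup and not an nmap tool; it assumes nmap's normal (-oN style) text layout and that the scan was run with --script-args vulns.showall so NOT VULNERABLE results are printed as well. The sample scan text is constructed for the example.

```python
"""Turn nmap smb-vuln-* output into a patch list: {host: [vulnerable scripts]}.

Added example for this writeup (not the original post's code, not an nmap tool).
Assumes nmap normal text output and `--script-args vulns.showall`.
"""
import re
from collections import defaultdict

# Constructed sample output (two hosts, trimmed to the relevant lines).
# This is not real scan output from the box; it follows nmap's vuln-library layout.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.40
Host is up (0.021s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
|_    References: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| smb-vuln-ms08-067: 
|   NOT VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: NOT VULNERABLE
|     Risk factor: HIGH
|_    Disclosure date: 2008-10-23

Nmap scan report for 10.10.10.41
Host is up (0.019s latency).

Host script results:
| smb-vuln-ms17-010: 
|   NOT VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: NOT VULNERABLE
|_    Risk factor: HIGH
|_smb-vuln-ms10-054: false
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SCRIPT_RE = re.compile(r"^\|_?\s*(smb-vuln-[\w-]+):")
STATE_RE = re.compile(r"^\|_?\s+State:\s+(VULNERABLE|LIKELY VULNERABLE|NOT VULNERABLE)")


def parse_smb_vuln_output(text):
    """Return {host: {script_name: state}} from nmap normal output.

    A script that prints a bare 'false' (no State line) is recorded as
    NOT VULNERABLE; a script block with no State line at all stays UNKNOWN.
    """
    results = defaultdict(dict)
    host = script = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, script = m.group(1), None
            continue
        if host is None:
            continue  # header lines before the first host block
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            rest = line.split(":", 1)[1].strip()
            if rest == "false":
                results[host][script] = "NOT VULNERABLE"
            else:
                results[host].setdefault(script, "UNKNOWN")
            continue
        m = STATE_RE.match(line)
        if m and script:
            results[host][script] = m.group(1)
    return dict(results)


def hosts_needing_patch(text):
    """Hosts with at least one VULNERABLE / LIKELY VULNERABLE SMB finding."""
    triage = {}
    for host, scripts in parse_smb_vuln_output(text).items():
        bad = sorted(s for s, st in scripts.items()
                     if st in ("VULNERABLE", "LIKELY VULNERABLE"))
        if bad:
            triage[host] = bad
    return triage


if __name__ == "__main__":
    for host, findings in hosts_needing_patch(SAMPLE_NMAP_OUTPUT).items():
        print(f"{host}: patch required for {', '.join(findings)}")
```

Run against a real scan with `python3 triage.py < scan.txt` after swapping the sample for `sys.stdin.read()`; on the constructed sample only 10.10.10.40 is listed, with smb-vuln-ms17-010 as the finding. The "LIKELY VULNERABLE" state is included because some NSE vuln checks cannot confirm exploitability and report that instead of VULNERABLE.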

Exploit Development

While there is a Metasploit module for EternalBlue (MS17-010), let's do this the manual way. Searching Exploit-DB turns up a Python script for this exploit, which depends on the mysmb.py helper from the same author:

https://www.exploit-db.com/exploits/42315/

https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py

Before we can perform this exploit, we need to discover open SMB shares on this machine.


 vi /etc/hosts

smbclient -L \\HARIS-PC -N

The listing shows open SMB shares. Next we verify that we can actually access them: connect with smbclient and leave the password blank at the prompt.

smbclient \\\\haris-pc\\Users

Payload Generation


Exploit Modification



Handler Setup


Exploitation



User.txt and Root.txt


Post Exploitation


reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f