Exploring Eternal Blue! HTB Blue CTF

Exploring Eternal Blue!

A writeup by Behind Security on a challenge named Blue from HackTheBox. You can see a informative dashboard below.


Challenge that covers enumeration and exploitation of a windows machine running a vulnerable SMB server.

HackTheBox Logo


Hack The Box gives individuals, businesses and universities the tools they need to continuously improve their cybersecurity capabilities — all in one place.

Behind Security main logo, cropped.


Behind Security is an online platform dedicated to providing informative articles on cybersecurity, privacy, and programming.

Service Enumeration

Command: nmap -sC -sV -T4 -v


  • -sC: This option tells Nmap to run a script scan. In Nmap, scripts are small programs that automate various tasks, such as vulnerability detection, service version detection, or default script scanning. The -sC option specifically runs the default set of scripts against the target. Those scripts were able to identify that the SMB service version running on the machine is likely outdated, as the operating system is Windows 7.

  • -sV: This option enables version detection for services running on the target. Nmap will try to identify the versions of the services (like web servers, database servers, etc.) running on open ports. Knowing the service versions can help in identifying potential vulnerabilities associated with specific versions.

  • -T4: This option sets the timing template for the scan. The timing template determines the speed of the scan, ranging from 0 (paranoid) to 5 (insane). In this case, -T4 sets the scan to use aggressive timing, making it faster but potentially more noticeable and noisier on the network.

  • This is the target IP address that Nmap will scan. In this example, the scan will be performed against the system with the IP address

  • -v: This option enables verbose output, providing more detailed information about the scan as it progresses. It allows the user to see what Nmap is doing during the scan, what ports are being scanned, and the results obtained.

The nmap scan output indicates that TCP ports 135, 139, 445, 49152, 49153, 49154, 49155, 49156, 49157 are open,.

SMB Enumeration

After conducting a thorough investigation, no publicly available information was found on the SMB service.

To gain deeper insights, Behind Security conducted an Nmap scan, utilizing specific vulnerability detection scripts from NSE (Nmap Scripting Engine). The following command was used: nmap -sV -T4 --script=vuln -p135,139,445 -v, and the detailed output is provided below.

In summary, the scan found a significant vulnerability (ms17-010 eternal blue) that could allow attackers to take control of the system remotely.

Initial Access – Eternal Blue RCE (ms17-010)

Vulnerability Explanation: The Microsoft Server Message Block 1.0 (SMBv1) server is susceptible to remote code execution vulnerabilities due to the way it handles specific requests. Exploiting these vulnerabilities would grant an attacker the ability to execute code on the targeted server, potentially gaining unauthorized access or control over the system. More detailed information can be found in the Microsoft Security Bulletin

Vulnerability Fix: Microsoft has addressed this known issue with a security patch. To safeguard the system against potential attacks, it is essential to apply the fix promptly. For further details and instructions on how to implement the patch, refer to the Microsoft support page.

Severity: Critical

Steps to Reproduce the Attack: There is a publicly available exploit in Metasploit, a penetration testing tool, that can be utilized to execute the attack. Below are the steps for an attacker to perform the exploit:

msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_psexec) > set RHOSTS
msf exploit(ms17_010_psexec) > show options
...show and set options...
msf exploit(ms17_010_psexec) > exploit
Result of a successful exploit

Post Exploitation

A successful exploitation (ms17-010) results in a remote attacker obtaining SYSTEM privileges on the vulnerable host (

Proof of Exploitation: REDACTED user.txt
Proof of Exploitation: REDACTED root.txt
Scroll to Top