Hack The Box: Blue Walkthrough



@18 Dec 2019


The game cannot be completed without the support of our friends of CTF Playgroup Hong Kong & Macau        


Penetration Methodology:

Service Scanning

Enumeration & Exploitation

Getting a Low-Privilege Shell

Capturing the Flag


Target machine:

Attacking (Hacker) machine:

Hacking Process Part 0 – Service Scanning

The target machine IP is

Get a basic understanding of the services available on the target machine by running an nmap aggressive scan against all available ports.

0.1) Quick Pre-searching

nmap -p-

0.2) Detailed Analysis

nmap -sV -p 135,139,445,49152 -A -oN nmap-htb-blue-detail.txt


135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|WAP|phone
Running: iPXE 1.X, Linux 2.4.X|2.6.X, Sony Ericsson embedded
OS CPE: cpe:/o:ipxe:ipxe:1.0.0%2b cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:sonyericsson:u8i_vivaz
OS details: iPXE 1.0.0+, Tomato 1.28 (Linux 2.4.20), Tomato firmware (Linux 2.6.22), Sony Ericsson U8i Vivaz mobile phone
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2.10:
|_    Message signing enabled but not required
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 139/tcp)
1   ... 30

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.69 seconds
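
Added example (not part of the original walkthrough): a small Python parser for the `-oN` report above that pulls out the open ports, the Service Info line and the SMB signing state, and turns them into the findings a defender would act on. It also shows why the Service Info banner is preferred here over the OS guess, which nmap itself flagged as unreliable. The sample lines are copied from the output above; the function names are this example's own.

```python
import re

# Sample input: lines copied from the nmap -oN output shown above.
SAMPLE = """\
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
|_    Message signing enabled but not required
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

def parse_report(text):
    # Extract open ports, OS evidence and the SMB signing state from -oN text.
    r = {"ports": {}, "os_unreliable": False, "service_os": None,
         "host": None, "smb_signing_required": None}
    for line in (l.strip() for l in text.splitlines()):
        m = PORT_RE.match(line)
        if m:
            r["ports"][int(m.group(1))] = (m.group(3), m.group(4))
        elif line.startswith("Warning: OSScan results may be unreliable"):
            r["os_unreliable"] = True
        elif line.startswith("Service Info:"):
            pairs = line[len("Service Info:"):].split(";")
            info = dict(p.strip().split(": ", 1) for p in pairs if ": " in p)
            r["host"], r["service_os"] = info.get("Host"), info.get("OS")
        elif "Message signing enabled" in line:
            r["smb_signing_required"] = "not required" not in line
    return r

def findings(r):
    # Turn the parsed fields into defender-facing findings.
    out = []
    exposed = sorted(p for p in r["ports"] if p in (135, 139, 445))
    if exposed:
        out.append(f"RPC/SMB reachable on {exposed}: restrict at the firewall")
    if r["smb_signing_required"] is False:
        out.append("SMB signing not required: enforce signing")
    if r["os_unreliable"] and r["service_os"]:
        out.append(f"OS fingerprint unreliable, use service banner: {r['service_os']}")
    if "Windows 7" in r["ports"].get(445, ("", ""))[1]:
        out.append("SMB banner includes Windows 7: verify MS17-010 patch status")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_report(SAMPLE))))
```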

Enumeration Strategy

  1. Check for vulnerabilities in Windows 7 on ports 135, 139 and 445

Hacking Process Part 1 – Enumeration

1.1) Strategy 1: Check for Vulnerabilities

nmap --script vuln -p 135,139,445

Three SMB vulnerabilities were identified:

  1. MS17-010
  2. MS10-061
  3. MS10-054

Hacking Process Part 2 – Exploitation

2.1) Using Metasploit against MS17-010 (SMB) on Windows

Search for MS17-010 modules.

Use the ms17_010_psexec module.

This module does not work on this machine.

Try another module, ms17_010_eternalblue (as the machine name is Blue).

The exploit succeeds and gives access to the Windows machine.

Search for the target file “User.txt” and get the key.

Search for the target file “root.txt” and get the key.
