NodeZero vs Hack-the-Box Blue

Hack the Box – Blue

NodeZero  |  August 27, 2021  |  Attack Paths

The Blue machine on Hack The Box demonstrates how legacy SMB vulnerabilities can lead to full system compromise. NodeZero exploited EternalBlue to gain system-level access and extracted Administrator and user credentials from the SAM database, highlighting the risks of unpatched Windows systems.

TL;DR

NodeZero obtained system-level privileges on Blue by exploiting the family of critical Windows SMB vulnerabilities known as EternalBlue. During post-exploitation, it acquired credentials for the Administrator and haris users by dumping the Windows Security Account Manager (SAM) database.

Timeline of Notable Events

Attack Graph

This is the attack graph that represents what NodeZero did. A detailed walkthrough follows below.

Full Path Diagram

Walkthrough

Enumeration

2:49:08 AM UTC – NodeZero began the assessment with the provided target IP address: 10.10.10.40.

It confirmed the machine was live using an nmap ping sweep. It then ran TCP and UDP port scans with nmap and found the following open ports:

Blue ports

The Windows SMB port 445 stood out, and I ran further probes against it.

2:49:33 AM UTC – NodeZero fingerprinted the operating system as Windows 7 using crackmapexec. It also noted that SMB signing was disabled—not helpful for this particular assessment but potentially useful when attacking larger networks.

SMB Signing Disabled

2:49:37 AM UTC – NodeZero discovered that the Windows Guest user could read the Users and Share shares. It found 58 files but none were particularly interesting.

Guest Access

2:49:56 AM UTC – While running a full-port TCP scan, NodeZero began scanning the SMB port for major vulnerabilities using nmap and discovered that the machine was vulnerable to EternalBlue.

Exploitation

What’s commonly referred to as EternalBlue is actually a collection of multiple critical Windows SMB vulnerabilities, logged as CVE-2017-0143 through CVE-2017-0148. The EternalBlue family also includes EternalChampion, EternalSynergy, and EternalRomance.

Four years after their disclosure by the Shadow Brokers and their widespread exploitation by the WannaCry and NotPetya ransomware worms, NodeZero noted that EternalBlue still appears frequently during internal penetration tests. Successful exploitation leads directly to system-level privileges on a vulnerable host, allowing an attacker not only to fully compromise the machine but also to acquire credentials and data useful for lateral movement.

The Metasploit Framework includes multiple off-the-shelf exploits for EternalBlue.

MSF EternalBlue

Of these exploits, the first and second options, the exploit/windows/smb/ms17_010_eternalblue and exploit/windows/smb/ms17_010_eternalblue_win8 modules, are kernel-level exploits that carry a risk of causing a blue screen. While this risk is acceptable in lab environments like Hack The Box, NodeZero noted that it would not use such an exploit in a real-world test without prior approval.

Instead, NodeZero first ran the auxiliary/admin/smb/ms17_010_command Metasploit module. This module leverages a combination of EternalChampion, EternalSynergy, and EternalRomance vulnerabilities to run an arbitrary command on the target via psexec, a technique for executing processes remotely.

According to the Metasploit documentation, this module is more reliable and safer than the kernel exploits mentioned earlier. It is especially useful when a named pipe is accessible for anonymous login, a condition often met on systems vulnerable to EternalBlue—particularly in pre-Vista environments and domain-joined machines.

Even when named pipes aren’t accessible to anonymous users initially, NodeZero noted that gaining some level of credentialed access (such as Guest or any domain user) often makes the attack feasible.

2:50:09 AM UTC – NodeZero ran the ms17_010_command module with the whoami command to confirm exploitability.

Blue Proof

Post-Exploitation

The next step was to gain an interactive shell on the target to extract data from the host.

NodeZero used the exploit/windows/smb/ms17_010_psexec module, which works similarly to the ms17_010_command module but establishes a reverse shell instead of just executing a single command.

2:52:10 AM UTC – It launched the ms17_010_psexec module using the standard meterpreter payload. Inside the meterpreter session, it ran the post/windows/gather/hashdump module to dump the target’s SAM database.

2:54:36 AM UTC – NodeZero obtained NTLM hashes for the Administrator and haris users.

2:54:41 AM UTC – NodeZero used crackmapexec to verify the Administrator hash by “passing the hash” to authenticate to the SMB service.

Verify Admin

2:54:52 AM UTC – It did the same for the haris user.

Verify Haris

2:55:07 AM UTC – NodeZero attempted to dump credentials stored in the Local Security Authority Subsystem Service (LSASS) using crackmapexec and the Administrator credentials. This did not yield any new credentials.

While these credentials may not be meaningful in a CTF environment, NodeZero noted that they are extremely valuable for lateral movement in real-world assessments.
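As an added defensive example (not part of NodeZero's assessment or Horizon3's tooling), the Python below correlates constructed Windows event records to surface the post-exploitation pattern described above: an NTLM network logon of a privileged account from a remote host, followed within seconds by a new service installation, which is how psexec-style execution and pass-the-hash logons typically appear in host logs. The event field names are simplified and assumed; the sample timestamps and service names are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs), in logged order.
# 4624 = successful logon (Security log); 7045 = new service installed (System log).
SAMPLE_EVENTS = [
    {"ts": "2021-08-27 02:40:00", "id": 4624, "logon_type": 2, "auth": "Kerberos",
     "user": "haris", "src_ip": "127.0.0.1"},
    {"ts": "2021-08-27 02:52:10", "id": 4624, "logon_type": 3, "auth": "NTLM",
     "user": "Administrator", "src_ip": "10.10.14.7"},
    {"ts": "2021-08-27 02:52:12", "id": 7045, "service": "rQkLtYzM",
     "image": r"%SYSTEMROOT%\rQkLtYzM.exe"},
    {"ts": "2021-08-27 02:54:41", "id": 4624, "logon_type": 3, "auth": "NTLM",
     "user": "Administrator", "src_ip": "10.10.14.7"},
    {"ts": "2021-08-27 02:54:52", "id": 4624, "logon_type": 3, "auth": "NTLM",
     "user": "haris", "src_ip": "10.10.14.7"},
    {"ts": "2021-08-27 03:30:00", "id": 7045, "service": "Backup Agent",
     "image": r"C:\Program Files\Vendor\agent.exe"},
]

PRIVILEGED = {"Administrator"}   # assumed: the local accounts worth alerting on
WINDOW = timedelta(seconds=60)   # assumed: logon-to-service-install correlation window


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_remote_ntlm_logon(ev):
    # Network logon (type 3) authenticated with NTLM from a non-loopback source.
    # Note: this alone does not prove pass-the-hash; a normal password-based
    # NTLM logon looks the same, so tune with known admin workstations.
    return (ev["id"] == 4624 and ev["logon_type"] == 3
            and ev["auth"] == "NTLM" and not ev["src_ip"].startswith("127."))


def detect(events):
    """Return (rule, user, detail) findings from an ordered event list."""
    findings, recent_logons = [], []
    for ev in events:
        t = parse_ts(ev["ts"])
        if is_remote_ntlm_logon(ev):
            recent_logons.append((t, ev))
            if ev["user"] in PRIVILEGED:
                findings.append(("remote_ntlm_admin_logon", ev["user"], ev["src_ip"]))
        elif ev["id"] == 7045:
            # A service appearing right after a remote NTLM logon matches the
            # psexec pattern: a service binary is installed to run the payload.
            for lt, lev in recent_logons:
                if timedelta(0) <= t - lt <= WINDOW:
                    findings.append(("service_after_remote_logon", lev["user"], ev["service"]))
                    break
    return findings
```

On the sample data the detector flags both Administrator NTLM logons and the service installed two seconds after the first one, while the later vendor agent install and the local haris logon are left alone.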

3:00:20 AM UTC – NodeZero completed the assessment.

Conclusion

Even though EternalBlue was disclosed four years ago, NodeZero still frequently encounters it during internal pentests—typically on overlooked or hard-to-patch systems. It urged organizations to patch not only production systems, but also lab and test environments, as attackers may use those assets to pivot toward more critical systems.
