Hack The Box — Explosion
HTB Tags: #Windows #Network #AccountMisconfiguration.
This is the fourth box in the Starting Point series, the first of the non-free VIP boxes and another MS Windows challenge. This time the focus is on the Remote Desktop Protocol (RDP). So let's start by enumerating as normal with a standard run of ping and nmap.
ping $IP -c 4
nmap -sC -sV -A $IP -p-
We have a lot to look through and a lot of information to validate. Again, sites such as https://www.speedguide.net/port.php?port=3389 will help to explain the RDP port more thoroughly.
We could look through the Samba ports, but on our initial review of them we got NT_STATUS_ACCESS_DENIED during connection. This now directs us to port 3389.
remote desktop protocol
There are a large number of RDP applications available to use, both free and at cost; however, the default Kali build comes with the application xfreerdp. From its Linux man page:
xfreerdp is an X11 Remote Desktop Protocol (RDP) client which is part of the FreeRDP project. An RDP server is built-in to many editions of Windows.
In this case, as we have not found any username:passwords, the login details were provided. Remember these are training challenges, the next ones may not be as easy!
xfreerdp /v:$IP /cert:ignore /u:Administrator
For this terminal command we have:
/cert:ignore simply ignores the server certificate check.
/u sets the username; the details can include a domain.
As already mentioned, we were given the Administrator details (no password), so hitting return at the password prompt opened a new remote desktop session:
Closing the initial menu window revealed the flag.txt file on the Desktop, which was opened by double clicking with the mouse.
As much as this is advertised as a very easy challenge, we have been made aware of a new graphical method of exploiting the targets, assuming of course that we have found the username:password combinations.
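From the defender's side, the account misconfiguration used above can be audited on the Windows host itself. The script below is an added example, not part of the original write-up; it assumes an elevated Windows PowerShell 5.1 session on the machine being checked and reads only standard Windows registry values and the built-in Get-LocalUser cmdlet.

```powershell
# Added example (not from the original write-up): local audit of the settings
# that decide whether a blank-password account can log on over RDP.
# Assumes an elevated Windows PowerShell 5.1 session on the host being checked.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is missing instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$findings = New-Object System.Collections.Generic.List[string]

# fDenyTSConnections = 0 means Remote Desktop connections are accepted.
$rdpEnabled = (Get-RegValue $ts 'fDenyTSConnections') -eq 0
if ($rdpEnabled) { $findings.Add('Remote Desktop is enabled (TCP 3389 by default).') }

# "Accounts: Limit local account use of blank passwords to console logon only".
# 1 (the Windows default) refuses remote logons for blank-password local accounts.
if ((Get-RegValue $lsa 'LimitBlankPasswordUse') -ne 1) {
    $findings.Add('LimitBlankPasswordUse is not set to 1: blank-password accounts may log on remotely.')
}

# UserAuthentication = 1 requires Network Level Authentication before a session starts.
if ((Get-RegValue $rdp 'UserAuthentication') -ne 1) {
    $findings.Add('Network Level Authentication is not required for RDP.')
}

# Enabled local accounts that are allowed to have no password at all.
$weak = Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired }
foreach ($u in $weak) {
    $findings.Add("Enabled account '$($u.Name)' does not require a password (last set: $($u.PasswordLastSet)).")
}

if ($findings.Count -eq 0) {
    'No blank-password RDP exposure found by these checks.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

A host that reports both an enabled password-less account and a LimitBlankPasswordUse value other than 1 is in the state this box demonstrates; setting a strong password on the account and restoring the policy to 1 closes it.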