Hack The Box — Explosion

James Pearson
3 min read · Jan 30, 2022


HTB Tags: #Windows #Network #AccountMisconfiguration.

This is the fourth in the Starting Point series, the first of the non-free VIP boxes, and another MS Windows challenge. This time the focus is on the Remote Desktop Protocol (RDP). So let’s start by enumerating as normal with a standard run of ping and nmap.

ping

ping $IP -c 4

nmap

nmap -sC -sV -A $IP -p-

We have a lot to look through and a lot of information to validate. Again, sites such as https://www.speedguide.net/port.php?port=3389 help to explain the RDP port more thoroughly.

We could look through the SMB ports, but on our initial review of them we got NT_STATUS_ACCESS_DENIED during connection. This directs us to port 3389.

remote desktop protocol

There are a large number of RDP applications available to use, both free and at cost; however, the default Kali build comes with the application xfreerdp. From its Linux man page:

xfreerdp is an X11 Remote Desktop Protocol (RDP) client which is part of the FreeRDP project. An RDP server is built-in to many editions of Windows.

In this case, as we have not found any username:password pairs, the login details were provided. Remember these are training challenges; the next ones may not be as easy!

xfreerdp /v:$IP /cert:ignore /u:Administrator

For this terminal command we have:

  • /v Server hostname
  • /cert:ignore Ignores the server certificate check
  • /u Username; can include a domain.

As already mentioned, we were given the Administrator details (no password), so hitting return opened a new remote desktop session:

Closing the initial menu window revealed the flag.txt file on the Desktop, which was opened by double clicking with the mouse.
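From the defender's side, the conditions this box relies on (an enabled account that needs no password, reachable over RDP) can be checked on a Windows host. The following PowerShell audit is an added example, not part of the original write-up; the function name Get-RdpBlankPasswordFinding is made up for illustration, and it assumes an elevated PowerShell 5.1+ session on the host being checked.

```powershell
# Added example (not from the original post): audit the local host for the
# account misconfiguration this walkthrough depends on.
# Get-RdpBlankPasswordFinding is a hypothetical name chosen for this example.
function Get-RdpBlankPasswordFinding {
    $findings = @()

    # Enabled local accounts flagged as not requiring a password.
    # PasswordRequired = $false means a blank password is permitted,
    # not proof that the current password is blank.
    $users = Get-LocalUser
    foreach ($u in $users | Where-Object { $_.Enabled -and -not $_.PasswordRequired }) {
        $findings += "Enabled account '$($u.Name)' does not require a password"
    }

    # Built-in Administrator is the account whose SID ends in RID 500.
    $admin = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($admin -and $admin.Enabled) {
        $findings += "Built-in Administrator ('$($admin.Name)') is enabled"
    }

    # "Accounts: Limit local account use of blank passwords to console logon only".
    # 1 = blank-password accounts cannot log on over the network or RDP.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.LimitBlankPasswordUse -ne 1) {
        $findings += 'LimitBlankPasswordUse is not 1: blank passwords usable remotely'
    }

    # fDenyTSConnections = 0 means Remote Desktop is enabled.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ($ts.fDenyTSConnections -eq 0) {
        $findings += 'Remote Desktop is enabled (fDenyTSConnections = 0)'

        # UserAuthentication = 1 means Network Level Authentication is required.
        $rdpTcp = Get-ItemProperty -Path `
            'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
        if ($rdpTcp.UserAuthentication -ne 1) {
            $findings += 'Network Level Authentication is not required for RDP'
        }
    }

    return $findings
}

$result = Get-RdpBlankPasswordFinding
if ($result) { $result | ForEach-Object { Write-Output "[!] $_" } }
else         { Write-Output 'No blank-password / RDP exposure findings.' }
```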

summary

As much as this is advertised as a very easy challenge, we have been made aware of a new graphical method of exploiting the targets, assuming of course that we have found the username:password combinations.


James Pearson

20 + years in an IT environment, working for companies such as Synstar, HP, DXC and Capgemini in a number of different service areas. Now a cyber CTF addict.