This is a simple walkthrough for completing the Explosion target machine in Hackthebox.com.
Question: What does the 3-letter acronym RDP stand for?
Answer: Remote Desktop Protocol
Question: What is a 3-letter acronym that refers to interaction with the host through a command line interface?
Question: What about graphical user interface interactions?
Question: What is the name of an old remote access tool that came without encryption by default?
Question: What is the concept used to verify the identity of the remote host with SSH connections?
Answer: Public-Key Cryptography
Question: What is the name of the tool that we can use to initiate a desktop projection to our host using the terminal?
Question: What is the name of the service running on port 3389 TCP?
Question: What is the switch used to specify the target host’s IP address when using xfreerdp?
Remote Desktop Protocol (RDP) is a protocol developed by Microsoft that gives a user a GUI session on another computer over a network connection. The user runs RDP client software for this purpose, while the other computer must run RDP server software. On this box the service is reported as ms-wbt-server, the common name for the service behind Windows Remote Desktop, which listens on the well-known TCP port 3389, much as HTTP, the protocol web browsers commonly use, has its own well-known port.
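As an added illustration of what an ms-wbt-server listener actually speaks on port 3389 (this is example code written for this page, not part of the original walkthrough), the Python below decodes the first two messages of an RDP session: the X.224 Connection Request the client sends and the Connection Confirm the server answers with, as defined in MS-RDPBCGR. The byte strings are constructed, and the cookie value, the reference numbers and the protocol choices in them are assumptions made for the example. This is the point in the handshake where the client's username typically already travels in cleartext (inside the cookie, before any TLS is set up) and where the server reveals whether it will insist on Network Level Authentication.

```python
# Added example, not part of the walkthrough: decode the first exchange between an
# RDP client and an ms-wbt-server listener on TCP/3389, the X.224 Connection
# Request / Connection Confirm that carry the RDP negotiation records
# (MS-RDPBCGR sections 2.2.1.1 and 2.2.1.2). All byte strings are constructed.
import struct

COOKIE_PREFIX = b"Cookie: mstshash="
PROTOCOLS = {0: "PROTOCOL_RDP (standard RDP security, no TLS)",
             1: "PROTOCOL_SSL (TLS)",
             2: "PROTOCOL_HYBRID (CredSSP, i.e. NLA)",
             8: "PROTOCOL_RDSTLS"}
FAILURES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
            3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
            5: "HYBRID_REQUIRED_BY_SERVER",
            6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def _x224_payload(pdu, expected_code):
    """Check the TPKT and X.224 headers and return the variable part after them."""
    if len(pdu) < 11 or pdu[0] != 0x03:
        raise ValueError("not a TPKT-framed PDU")
    (tpkt_len,) = struct.unpack(">H", pdu[2:4])
    if tpkt_len != len(pdu):
        raise ValueError("TPKT length %d does not match %d bytes" % (tpkt_len, len(pdu)))
    li, code = pdu[4], pdu[5]
    if code & 0xF0 != expected_code:
        raise ValueError("unexpected X.224 TPDU code 0x%02x" % code)
    # LI counts every byte after itself: 6 fixed X.224 bytes plus the variable part.
    return pdu[11:5 + li]


def parse_connection_request(pdu):
    """Client -> server: optional cleartext cookie plus the requested security protocols."""
    rest = _x224_payload(pdu, 0xE0)
    cookie = None
    if rest.startswith(COOKIE_PREFIX):
        line, _, rest = rest.partition(b"\r\n")
        cookie = line[len(COOKIE_PREFIX):].decode("ascii", "replace")
    requested = None
    if len(rest) >= 8 and rest[0] == 0x01:          # TYPE_RDP_NEG_REQ
        _type, _flags, length, requested = struct.unpack("<BBHI", rest[:8])
        if length != 8:
            raise ValueError("bad rdpNegReq length")
    return {"cookie": cookie, "requested_protocols": requested}


def parse_connection_confirm(pdu):
    """Server -> client: the protocol it selected, or the reason it refused."""
    rest = _x224_payload(pdu, 0xD0)
    result = {"selected_protocol": None, "failure_code": None}
    if len(rest) >= 8 and rest[0] in (0x02, 0x03):   # TYPE_RDP_NEG_RSP / NEG_FAILURE
        rtype, _flags, _length, value = struct.unpack("<BBHI", rest[:8])
        if rtype == 0x02:
            result["selected_protocol"] = value
        else:
            result["failure_code"] = value
    return result


def describe_server(confirm):
    """The reading a defender cares about: is NLA in play, or only legacy security?"""
    if confirm["failure_code"] is not None:
        return "connection refused: %s" % FAILURES.get(confirm["failure_code"], "unknown failure")
    proto = confirm["selected_protocol"]
    if proto is None:
        return "legacy server: no negotiation record, standard RDP security only"
    return "server selected %s" % PROTOCOLS.get(proto, "unknown protocol %d" % proto)


# Constructed client request: a cookie carrying the client's local username
# (sent before any TLS), requesting TLS (1) | NLA (2) = 3.
CLIENT_CR = (b"\x03\x00\x00\x2a\x25\xe0\x00\x00\x00\x00\x00"
             + COOKIE_PREFIX + b"kali\r\n"
             + b"\x01\x00\x08\x00\x03\x00\x00\x00")
# Constructed server answers: accepts NLA; refuses because NLA is required;
# legacy server that sends no negotiation record at all.
SERVER_CC_NLA = b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00\x02\x00\x08\x00\x02\x00\x00\x00"
SERVER_CC_NLA_REQUIRED = b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00\x03\x00\x08\x00\x05\x00\x00\x00"
SERVER_CC_LEGACY = b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00"

if __name__ == "__main__":
    print("client:", parse_connection_request(CLIENT_CR))
    for pdu in (SERVER_CC_NLA, SERVER_CC_NLA_REQUIRED, SERVER_CC_LEGACY):
        print("server:", describe_server(parse_connection_confirm(pdu)))
```

Reading the confirm is what tells you, from the network side, whether a host will hand a GUI logon prompt to anyone who connects (no NLA, as the certificate-then-password flow later in this walkthrough implies) or will demand credentials through CredSSP before any session is created.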
We can use xfreerdp to connect to the target. Make sure you have the required software installed. This can be accomplished by the following command:
$ sudo apt install freerdp2-x11
Next, we can connect by using the following command:
$ xfreerdp /v:10.129.1.13
You will be prompted to enter Y to accept the server's certificate. After the certificate is accepted, the next prompt asks for the domain name. We can try the name of the HackTheBox machine (Explosion) here, since it is the closest hint we have to what the domain name might be. For the password, we can just press Enter to see whether the system is misconfigured with no password at all.
We received a connection error with the domain Explosion and an empty password. Digging a little deeper into xfreerdp shows that if we do not give the command a specific username, it defaults to the username of our own host machine, which we know will not be valid login credentials here.
We can now try a series of commonly known usernames for admin access, for instance admin, Administrator, root or user.
Let’s try Administrator and no password.
The default credentials worked and we were able to log in to this misconfigured target machine. The flag file is on the desktop.
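What the session above would leave behind on the target is worth seeing from the other side. The following Python is an added example, not part of this walkthrough, that picks out of Windows Security audit records the two traces this kind of access produces: a few failed logons from one address, then a successful RemoteInteractive (RDP) logon as the built-in Administrator from that same address. The records are modelled as dicts in the shape a SIEM export of event IDs 4624 and 4625 usually has; every record, address, account name and timestamp below is constructed for the example, not captured from any host.

```python
# Added example, not part of the walkthrough: flag, in constructed Windows Security
# audit data, failed logons from one address followed by a successful RDP logon
# (LogonType 10) as the built-in Administrator from that address.
from datetime import datetime, timedelta

LOGON_SUCCESS, LOGON_FAILURE = 4624, 4625
REMOTE_INTERACTIVE = "10"                 # LogonType 10 = RDP / Terminal Services
BUILTIN_ADMINS = {"administrator"}        # extend with any renamed admin accounts
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}
SUBSTATUS = {"0xc0000064": "user does not exist",   # NTSTATUS values in 4625 SubStatus
             "0xc000006a": "wrong password"}

SAMPLE_EVENTS = [  # constructed records; 10.10.14.2 stands in for the connecting host
    {"EventID": 4625, "TimeCreated": "2021-06-01T10:00:01", "TargetUserName": "kali",
     "LogonType": "10", "IpAddress": "10.10.14.2", "SubStatus": "0xc0000064"},
    {"EventID": 4625, "TimeCreated": "2021-06-01T10:00:40", "TargetUserName": "admin",
     "LogonType": "10", "IpAddress": "10.10.14.2", "SubStatus": "0xc0000064"},
    {"EventID": 4624, "TimeCreated": "2021-06-01T10:01:15", "TargetUserName": "Administrator",
     "LogonType": "10", "IpAddress": "10.10.14.2"},
    {"EventID": 4624, "TimeCreated": "2021-06-01T09:30:00", "TargetUserName": "svc_backup",
     "LogonType": "3", "IpAddress": "10.129.1.20"},
]


def _when(event):
    return datetime.fromisoformat(event["TimeCreated"])


def remote_admin_rdp_logons(events):
    """Successful RDP logons as a built-in admin from anywhere other than the console."""
    return [e for e in events
            if e["EventID"] == LOGON_SUCCESS
            and e["LogonType"] == REMOTE_INTERACTIVE
            and e["TargetUserName"].lower() in BUILTIN_ADMINS
            and e["IpAddress"] not in LOCAL_SOURCES]


def guess_then_success(events, window=timedelta(minutes=10), min_failures=2):
    """Per source address: at least min_failures 4625s inside `window` before a 4624."""
    findings = []
    ordered = sorted(events, key=_when)
    for i, hit in enumerate(ordered):
        if hit["EventID"] != LOGON_SUCCESS or hit["IpAddress"] in LOCAL_SOURCES:
            continue
        start = _when(hit) - window
        # Failures are matched on source address only; their LogonType is not
        # checked because it varies with whether the host enforces NLA.
        prior = [e for e in ordered[:i]
                 if e["EventID"] == LOGON_FAILURE
                 and e["IpAddress"] == hit["IpAddress"]
                 and _when(e) >= start]
        if len(prior) >= min_failures:
            findings.append({
                "ip": hit["IpAddress"],
                "failures": len(prior),
                "tried": [e["TargetUserName"] for e in prior],
                "reasons": sorted({SUBSTATUS.get(e.get("SubStatus", "").lower(), "other")
                                   for e in prior}),
                "logged_in_as": hit["TargetUserName"],
            })
    return findings


if __name__ == "__main__":
    for e in remote_admin_rdp_logons(SAMPLE_EVENTS):
        print("ALERT built-in admin over RDP:", e["TargetUserName"], "from", e["IpAddress"])
    for f in guess_then_success(SAMPLE_EVENTS):
        print("ALERT username guessing followed by success:", f)
```

On hosts that enforce NLA, credential failures typically surface as LogonType 3 (network) rather than 10, which is why the failure filter keys on the source address and event ID only. The two checks are deliberately separate: the first fires on any remote built-in-admin RDP logon, which on a host that should never see one is enough on its own, while the second needs the preceding failures and so also catches ordinary accounts.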