Explosion (Tier 0)

Description

  • Tier -> 0

  • Difficulty -> Very Easy

  • OS -> Windows

  • Tags -> Programming / RDP / Reconnaissance / Weak Credentials

Write-up

  • With a little research, I started answering the first questions

Answer: Remote Desktop Protocol


Answer: cli


Answer: gui


Answer: telnet


Answer: nmap


  • Then I continued doing an initial port scan of the machine using Nmap

nmap 10.129.1.13 -p- -Pn --min-rate 2500 -oN scan.txt

  • With this and a little research, I answered the next questions

Answer: ms-wbt-server


Answer: /v:


  • Then I did an exhaustive scan of the ports found to get information about the running services

nmap 10.129.1.13 -p135,139,445,3389,5985,47001 -sVC -oN serv_scan.txt

  • I observed the RDP protocol was running on port 3389, so I tried to access it using the xfreerdp tool. But as I was only able to provide the IP, it asked for a domain and password which I didn't have. So I tried to log in using common credentials, and when using administrator as username I could log in providing a blank password, gaining remote access to the machine as a privileged user

xfreerdp /v:10.129.1.13
xfreerdp /v:10.129.1.13 /u:administrator

  • With this, I answered the next question

Answer: administrator


  • Once inside, I saw on the Desktop there was a file named flag which seemed to be a text file, so I opened it to look at its content, and with this, I retrieved the root flag


  • With this, I got the root flag and pwned the machine

Answer: 951fa96d7830c451b536be5a6be008a0
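
The administrator logon with a blank password over RDP described above depends on a handful of host settings. The following is an added example, not part of the original write-up: a read-only PowerShell audit to run locally on a Windows host. It assumes the built-in LocalAccounts cmdlets (Get-LocalUser) are available; the helper name Get-RegValue is hypothetical.

```powershell
# Added example: audit the settings behind a blank-password RDP logon.
# Run locally in an elevated PowerShell session. It only reads settings.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"

$findings = @()

# 1 = local accounts with a blank password are limited to console logon.
# 0 = such accounts can also be used remotely.
$limitBlank = Get-RegValue $lsa 'LimitBlankPasswordUse'
if ($limitBlank -ne 1) {
    $findings += "LimitBlankPasswordUse is '$limitBlank' (expected 1)"
}

# 0 = Remote Desktop connections are accepted.
if ((Get-RegValue $ts 'fDenyTSConnections') -eq 0) {
    $findings += 'Remote Desktop is enabled (fDenyTSConnections = 0)'
    # 1 = Network Level Authentication is required before a session starts.
    if ((Get-RegValue $rdp 'UserAuthentication') -ne 1) {
        $findings += 'NLA is not required for RDP (UserAuthentication is not 1)'
    }
}

# Enabled local accounts that are permitted to have no password.
# This flag does not prove the password is empty; treat hits as review items.
Get-LocalUser |
    Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
    ForEach-Object {
        $findings += "Account '$($_.Name)' is enabled with PasswordRequired = False"
    }

if ($findings.Count -eq 0) {
    'No blank-password RDP exposure found in the checked settings.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

An account can still have an empty password while PasswordRequired is True if the password policy allows a minimum length of 0, so the account check complements the policy check rather than replacing it.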
