In this post I cover the solution steps for the "Explosion" machine, which is part of the 'Starting Point' labs and has a difficulty rating of 'Very Easy'. It is a VIP machine, so you need to upgrade from the free plan to spawn it.
Introduction
Remote access software is a legitimate way to connect to other hosts to perform actions or offer support. Interaction with a remote access tool is either CLI-based (Command Line Interface) or GUI-based (Graphical User Interface). On Windows hosts, GUI-based remote access is normally built on RDP (Remote Desktop Protocol), which listens on port 3389 TCP (and, in newer versions, 3389 UDP as well). Whether you use the built-in Remote Desktop client or a third-party one, the protocol underneath is the same; the difference is only in how the relayed session is presented to the end-user.
Command Line Interface-based Remote Access Tools have been around forever. A rudimentary example is Telnet, which was explored briefly in the Meow machine. In its basic configuration, Telnet is considered insecure because it does not encrypt the data it carries. An attacker with access to a network TAP (Traffic Access Point), or any other position on the path, can intercept the packets of a Telnet session and read their contents in clear text: login credentials, sensitive files, or anything else. Telnet, which listens on port 23 TCP by default, has largely been replaced by its secure counterpart, SSH, which listens on port 22 TCP by default.
SSH, which stands for Secure Shell, adds authentication and encryption to the communication model, making it a much safer way to perform remote access and remote file transfers. Today it is used for patch delivery, file transfers, log shipping, and remote management.
SSH uses public-key cryptography to verify the remote host's identity, and the communication model is Client-Server, as seen previously with FTP, SMB, and other services. During the key exchange the client checks the server's host key against the copy it has stored (the known_hosts file); a key it has never seen before is accepted only after the user confirms its fingerprint, so the protection against an impostor server depends on that first check actually being done. Once the session keys are established, symmetric ciphers and message authentication codes (or an authenticated-encryption cipher) protect the confidentiality and integrity of the data sent over the tunnel.
To see the remote host's display, one can use a client such as xfreerdp, which is launched from the command line but renders the remote GUI. Tools such as this are called Remote Desktop Tools, even though they belong to the broader Remote Access family.
See Hack the Box - Meow for how to connect to the VPN and spawn the machine.
TASK 1: What does the 3-letter acronym RDP stand for? Answer: Remote Desktop Protocol
TASK 2: What is a 3-letter acronym that refers to interaction with the host through a command line interface? Answer: CLI
TASK 3: What about graphical user interface interactions? Answer: GUI
TASK 4: What is the name of an old remote access tool that came without encryption by default and listens on TCP port 23? Answer: telnet
TASK 5: What is the name of the service running on port 3389 TCP? Answer: ms-wbt-server (the service name nmap assigns to the Microsoft Terminal Services port)
TASK 6: What is the switch used to specify the target host's IP address when using xfreerdp? Answer: /v:
TASK 7: What username successfully returns a desktop projection to us with a blank password? Answer: Administrator
Submit Flag:
We start, as always, with an nmap scan, which shows an open port running RDP. The scan is run with the version-detection switch enabled to determine the exact versions of the services on the open ports, which helps pin down the target's operating system and reveals any additional potential vulnerabilities due to outdated software.
sudo nmap {target_IP} -Pn -sV -A
or
sudo nmap -sV {target_IP}
-Pn : Treat the host as online and skip host discovery. Windows hosts often drop ICMP echo requests, so without this switch nmap may report the target as down and scan nothing.
-sV : Probe open ports to determine service/version info.
-A : Enable aggressive scan options: OS detection, version detection, script scanning, and traceroute. It is slower and noisier than -sV alone.
It is always a good idea to research the ports found in order to understand the big picture. SpeedGuide is a good resource for those just starting out with their networking basics and interested in understanding more common ports at a glance.
The SpeedGuide entry for port 3389 TCP says it is typically used for Windows Remote Desktop and Remote Assistance connections (over RDP, Remote Desktop Protocol). We can quickly check for misconfigured access control by attempting to connect to this port without any valid credentials, which tells us whether the service allows guest or anonymous connections.
If you need to install xfreerdp, use whichever of the following packages your distribution provides (FreeRDP 2 or FreeRDP 3 on Debian, Ubuntu and Kali):
sudo apt-get install freerdp2-x11
sudo apt-get install freerdp3-x11
Note that the FreeRDP 3 package may install the client binary under a versioned name such as xfreerdp3 rather than xfreerdp, so check which name your package provides before running the commands below.
We can first try to form an RDP session with the target by supplying nothing but the target IP address. Without a /u: switch, xfreerdp uses your local username as the login name for the RDP session and prompts for a password, which is a quick test of whether guest or default logins are possible.
/v:{target_IP} : Specifies the target IP of the host we would like to connect to.
We can try a myriad of other default accounts, such as user, admin, Administrator, and so on. In reality, this would be a time-consuming process. I tried with the username Administrator. We also tell the client to ignore the server's TLS certificate: RDP hosts usually present a self-signed certificate, which would otherwise fail validation or trigger a trust prompt. Keep in mind that this disables the only check protecting the session against a man-in-the-middle, so it is acceptable in a lab but not against production systems. When the client prompts for a password, press Enter to send a blank one. The switches we need with xfreerdp to connect to our target in this scenario are:
/cert:ignore : Tells the client to accept the server's certificate without validating it.
/u:Administrator : Specifies the login username to be "Administrator".
/v:{target_IP} : Specifies the target IP of the host we would like to connect to.
Once the desktop appears, there is a file named flag on the Administrator's desktop; open it to read the flag value. Congratulations, we have successfully retrieved the flag.
On submitting it you will receive the message "Explosion has been Pwned".
Credits: HTB Official Write-up
Dear Gentle Reader, feel free to reach out for queries and feedback. 🥷