The aim of this walkthrough is to provide help with the Explosion machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.
It belongs to a series of tutorials that aim to help out complete beginners with finishing the Starting Point TIER 0 challenges.
SETUP
There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.
Once our connection is taken care of, we spawn the target machine.
Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host’s IP address. Once set, we can easily access it by prepending a $ to our variable name.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $rhost=<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $ echo $rhost
<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
You could use the unset command to remove it after you no longer need it.
┌─[✗]─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $unset rhost
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
TASK 1
Question: What does the 3-letter acronym RDP stand for?
Look up RDP on the internet.
remote desktop protocol
TASK 2
Question: What is a 3-letter acronym that refers to interaction with the host through a command line interface?
Use the hint feature to get a better understanding of the question.
cli
TASK 3
Question: What about graphical user interface interactions?
The answer should be quite straightforward after the previous task.
gui
TASK 4
Question: What is the name of an old remote access tool that came without encryption by default and listens on TCP port 23?
Use the internet to look up port 23.
telnet
TASK 5
Question: What is the name of the service running on port 3389 TCP?
Run the default nmap scan against the target machine.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $nmap $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 19:20 BST
Nmap scan report for 10.129.1.13
Host is up (0.051s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
ms-wbt-server
TASK 6
Question: What is the switch used to specify the target host's IP address when using xfreerdp?
List the xfreerdp command options and their usage with the --help option.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $xfreerdp --help
...
/v:<server>[:port] Server hostname
...
/v:
TASK 7
Question: What username successfully returns a desktop projection to us with a blank password?
Well, similarly to the default credentials on Linux (like root:root | root:password | user:password | kali:kali ...), there are some for Windows too.
Here are some notable examples: Username:Password | Administrator:Administrator ... Since the flag in the last task requires root privileges, Administrator is the only Windows equivalent we have. Simply press Enter when prompted for a password.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $xfreerdp /u:Administrator /v:$rhost
...
Administrator
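The logon above succeeds only when the Windows host allows a blank-password account to sign in over RDP. The following read-only audit is an added example, not part of the original walkthrough or of Hack The Box material; it checks the settings involved on a Windows host you administer, and the helper name Get-RegValue and the finding texts are made up for illustration.

```powershell
# Added example: read-only audit, run from an elevated PowerShell session
# on the Windows host being checked. Nothing is changed on the system.

function Get-RegValue {            # hypothetical helper name
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$findings = @()

# 1. fDenyTSConnections = 0 means the host accepts RDP connections (port 3389 by default).
if ((Get-RegValue $ts 'fDenyTSConnections') -eq 0) {
    $findings += 'RDP is enabled (fDenyTSConnections = 0).'
}

# 2. UserAuthentication = 0 means Network Level Authentication is not required,
#    so the logon screen is reachable before any credential is verified.
if ((Get-RegValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication') -eq 0) {
    $findings += 'NLA is not required for RDP (UserAuthentication = 0).'
}

# 3. LimitBlankPasswordUse = 1 (the Windows default) restricts blank-password
#    local accounts to console logon. 0 lets them log on remotely as well.
if ((Get-RegValue $lsa 'LimitBlankPasswordUse') -eq 0) {
    $findings += 'Blank-password accounts may log on remotely (LimitBlankPasswordUse = 0).'
}

# 4. Enabled local accounts that are allowed to have no password at all.
$weak = Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired }
foreach ($u in $weak) {
    $findings += "Account '$($u.Name)' is enabled and does not require a password."
}

if ($findings.Count -eq 0) {
    'No findings.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Any finding from checks 3 or 4 on a host that also reports check 1 describes the condition this task relies on; giving every enabled account a password and keeping LimitBlankPasswordUse at 1 closes it.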
SUBMIT FLAG
Question: Submit root flag
Once logged in on the remote Windows machine, you will find the file containing the flag on your Desktop.
flag
Make sure to terminate the target box before you continue with the next machine!