The aim of this walkthrough is to provide help with the Explosion machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.
It belongs to a series of tutorials that aim to help out complete beginners with finishing the Starting Point TIER 0 challenges.
There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.
Once our connection is taken care of, we spawn the target machine.
Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host’s IP address. Once set, we can easily access it by prepending a $ to our variable name.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $rhost=<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $ echo $rhost
<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
You could use the unset command to remove it after you no longer need it.
┌─[✗]─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $unset rhost
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
Question: What does the 3-letter acronym RDP stand for?
Look up RDP on the internet.
remote desktop protocol
Question: What is a 3-letter acronym that refers to interaction with the host through a command line interface?
Use the hint feature to get a better understanding of the question.
Question: What about graphical user interface interactions?
The answer should be quite straightforward after the previous task.
Question: What is the name of an old remote access tool that came without encryption by default and listens on TCP port 23?
Use the internet to look up port 23.
Question: What is the name of the service running on port 3389 TCP?
Run the default nmap scan against the target machine.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $nmap $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 19:20 BST
Nmap scan report for 10.129.1.13
Host is up (0.051s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
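Read from the defender's side, the same scan report is what an exposure review looks for. The script below is an added example, not part of the original walkthrough: it parses nmap's normal output and flags open telnet (23) and RDP (3389) ports, the two remote access services discussed above. The function names and the watchlist notes are assumptions; the sample input is the scan report shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the walkthrough): flag exposed remote access
# services in nmap "normal" output. Names and notes are assumptions.

# The scan report from the walkthrough, embedded as sample input.
sample_scan() {
cat <<'EOF'
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 19:20 BST
Nmap scan report for 10.129.1.13
Host is up (0.051s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds
EOF
}

# Reads nmap normal output on stdin. Prints "host port service - note" for
# every port that is open and on the watchlist; other states are ignored.
flag_remote_access() {
  awk '
    BEGIN {
      note["23/tcp"]   = "telnet: no encryption by default, replace with SSH"
      note["3389/tcp"] = "RDP: verify no account accepts a blank password"
    }
    # Header is "... for <ip>" or "... for <name> (<ip>)"; keep the address.
    /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); next }
    # Port table rows look like "3389/tcp open ms-wbt-server".
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && ($1 in note) {
      printf "%s %s %s - %s\n", host, $1, $3, note[$1]
    }
  '
}

# Stand-alone run: triage the embedded report.
sample_scan | flag_remote_access
```

To triage a saved report instead of the embedded sample, feed the file to the function on stdin.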
Question: What is the switch used to specify the target hosts IP address when using xfreerdp?
List the xfreerdp command options and their usage with the --help option.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $xfreerdp --help
...
/v:<server>[:port] Server hostname
...
Question: What username successfully returns a desktop projection to us with a blank password?
Well, similarly to the default credentials on Linux (like root:root | root:password | user:password | kali:kali ...), there are some for Windows too.
Here are some notable examples: Username:Password | Administrator:Administrator ... Since the flag in the last task requires root privileges, Administrator is the only Windows equivalent we have. Simply press Enter when prompted for a password.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $xfreerdp /u:Administrator /v:$rhost
...
Question: Submit root flag
Once logged in on the remote Windows machine, you will find the file containing the flag on your Desktop.
Make sure to terminate the target box before you continue with the next machine!