Hack The Box Lab: Exploring Remote Desktop Exploitation

Dr. Jaber Kakar
Sep 29, 2023


Starting Point — Tier 0 — Explosion Lab

As cybersecurity enthusiasts, we often find ourselves navigating through the complex world of network penetration testing. Today, we’ll delve into the “Explosion” lab on Hack The Box (HTB), a very easy-tier challenge that explores remote desktop exploitation. This lab is perfect for those starting their journey into cybersecurity, as it covers fundamental concepts and tools.

Lab Overview

  • Target IP: target_IP (Make sure to replace target_IP with the respective IP of the target machine.)

In this lab, we will address the following key questions and tasks:

  1. Task 1: What does the 3-letter acronym RDP stand for?
  2. Task 2: What is a 3-letter acronym that refers to interaction with the host through a command line interface?
  3. Task 3: What about graphical user interface interactions?
  4. Task 4: What is the name of an old remote access tool that came without encryption by default and listens on TCP port 23?
  5. Task 5: What is the name of the service running on port 3389 TCP?
  6. Task 6: What is the switch used to specify the target host’s IP address when using xfreerdp?
  7. Task 7: What username successfully returns a desktop projection to us with a blank password?
  8. Task 8: Submit root flag

The answers to these questions (except for the root flag) will be highlighted in bold and italic to help you navigate this learning journey.

Task 1: RDP Unveiled

Our journey begins with understanding RDP. The three-letter acronym RDP stands for “Remote Desktop Protocol”. It’s a crucial tool for GUI-based remote system administration.

Task 2 and 3: CLI vs. GUI

In the world of cybersecurity, we frequently interact with hosts through command line interfaces (CLI) and graphical user interfaces (GUI). Here’s the key difference:

  • CLI (Command Line Interface): CLI allows interaction with the host through text-based commands. It’s powerful for scripting, automation, and SSH (Secure Shell) connections.
  • GUI (Graphical User Interface): GUI provides a visual interface for interactions. It’s user-friendly and often used in RDP sessions.

Knowing these acronyms — CLI and GUI — is essential for effective communication in the field.

Task 4: Telnet, an Old Friend

Here, we encounter an old remote access tool known as Telnet. This tool came without encryption by default and listens on TCP port 23. Telnet is a CLI-based tool used for remote connections.

SSH (Secure Shell Protocol) is a more secure alternative to Telnet, operating on TCP port 22. It adds essential layers of authentication and encryption, making it the preferred choice for secure remote access and file transfers.

Task 5: Service on Port 3389

To identify the service running on TCP port 3389, we initiate an Nmap scan using the following command in our terminal:

nmap -sV -p3389 target_IP

In this command, the -sV flag enables service version detection, and -p <port ranges> restricts the scan to the listed ports (here, 3389). The Nmap scan yields the following crucial information:

Scan results reveal the presence of “ms-wbt-server” on port 3389. This discovery signifies that the Remote Desktop Protocol (RDP) is active on this port. Additional research on port 3389 confirms its association with RDP.

Task 6: xfreerdp for Remote Desktop Connection

To initiate a remote desktop connection, we use “xfreerdp”. Task 6 throws a question our way: What’s the switch that allows us to specify the target host’s IP address when using xfreerdp?

To provide the best response to this question, we consult the tool’s built-in help function by executing the following command:

xfreerdp -h

The output gives us valuable insights into the usage of xfreerdp, as seen below:

Observing the usage pattern, we find that the answer is “/v:”. This switch allows us to specify the target IP address of the host we would like to connect to.

Task 7: Gaining Administrator Access

Task 7 puts our knowledge of RDP login credentials to the test. The username “administrator” allows us to successfully return a desktop projection without requiring a password.

To specify the administrator user and skip validation of the server’s certificate, we make use of the switches:

  • /u:administrator
  • /cert:ignore

In combination with specifying the target machine’s IP, we formulate the command for establishing an RDP connection as administrator user:

xfreerdp /v:target_IP /cert:ignore /u:administrator

However, during the initialization of the RDP session, we are prompted for a password. The administrator account, in this instance, has not been configured with a password, simplifying our access to the target machine. To proceed, we can bypass the Password prompt by simply pressing Enter.
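
The misconfiguration this task relies on can be checked from the host side. The following PowerShell is an added example, not part of the original lab write-up; it assumes an elevated PowerShell 5.1+ session on the Windows host being checked, it only reads settings, and the helper name Get-RegValue is hypothetical.

```powershell
# Added example (not from the original write-up): read-only audit of the settings
# that together allow an RDP logon with an empty password.
# Assumes an elevated PowerShell 5.1+ session on the Windows host being checked.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or value is absent.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# fDenyTSConnections = 0 means Remote Desktop connections are accepted.
$rdpEnabled = (Get-RegValue $ts 'fDenyTSConnections') -eq 0
# UserAuthentication = 1 means Network Level Authentication is required.
$nlaRequired = (Get-RegValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication') -eq 1
# LimitBlankPasswordUse = 0 lets empty-password accounts log on over the network;
# 1 restricts them to console logon.
$blankRemote = (Get-RegValue $lsa 'LimitBlankPasswordUse') -eq 0

# Enabled local accounts that are permitted to have an empty password.
# PasswordRequired = $false does not prove the password is empty, so treat
# each hit as a candidate to verify and fix.
$candidates = @(Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired })

[pscustomobject]@{
    RdpEnabled                 = $rdpEnabled
    NlaRequired                = $nlaRequired
    BlankPasswordRemoteLogon   = $blankRemote
    AccountsWithoutPwdRequired = ($candidates.Name -join ', ')
} | Format-List

if ($rdpEnabled -and $blankRemote -and $candidates.Count -gt 0) {
    Write-Warning 'RDP is enabled and empty-password accounts may log on remotely.'
}

# Remediation, to be applied deliberately rather than by this script:
#   Set-ItemProperty -Path $lsa -Name LimitBlankPasswordUse -Value 1
#   Set-LocalUser -Name <account> -Password (Read-Host -AsSecureString)
```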

Task 8: The Root Flag

With our RDP connection successfully established, we find ourselves just moments away from our ultimate prize — the root.txt file. This file is conveniently located right on the Desktop. A simple click opens it, revealing the root flag.

The flag.txt file is located on the Desktop.

Conclusion

The “Explosion” lab on HTB provides a fantastic learning opportunity for those stepping into the world of cybersecurity. We’ve covered the basics of RDP, CLI, GUI, Telnet, xfreerdp, and more. Remember to replace target_IP with the specific target IP you’re working with. Embrace this lab as a valuable experience on your cybersecurity learning path!
