HTB Labs — Tier 0 — “Explosion” Machine Walkthrough | By CyberAlp0

Hey Folks, this is CyberAlp0. Back again with a new walkthrough powered by HTB, Tier 0, of the machine named “Explosion”. Explosion is one of the VIP labs in the HackTheBox Tier 0 Starting Point phase. This machine strengthens your programming and reconnaissance skills. It also strengthens your knowledge regarding exploiting RDP.
This blog will guide you through solving the Explosion machine tasks one by one and give you more information and hints regarding each question. These hints will widen your experience and sharpen your mind.
Step 1: Connecting to the Starting Point Labs Servers.
As usual, before solving the tasks, you have to be on the same network as the target. You can read my blog, which guides you step by step through connecting to the target machine.
Step 2: Spawning the Machine and Starting to Solve the Tasks.
Task 1: What does the 3-letter acronym RDP stand for?
Answer: Remote Desktop Protocol
Walkthrough:
Remote Desktop Protocol (RDP) is a protocol developed by Microsoft that allows users to control and connect to remote computers over the network. RDP provides a graphical interface, allowing users to access files, applications, and other resources on the remote computer as if they were sitting in front of it.
An exposed RDP service gives an attacker many avenues of attack. The most dangerous are unpatched vulnerabilities in outdated RDP software, which can let an attacker gain remote access to or execute malicious code on the target system. Thus, it is crucial to keep both your operating system and your RDP software up to date.
Task 2: What is a 3-letter acronym that refers to interaction with the host through a command line interface?
Answer: CLI
Walkthrough:
A CLI allows users to interact with an operating system by typing commands into a text-based interface rather than using a Graphical User Interface (GUI). The CLI allows more direct and efficient control of the system.
Task 3: What about graphical user interface interactions?
Answer: GUI
Walkthrough:
A Graphical User Interface (GUI) is a user interface that allows users to interact with the operating system through graphical elements such as windows, icons, menus, and pointers like a mouse.
Task 4: What is the name of an old remote access tool that came without encryption by default and listens on TCP port 23?
Answer: Telnet
Walkthrough:
Telnet is a network protocol that allows users to connect to remote computers over a TCP/IP network. It also allows users to interact with the operating system through the CLI. It operates on TCP port 23 by default.
One of its main weaknesses is that it has no built-in encryption, so all communication, including credentials, is transmitted in plaintext. It has been replaced by a more secure protocol called SSH (Secure Shell), which operates on TCP port 22.
Read more on how we can exploit machines that have the Telnet protocol enabled without proper security measures in my walkthrough of that lab.
The Machine is called MEOW from HTB.
Task 5: What is the name of the service running on port 3389 TCP?
Answer: ms-wbt-server
Walkthrough:
To find the name of the service running on the target, we will scan the target machine. There are lots of scanning tools, such as Rustscan and Nmap. Since Nmap is my favorite, we will be typing the following command:
sudo nmap -A -sV -sC 10.129.40.107
This command performs an aggressive scan of the target machine. Here is a detailed breakdown of the options used:
- -A: Aggressive scan. It enables OS detection, version detection, script scanning, and traceroute, so -sV and -sC below are already implied by it; listing them as well is harmless.
- -sV: Probe open ports to determine service and version information.
- -sC: Run Nmap's default script set (equivalent to --script=default) to gather as much information as possible about the target system.

Note: You may use the explainshell website to understand more about different shell commands.
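Scan output is only useful if it ends up in an inventory you can act on. The following is an added example, not part of the original walkthrough: it parses Nmap's "grepable" (-oG) output format, which is a stable, one-line-per-host format, and flags hosts exposing remote-access services such as ms-wbt-server (RDP), Telnet or FTP. The sample output is constructed for illustration (the port list is invented and is not the real scan result of the lab); the service-to-protocol table and the allowed-service policy are assumptions of the example.

```python
from typing import Dict, List, Tuple

# Constructed sample of Nmap grepable output (-oG). Not the real scan of the lab;
# only the format matches. Fields per port are port/state/proto/owner/service/rpcinfo/version/
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -A -sV -sC -oG - 10.129.40.107
Host: 10.129.40.107 ()\tStatus: Up
Host: 10.129.40.107 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: filtered (996)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Assumed mapping of Nmap service names to the remote-access protocol they represent.
REMOTE_ACCESS_SERVICES = {"ms-wbt-server": "RDP", "telnet": "Telnet", "ftp": "FTP"}


def parse_gnmap(text: str) -> Dict[str, List[dict]]:
    """Return {host: [{"port", "state", "proto", "service", "version"}, ...]} from -oG output."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        # Only "Host:" lines that carry a "Ports:" field describe open ports.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab-separated field (e.g. "Ignored State").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = []
        for item in ports_field.split(","):
            fields = item.strip().split("/")
            if len(fields) < 7:
                continue  # malformed entry; skip rather than guess
            entries.append({
                "port": int(fields[0]),
                "state": fields[1],
                "proto": fields[2],
                "service": fields[4],
                "version": fields[6],
            })
        hosts.setdefault(host, []).extend(entries)
    return hosts


def service_on_port(hosts: Dict[str, List[dict]], host: str, port: int) -> str:
    """Answer the Task 5 style question: which service name did Nmap report on this port?"""
    for entry in hosts.get(host, []):
        if entry["port"] == port and entry["state"] == "open":
            return entry["service"]
    return ""


def exposed_remote_access(hosts: Dict[str, List[dict]]) -> List[Tuple[str, int, str]]:
    """List (host, port, protocol) for every open remote-access service, for follow-up by the asset owner."""
    findings = []
    for host, entries in hosts.items():
        for entry in entries:
            proto = REMOTE_ACCESS_SERVICES.get(entry["service"])
            if entry["state"] == "open" and proto:
                findings.append((host, entry["port"], proto))
    return findings


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    print("3389/tcp ->", service_on_port(parsed, "10.129.40.107", 3389))
    for host, port, proto in exposed_remote_access(parsed):
        print(f"{host}:{port} exposes {proto}")
```

Running a real scan with -oG (for example nmap -sV -oG scan.gnmap <target>) and feeding the file to parse_gnmap gives the same structure, so the remote-access check can run as a periodic exposure audit rather than a one-off read of the terminal.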
Task 6: What is the switch used to specify the target host’s IP address when using xfreerdp?
Answer: /v:
Walkthrough:
xfreerdp is a free and open-source client used to connect to other systems through RDP. It allows users to connect to and control Windows systems over TCP/IP. The xfreerdp tool comes with lots of switches and options to configure the connection to the remote Windows system.
These switches include the following:
- /u: <Username>: To specify the username of the target OS you are connecting to.
- /p: <Password>: To specify the password of the remote OS.
- /d: <Domain>: To specify the domain.
- /s: <Shell>: To specify the shell program you will be running.
- /f: <Full Screen>: To run the xfreerdp tool in full-screen mode.
- /cert: <Certification>: To specify the status of the connection certification.
You can find more information and details about xfreerdp by running xfreerdp --help.
Task 7: What username successfully returns a desktop projection to us with a blank password?
Answer: Administrator
Walkthrough:
Remember the Fawn lab we previously covered? It focused on exploiting FTP, which runs over port 21. The mindset for exploiting this machine is similar: there we used the user “anonymous” to gain access to the machine with a plaintext password (without any real authentication).
Similarly, to exploit a weakly configured RDP service, we will use the username “Administrator” to connect remotely to the Windows operating system without any kind of authentication, such as typing a password.
The same applies to other weak protocols like Telnet, which runs over port 23. We covered it in the MEOW lab from HTB.
In summary, we have learned so far that there are three weak protocols that enable hackers to connect to target systems. These three protocols are FTP, Telnet, and RDP.
1- FTP runs over port 21. Its secured alternative is FTPS or SFTP. We covered its exploitation in the FAWN lab from HTB.
2- Telnet runs over port 23. Its secured alternative is SSH, which runs over port 22. We covered its exploitation in the MEOW lab from HTB.
3- RDP runs over port 3389. Its secured alternative is RDP over a VPN or RDP over HTTPS.
The command we will be typing is as follows:
sudo xfreerdp /v:10.129.1.13 /cert:ignore /u:Administrator
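From the defender's side, a blank-password Administrator logon over RDP is exactly the kind of event a SOC wants to catch. The following is an added example, not part of the original walkthrough: it runs a simple detection over constructed Windows Security log records shaped like Event ID 4624 (successful logon) EventData. LogonType 10 (RemoteInteractive) is the type recorded for RDP sessions; the rule flags RDP logons by the built-in Administrator account and RDP logons from outside an assumed management network. The event records, host names, IP addresses and the management range are all constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed records in the shape of Windows Security Event ID 4624 EventData.
# None of this is real telemetry from the lab; the field names are the real 4624 field names.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "alice", "IpAddress": "-", "WorkstationName": "WS01"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "alice", "IpAddress": "10.10.0.5", "WorkstationName": "JUMP01"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "10.10.14.22", "WorkstationName": "kali"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "Administrator", "IpAddress": "10.10.0.5", "WorkstationName": "JUMP01"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "10.10.14.22", "WorkstationName": "kali"},
]

# Assumed management network from which RDP sessions to servers are expected (example policy).
ALLOWED_RDP_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]
REMOTE_INTERACTIVE = 10  # LogonType 10 = RemoteInteractive, i.e. RDP / Terminal Services


def rdp_logons(events: List[Dict]) -> List[Dict]:
    """Successful logons that arrived over RDP (4624 with LogonType 10)."""
    return [e for e in events if e["EventID"] == 4624 and int(e["LogonType"]) == REMOTE_INTERACTIVE]


def _source_allowed(ip_text: str) -> bool:
    """True if the source address falls inside the management network; '-' or junk is not allowed."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_RDP_SOURCES)


def suspicious_rdp_logons(events: List[Dict]) -> List[Dict]:
    """Flag RDP logons by the built-in Administrator or from outside the management network."""
    findings = []
    for e in rdp_logons(events):
        reasons = []
        if e["TargetUserName"].lower() == "administrator":
            reasons.append("built-in Administrator account used over RDP")
        if not _source_allowed(e["IpAddress"]):
            reasons.append(f"source {e['IpAddress']} is outside the management network")
        if reasons:
            findings.append({
                "user": e["TargetUserName"],
                "source": e["IpAddress"],
                "workstation": e["WorkstationName"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_rdp_logons(SAMPLE_EVENTS):
        print(f"ALERT {f['user']} from {f['source']} ({f['workstation']}): " + "; ".join(f["reasons"]))
```

The rule deliberately ignores the 4625 failure and the network logon (type 3) so that it answers one question only: who opened an interactive desktop over RDP, and from where. On the prevention side, Windows ships with the policy "Accounts: Limit local account use of blank passwords to console logon only" enabled, which blocks blank-password network and RDP logons for local accounts; the lab works only because that default was weakened, which is the first thing to check on a host where this rule fires.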

Task 8: The Root Flag
Answer: 951fa96d7830c451b536be5a6be008a0
Walkthrough:
After connecting to the remote server as “Administrator”, we gain remote access to the server's desktop. By opening the flag.txt file found on the desktop, we find our flag.

The flag of the Explosion machine from HTB is:
951fa96d7830c451b536be5a6be008a0
Hope you enjoyed reading my blog about solving the Explosion machine from HTB — Tier 0 — Starting Point phase.
See You in another write-up!