We're continuing our series of Hack the Box challenges with the Explosion box! This is box 5 of the Tier 0 Starting Point boxes. It is a bit different from the other boxes and provides a nice change of pace.

About the Box


Explosion is a Very Easy Windows-based box that is part of the Hack the Box Starting Point series. It shows how a poorly configured remote desktop setup can lead to exploitation!

This is also the first VIP box in the series, meaning you'll need a subscription to access and play it. But even if you're not a paying member, it is worth reading a few write-ups and learning about the exploits in these boxes.

That being said, let's spawn the box, start up Pwnbox and get to hacking!

Initial Setup

Let's first add our box's IP to our /etc/hosts file for easier access.

echo "10.129.15.188 explosion.htb" | sudo tee -a /etc/hosts

And then ping the box to confirm we can connect.


All good! Let's move onto the next phase and do our Nmap scan and see what's listening.

Nmap Scan

Let's start by running nmap and see what information we can get from the server.

nmap -sC -sV -p- explosion.htb

We got quite a few hits back. It's always good practice to investigate every avenue of attack; just from this scan we can see things like SMB that we could try to enumerate. However, I'm going to focus on one item in particular: the service on port 3389, which is reported as Microsoft Terminal Services.

A bit of googling tells me that this is a Remote Desktop Service (RDS), meaning that it gives users access to run a desktop on this remote machine. This can be useful in corporations that need to work in a shared environment.

That is probably our way in!

NOTE: I wanted to include a resource that's in the official walkthrough: speedguide.net has a lot of good material, including pages that detail the common applications that run on certain ports. For example, https://www.speedguide.net/port.php?port=135 tells us that this is a common port for RPC servers. This can be a good resource if we see a service running on a port but nmap isn't able to tell us what it is!

Accessing the RDS

We'll be using xfreerdp to try to access this remote desktop. It's an open source client for accessing and using these services, which is perfect for us!

However, the tool has a few quirks to note before we get started. First: flags are passed in with /(flag):(argument) syntax, so to specify the target (the computer we want remote desktop access to) we would use /v:explosion.htb.

Second: by default it will use a blank username to connect, so you will have to pass in a username through the CLI call. The tool WILL NOT ask you for a username; it might ask for a domain, but that's a separate thing.

Both of these threw me for a loop while I was going through the box, especially having to define the username in the CLI tool and not being able to enter one through a tool prompt. But I digress.

So let's access the remote desktop using the default Administrator username, and when prompted, leave the password blank, like so:

xfreerdp /v:explosion.htb /u:Administrator

We're in! The Administrator account didn't have a password set, so we were able to connect. Once connected, the tool opens a fresh window showing the remote desktop. And look at that! The flag is right there! Opening that txt file will show the flag. No spoilers ;)
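From the defender's side, this only worked because of a combination of host settings: RDP enabled, no Network Level Authentication, blank-password local accounts allowed to log on over the network, and a built-in Administrator account with no password. As an added example (not part of the original write-up or of Hack the Box), this PowerShell audit, run in an elevated prompt on a Windows host, reports those settings; the -Account parameter is this script's own assumption.

```powershell
# Added example, not from the original write-up: audit the settings that make
# a blank-password Administrator reachable over RDP. Run elevated on the host.
param([string]$Account = 'Administrator')   # assumption: account to check

$findings = @()

# 1. Is RDP enabled at all? (fDenyTSConnections = 1 means RDP is disabled)
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDisabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($rdpDisabled -eq 0) { $findings += 'RDP is enabled (fDenyTSConnections = 0)' }

# 2. Is Network Level Authentication required? (UserAuthentication = 1 means NLA on)
$rdpTcp = "$ts\WinStations\RDP-Tcp"
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -ne 1) { $findings += 'NLA is not required on RDP-Tcp (UserAuthentication != 1)' }

# 3. May local accounts with blank passwords log on over the network?
#    LimitBlankPasswordUse = 1 (the default) restricts them to console logon only.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$limit = (Get-ItemProperty -Path $lsa -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue).LimitBlankPasswordUse
if ($limit -ne 1) { $findings += 'Blank-password local accounts may log on remotely (LimitBlankPasswordUse != 1)' }

# 4. Does the account itself have a password requirement at all?
$user = Get-LocalUser -Name $Account -ErrorAction Stop
if ($user.Enabled -and -not $user.PasswordRequired) {
    $findings += "Local account '$Account' is enabled and has no password requirement"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: no weak RDP or blank-password settings found.'
} else {
    Write-Output 'Findings:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A host that reports all four findings is in the same state as this box; fixing any one of the first three (disable RDP where it is not needed, require NLA, keep LimitBlankPasswordUse at 1) is enough to stop the blank-password logon shown above.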

Final Thoughts

This one was a bit trickier for me than the other boxes so far. Having never used xfreerdp, several of its quirks threw me for a loop and left me searching Google, not even sure what I should be looking for. But we got there in the end!

It was a fun box! But now it's time to move on to the next box in the series: Preignition.

Why is the Explosion before the Preignition? That seems a bit backwards… Anyway, Happy Hacking!