
HTB | Explosion | Write-Up


Summary:

This article guides users through completing the Explosion machine challenge on Hack The Box. The guide covers tasks such as connecting to the target machine via pwnbox, identifying open TCP ports, understanding remote access protocols and tools, and obtaining flags through a series of questions and exercises.

Machine Name: Explosion | Difficulty: Easy | OS: Windows


The aim of this walkthrough is to provide help with the Explosion machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.

It belongs to a series of tutorials that aim to help out complete beginners with finishing the Starting Point TIER 0 challenges.

Setup

There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.

Once our connection is taken care of, we spawn the target machine.

Additionally, though it is not required, we can set a shell variable (only available in the current shell) containing our target host's IP address. Once set, we can reference it by prepending a $ to the variable name.

┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $rhost=<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $ echo $rhost
<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

Use the unset command to remove it once you no longer need it.

┌─[][htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $unset rhost
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

Task | 1

Question: What does the 3-letter acronym RDP stand for?

Look up RDP on the internet.

remote desktop protocol

Task | 2

Question: What is a 3-letter acronym that refers to interaction with the host through a command line interface?

Use the hint feature to get a better understanding of the question.

cli

Task | 3

Question: What about graphical user interface interactions?

The answer should be quite straightforward after the previous task.

gui

Task | 4

Question: What is the name of an old remote access tool that came without encryption by default and listens on TCP port 23?

Use the internet to look up port 23.

telnet

Task | 5

Question: What is the name of the service running on port 3389 TCP?

Run the default nmap scan against the target machine.

┌─[htb-bluewalle@htb-fjpem3fvtz][~/Desktop]
└──╼ $nmap $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 19:20 BST
Nmap scan report for 10.129.1.13
Host is up (0.051s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds
┌─[htb-bluewalle@htb-fjpem3fvtz][~/Desktop]
└──╼ $

ms-wbt-server
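
The same scan output can be read from the defender's side. As an added example (not part of the original write-up), this shell function parses nmap's normal output and flags open ports running the remote-access services named in Tasks 4 and 5. The function name flag_remote_access, the watchlist notes and the sample_scan variable are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: flag exposed remote-access services in nmap normal output.
# flag_remote_access and its watchlist are assumptions made for this example.

flag_remote_access() {
  # Reads nmap normal output on stdin and prints one line per open port
  # whose service name is on the watchlist: "host port/proto service (note)".
  # Returns 0 if at least one such port was found, 1 otherwise.
  awk '
    BEGIN {
      note["telnet"]        = "cleartext remote shell"
      note["ms-wbt-server"] = "RDP: check for blank or default passwords"
    }
    # Header is "Nmap scan report for 10.129.1.13" or "... for name (ip)"
    /^Nmap scan report for / {
      host = $NF
      gsub(/[()]/, "", host)
      next
    }
    # Port table rows look like "3389/tcp open ms-wbt-server"
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && ($3 in note) {
      printf "%s %s %s (%s)\n", host, $1, $3, note[$3]
      found = 1
    }
    END { exit (found ? 0 : 1) }
  '
}

# Constructed sample: the scan output shown in Task 5.
sample_scan='Nmap scan report for 10.129.1.13
Host is up (0.051s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server'

printf '%s\n' "$sample_scan" | flag_remote_access
```

In practice, pipe a saved scan into the function, for example the file written by nmap's -oN option.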

Task | 6

Question: What is the switch used to specify the target hosts IP address when using xfreerdp?

List the xfreerdp command options and their usage with the --help option.

┌─[htb-bluewalle@htb-fjpem3fvtz][~/Desktop]
└──╼ $xfreerdp --help
...
/v:<server>[:port] Server hostname
...

/v:

Task | 7

Question: What username successfully returns a desktop projection to us with a blank password?

Similarly to the default credentials on Linux (like root:root | root:password | user:password | kali:kali ...), there are some for Windows too.

Here are some notable examples: Username:Password | Administrator:Administrator ... Since the flag in the last task requires root privileges, Administrator is the only Windows equivalent we have. Simply press enter when prompted for a password.

┌─[htb-bluewalle@htb-fjpem3fvtz][~/Desktop]
└──╼ $xfreerdp /u:Administrator /v:$rhost
...

Administrator

Submit The Flag

Question: Submit root flag

Once logged in to the remote Windows machine, you will find the file containing the flag on your Desktop.

flag

Make sure to terminate the target box before you continue with the next machine!