In a corporate environment, employees sometimes need support from their peers. Let us assume a new employee just got onboard, and they have access to technical tools on their corporate Windows operating system that allows them to do their job effectively. Some of these tools can intercept packets on the network to analyze the flow of information between two hosts. Other tools might be script editors that would allow them to automate their day-to-day tasks as a technical-oriented employee. Others might allow them to remotely connect to other hosts running either Linux or Windows to support their fellow teammates or customers.
It is always a good idea to research the ports found in order to understand the big picture. SpeedGuide is a good resource for those just starting out with their networking basics and interested in understanding common ports at a glance; the SpeedGuide entries for the ports found on this target are listed in the Enumeration section below.
In this case, we will be discovering the risks involved with misconfigurations in such remote access tools. However, there is no need to think of these tools as malicious or risky. Remote access software represents a legitimate way to connect to other hosts to perform actions or offer support. The interactions involved in using any type of remote access tool can be either CLI-based (Command Line Interface) or GUI-based (Graphical User Interface). These tools use the same protocol at their base to communicate with the other hosts: RDP (Remote Desktop Protocol), which operates on ports 3389 TCP and 3389 UDP. The only difference is how the information relayed by this protocol is presented to the end user.
Learn more about CLI-based usage from Chapter #1 Meow - Starting Point - Hack The Box || Complete Detailed Walkthrough
TeamViewer, AnyDesk and Chrome Remote Desktop are known GUI-based applications used to interact graphically with a remote host.
Enumeration
Firstly, click on “Spawn Machine” to start the instance and check the target IP.
As always, we start with an Nmap scan, which gives us the open ports. We have run the scan with the version scanning switch enabled to determine the exact versions of all the services running on open ports on the target, thus assessing the actual operating system of the machine and any additional potential vulnerabilities due to outdated software.
- -sV: Probe open ports to determine service/version info
┌──(mrdev㉿mrdev)-[~]
└─$ sudo nmap -sV 10.129.102.35
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-18 00:29 IST
Nmap scan report for 10.129.102.35
Host is up (0.22s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.08 seconds
┌──(mrdev㉿mrdev)-[~]
└─$
Port 135 TCP: https://www.speedguide.net/port.php?port=135
Port 139 TCP: https://www.speedguide.net/port.php?port=139
Port 445 TCP: https://www.speedguide.net/port.php?port=445
Port 3389 TCP: https://www.speedguide.net/port.php?port=3389
Port 5357 TCP: https://www.speedguide.net/port.php?port=5357
Let’s look at the SpeedGuide entry for port 3389 TCP, which we deem of interest. It is typically used for Windows Remote Desktop and Remote Assistance connections (over Remote Desktop Protocol). We can quickly check for any misconfigurations in access control by attempting to connect to this readily available port without any valid credentials, thus confirming whether or not the service allows guest or anonymous connections.
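To turn the scan above into a repeatable triage step, here is an added example (not part of the original walkthrough): a small POSIX shell script that reads `nmap -sV` normal output, extracts the open TCP ports with their service and version strings, and prints a short risk note next to each. The embedded scan text is the output from this walkthrough; the risk notes are this example's own summary of what a reviewer checks for each service, not SpeedGuide text. In practice you would pipe a live scan into `triage` instead of using the sample.

```shell
#!/bin/sh
# Added example: triage an `nmap -sV` report and flag the ports that matter
# for remote access. SAMPLE_SCAN is the walkthrough's own scan output,
# embedded so the script runs offline.

SAMPLE_SCAN='Nmap scan report for 10.129.102.35
Host is up (0.22s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows'

# Print the port number of every open TCP port, one per line.
open_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }'
}

# Map a port to the one-line note a reviewer wants next to it.
# These notes are this example's own summary, not SpeedGuide text.
risk_note() {
    case "$1" in
        135)     echo "MS-RPC endpoint mapper: should not be reachable from untrusted networks" ;;
        139|445) echo "SMB/NetBIOS: check for null sessions and signing, restrict to internal hosts" ;;
        3389)    echo "RDP: require NLA, forbid blank/weak passwords, restrict source IPs, alert on brute force" ;;
        *)       echo "no note; look the port up" ;;
    esac
}

# Build a tab-separated report: port, service, version, risk note.
triage() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
        port = $1; sub(/\/tcp$/, "", port)
        svc = $3; ver = ""
        for (i = 4; i <= NF; i++) ver = ver (i > 4 ? " " : "") $i
        if (ver == "") ver = "(no version)"
        print port "\t" svc "\t" ver
    }' | while IFS="$(printf '\t')" read -r port svc ver; do
        printf '%s\t%s\t%s\t%s\n' "$port" "$svc" "$ver" "$(risk_note "$port")"
    done
}

# Exit 0 when RDP (3389/tcp) is open on the scanned host, 1 otherwise.
rdp_exposed() {
    open_ports "$1" | grep -qx 3389
}

# Usage: ./triage.sh --demo   (or: nmap -sV host | { read scan; ...; })
if [ "${1:-}" = "--demo" ]; then
    triage "$SAMPLE_SCAN"
    rdp_exposed "$SAMPLE_SCAN" && echo "RDP exposed: verify the logon policy on the host"
fi
```

Run it with `--demo` to see the four-line report for the sample; `rdp_exposed` is separated out so a wrapper script can branch on it, for example to queue the host for a configuration review.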
Foothold
As I am a Windows user, I am going to use the Remote Desktop Connection application here. Run the application (Win + S, then search for it), input the IP address with the port number [Target IP:PortNo] and click on Connect to interact with the target.
It will then prompt me for the password of my own system, as it automatically selects my local username. I am not going to log in with my local username, as that would obviously be pointless.
Now click on "More choices". As you can see, it prompts for the username and password of the target.
Let’s try default accounts, such as user, admin, Administrator, and so on.
In reality, this would be a time-consuming process. However, for the sake of RDP exploration, let us attempt logging in as the Administrator user without a password. As you can see, we have successfully logged into the target.
The flag we are looking for is located on the Desktop. Open it and you can see the flag inside.
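The logon just performed is exactly what a defender should be able to spot: an interactive RDP session using the built-in Administrator account, coming from a host that is not an approved jump host. As an added example (not part of the original walkthrough), the POSIX shell script below runs that detection over a constructed export of Windows 4624 logon events; the key=value line format and the sample lines are this example's own, not Windows' native event format, and the allowed source range (10.129.) is an assumption standing in for an internal jump-host subnet. Logon type 10 is RemoteInteractive, the type Windows records for RDP sessions.

```shell
#!/bin/sh
# Added example: flag RDP logons that a defender would want to review.
# SAMPLE_LOGONS is a CONSTRUCTED key=value export of Windows 4624 logon
# events (this example's own format); logon_type=10 = RemoteInteractive (RDP).

SAMPLE_LOGONS='ts=2021-12-18T00:29:55Z host=WS01 event=4624 logon_type=2 user=jsmith src=-
ts=2021-12-18T00:31:02Z host=WS01 event=4624 logon_type=10 user=Administrator src=10.10.14.7
ts=2021-12-18T00:31:40Z host=WS01 event=4624 logon_type=3 user=jsmith src=10.129.1.20
ts=2021-12-18T00:33:12Z host=WS01 event=4624 logon_type=10 user=jsmith src=10.129.1.20
ts=2021-12-18T00:35:08Z host=WS01 event=4624 logon_type=10 user=helpdesk src=203.0.113.9'

# Assumed prefix of the subnet from which RDP sessions are allowed.
ALLOWED_SRC_PREFIX='10.129.'

# Print only RemoteInteractive (RDP) logons.
rdp_logons() {
    printf '%s\n' "$1" | awk '$0 ~ /(^|[ \t])logon_type=10([ \t]|$)/'
}

# Print RDP logons that use the built-in Administrator account or originate
# outside the allowed range, as "reason<TAB>original line".
suspicious_rdp_logons() {
    rdp_logons "$1" | awk -v allowed="$ALLOWED_SRC_PREFIX" '
    {
        user = ""; src = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "user") user = kv[2]
            if (kv[1] == "src")  src  = kv[2]
        }
        reason = ""
        if (user == "Administrator") reason = "builtin-admin-over-rdp"
        # index() == 1 means the source address starts with the allowed prefix
        if (index(src, allowed) != 1) reason = (reason == "" ? "" : reason ",") "external-source"
        if (reason != "") print reason "\t" $0
    }'
}

# Usage: ./rdp_review.sh --demo
if [ "${1:-}" = "--demo" ]; then
    suspicious_rdp_logons "$SAMPLE_LOGONS"
fi
```

On the sample, the Administrator session from 10.10.14.7 is flagged for both reasons and the helpdesk session from 203.0.113.9 for its external source; the jsmith RDP session from the allowed range passes. Feeding real exported events through the same two functions is a cheap first-pass rule before tuning a SIEM alert.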
Task Answers
TASK 1: What does the 3-letter acronym RDP stand for?
Ans. Remote Desktop Protocol
TASK 2: What is a 3-letter acronym that refers to interaction with the host through a command-line interface?
Ans. CLI
TASK 3: What about graphical user interface interactions?
Ans. GUI
TASK 4: What is the name of an old remote access tool that came without encryption by default?
Ans. telnet
TASK 5: What is the concept used to verify the identity of the remote host with SSH connections?
Ans. public-key cryptography
TASK 6: What is the name of the tool that we can use to initiate a desktop projection to our host using the terminal?
Ans. xfreerdp