Lab Objective: Explosion is the fifth machine in the Starting Point Tier 0 series. It focuses on the Remote Desktop Protocol (RDP), specifically what happens when a system is misconfigured so that a threat actor can take it over completely without knowing a single password.
Important Considerations
- RDP (Remote Desktop Protocol) — lets a user open an interactive graphical session on a remote Windows host. It is the standard way administrators manage Windows machines remotely, which is why it is so often left exposed.
- Ports — 3389 TCP and 3389 UDP.
- Telnet — an outdated remote access tool that sends credentials and the entire session in cleartext. Long replaced by SSH.
- SSH (Secure Shell Protocol) — provides the same remote shell but adds server authentication, user authentication and encryption, so neither credentials nor session content cross the wire in the clear.
- Use cases for remote access — patch delivery, file transfers, log transfers, remote management.
Enumeration
Nmap scan: nmap -p- -sV {targetIP}. The -p- switch scans all 65,535 TCP ports instead of nmap's default top 1,000, and -sV probes each open port to identify the service and version; that service detection is what labels port 3389 as ms-wbt-server below.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
Task 1 — What does RDP stand for?
Answer: Remote Desktop Protocol.
Task 2 — What 3-letter acronym refers to command-line interface interaction?
Answer: CLI.
Task 3 — What about graphical user interface interactions?
Answer: GUI.
Task 4 — What old remote access tool came without encryption and listens on TCP port 23?
Answer: Telnet.
Task 5 — What is the name of the service running on port 3389 TCP?
Answer: ms-wbt-server.
Establishing a Foothold
Task 6 — What switch specifies the target host's IP address in xfreerdp?
Answer: /v:. Connect with: xfreerdp /v:{targetIP}. Every other xfreerdp option is passed the same way, as /option:value, so the username goes in /u: and the password in /p:.
Task 7 — What username returns a desktop with a blank password?
Answer: Administrator. This is the classic misconfiguration: the built-in Administrator account is enabled, reachable over RDP, and has no password set. Connect with xfreerdp /v:{targetIP} /u:Administrator /cert:ignore and press Enter at the password prompt; /cert:ignore only suppresses the warning about the server's self-signed certificate. A full desktop session opens with no further authentication.
Task 8 — Submit root flag.
Answer: Follow the steps above. Once the desktop session is open, locate the flag file on the target, open it, and submit its contents.
Final Thoughts
A straightforward exercise, but an important one. Getting a full graphical desktop from a blank administrator password is not a sophisticated attack — it is a configuration failure. The lesson is not about the tool, it is about what gets left unchecked at deployment.
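The misconfiguration behind Task 7 can be checked from the defending side, and the check is worth knowing because a blank local password is only usable over RDP when more than one setting has been left at an unsafe value. The PowerShell below is an added example written for this page; it is not part of the original walkthrough or of the lab. It reads the settings that decide whether Remote Desktop is on, whether Network Level Authentication is required, and whether the "Accounts: Limit local account use of blank passwords to console logon only" policy is in force, then tries an empty password against the built-in Administrator through the local SAM. The registry paths and value names are the documented Windows ones; the function name and the output fields are my own. Run it in an elevated prompt on a host you own, because the credential test is a real logon attempt.

```powershell
# Added example, not part of the original walkthrough: audit the local host for the
# conditions that turn an RDP listener into the Explosion foothold. Run elevated.
# Registry paths and value names are the documented Windows ones; the function name,
# parameter and output fields are my own.

function Get-RdpBlankPasswordExposure {
    [CmdletBinding()]
    param(
        # Local accounts to try with an empty password. Administrator is the page's case.
        [string[]]$Accounts = @('Administrator')
    )

    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue

    # LimitBlankPasswordUse backs the policy "Accounts: Limit local account use of blank
    # passwords to console logon only". Default is 1 (enabled). At 0, a local account with an
    # empty password can log on over the network, RDP included. A missing value means default.
    $blankLimited = ($null -eq $lsa -or $lsa.LimitBlankPasswordUse -ne 0)

    # fDenyTSConnections 1 = Remote Desktop disabled; UserAuthentication 1 = NLA required.
    $rdpEnabled  = ($null -ne $ts  -and $ts.fDenyTSConnections -eq 0)
    $nlaRequired = ($null -ne $rdp -and $rdp.UserAuthentication -eq 1)

    # Try an empty password against each enabled account through the local SAM.
    # ValidateCredentials performs a network-style logon, so with the blank-password
    # policy enforced it returns False even if the password really is empty; that matches
    # what a remote RDP client would experience, which is the exposure we care about.
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Machine)

    $blankAccounts = foreach ($name in $Accounts) {
        $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $user -or -not $user.Enabled) { continue }
        try {
            if ($ctx.ValidateCredentials($name, '')) { $name }
        } catch {
            # An exception here means the logon could not even be attempted; treat as not exposed.
        }
    }
    $blankAccounts = @($blankAccounts)

    [pscustomobject]@{
        RdpEnabled                = $rdpEnabled
        NlaRequired               = $nlaRequired
        BlankPasswordsConsoleOnly = $blankLimited
        AccountsAcceptingBlankPw  = $blankAccounts
        # The page's scenario: RDP reachable, and an enabled account whose empty password works remotely.
        ExposedLikeExplosion      = ($rdpEnabled -and -not $blankLimited -and $blankAccounts.Count -gt 0)
    }
}

Get-RdpBlankPasswordExposure | Format-List
```

On a correctly deployed host the output shows BlankPasswordsConsoleOnly as True, NlaRequired as True and an empty AccountsAcceptingBlankPw list, even if RdpEnabled is True. The Explosion box needs the opposite on every line: the policy relaxed or the account given a genuinely usable empty password, and RDP listening on 3389. Fixing either the policy or the password closes the hole; requiring NLA additionally stops unauthenticated clients from reaching the logon screen at all.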