In a corporate environment, employees sometimes need support from their peers. Let us assume a new employee has just been onboarded, and they have access to technical tools on their corporate Windows operating system that allow them to do their job effectively. Some of these tools can intercept packets on the network to analyze the flow of information between two hosts. Other tools might be script editors that allow them to automate their day-to-day tasks as technically oriented employees. Others might allow them to remotely connect to other hosts running either Linux or Windows to support their fellow teammates or customers.
In this case, we will be discovering the risks involved with misconfigurations in the latter. However, there is no need to think of these tools as malicious or risky. Remote access software represents a legitimate way to connect to other hosts to perform actions or offer support. The interactions involved in using any type of remote access tool can be either:
- CLI-based (Command Line Interface) or
- GUI-based (Graphical User Interface).
These tools use the same protocol at their base to communicate with the other hosts, which is RDP. RDP (Remote Desktop Protocol) operates on ports 3389 TCP and 3389 UDP. The only difference lies in how the information relayed by this protocol is presented to the end user.
Learn more about CLI-based usage from Chapter #1: 1-Meow: Starting Point Hack The Box Machine - Complete Guide.
Enumeration
Firstly, click on “Spawn Machine” to start the instance and check the target IP. As always, we start with an Nmap scan, which reveals the open ports. We have run the scan with the version scanning switch enabled to determine the exact versions of all the services running on open ports on the target, thus assessing the actual operating system of the machine and any additional potential vulnerabilities due to outdated software.
- -sV: Probe open ports to determine service/version info
- Port 135 TCP: https://www.speedguide.net/port.php?port=135
- Port 139 TCP: https://www.speedguide.net/port.php?port=139
- Port 445 TCP: https://www.speedguide.net/port.php?port=445
- Port 3389 TCP: https://www.speedguide.net/port.php?port=3389
- Port 5357 TCP: https://www.speedguide.net/port.php?port=5357
Let’s look at the Speed Guide entry for port 3389 TCP, which we deem of interest. It is typically used for Windows Remote Desktop and Remote Assistance connections (over Remote Desktop Protocol). We can quickly check for any misconfigurations in access control by attempting to connect to this readily available port without any valid credentials, thus confirming whether or not the service allows guest or anonymous connections.
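To turn the enumeration step above into something repeatable, the following script parses the normal output of `nmap -sV` and flags the remote-access and file-sharing ports a defender would want to review. This is an added example, not code from the walkthrough or from Hack The Box; the Nmap output it parses is constructed to match the five ports listed above (the host address 10.10.10.10 and the version strings are sample values), and the review notes are this example's own wording.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `nmap -sV` normal output for the ports the walkthrough
# lists. The address and version strings are placeholders, not a real capture.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.10.10.10
Host is up (0.020s latency).

PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
5357/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str = ""

@dataclass
class ScanResult:
    host: str
    ports: list = field(default_factory=list)

# One port line looks like "3389/tcp open  ms-wbt-server Microsoft Terminal Services";
# the version column is optional (Nmap prints "service?" when it is unsure).
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.+))?$"
)
HOST_LINE = re.compile(r"^Nmap scan report for (?P<host>\S+)")

def parse_nmap_output(text: str) -> ScanResult:
    """Parse Nmap normal output into a ScanResult (host plus one PortEntry per port line)."""
    result = ScanResult(host="")
    for raw in text.splitlines():
        line = raw.strip()
        host = HOST_LINE.match(line)
        if host:
            result.host = host["host"]
            continue
        m = PORT_LINE.match(line)
        if m:
            result.ports.append(PortEntry(
                int(m["port"]), m["proto"], m["state"], m["service"],
                (m["version"] or "").strip(),
            ))
    return result

# Defender's review notes for the ports the walkthrough discusses (example wording).
REVIEW_NOTES = {
    3389: "RDP exposed: verify the listener rejects guest/anonymous sessions and that no account has an empty password",
    445: "SMB exposed: verify guest and null-session access are disabled",
    139: "NetBIOS session service exposed: usually unnecessary beyond the local segment",
    135: "MS-RPC endpoint mapper exposed: restrict to management networks",
}

def assess_exposure(result: ScanResult) -> list:
    """Return a finding per open port that needs review; RDP is recognised by its
    service name too, so a listener moved off 3389 is still reported."""
    findings = []
    for p in result.ports:
        if p.state != "open":
            continue
        if p.service == "ms-wbt-server" and p.port != 3389:
            findings.append({"port": p.port, "service": p.service,
                             "note": "RDP on a non-default port: " + REVIEW_NOTES[3389]})
        elif p.port in REVIEW_NOTES:
            findings.append({"port": p.port, "service": p.service, "note": REVIEW_NOTES[p.port]})
    return findings

if __name__ == "__main__":
    scan = parse_nmap_output(SAMPLE_NMAP_OUTPUT)
    print(f"Host {scan.host}: {len(scan.ports)} open ports")
    for f in assess_exposure(scan):
        print(f"  {f['port']}/{f['service']}: {f['note']}")
```

Pipe real output in with `nmap -sV <target> | python3 script.py` after replacing the sample string with `sys.stdin.read()`; port 5357 (WSD) is deliberately not flagged because the walkthrough does not pursue it.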
Foothold
As I am a Windows user, I am going to use the Remote Desktop Connection application here. Now run the application (Win + S). Input the IP address with the port number [Target IP:PortNo] and click on Connect to interact with the target.
Now it will prompt me to input the password of my system, as it automatically selects my system username. But I am not going to log in with my system username, as I know that is never going to work.
Now click on “More choices”. As you can see, it will prompt me to provide the username and password of the target.
Let’s try with default accounts, such as user, admin, Administrator, and so on.
In reality, this would be a time-consuming process. However, for the sake of RDP exploration, let us attempt logging in with the Administrator user without a password. As you can see, we have successfully managed to log into the target.
The flag we are looking for is located on the Desktop. Now click on that and you can see the code inside it.
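The foothold above is, from the host's point of view, a run of failed RDP logons under guessed usernames followed by a successful one. On the defending side that pattern is visible in the Windows Security log: event ID 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, which is what an RDP session produces). The rule below is an added example, not part of the walkthrough; the event records it runs over are constructed (the source address 10.10.14.5 and the timestamps are sample values), reduced to the fields the rule needs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records (not real telemetry).
# 4625 = failed logon, 4624 = successful logon; logon_type 10 = RDP session.
# Source 10.10.14.5 mirrors the walkthrough: "user", "admin", ... are tried,
# then "Administrator" succeeds. Source 10.10.14.9 is a benign user whose one
# old failure lies well outside the detection window.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T09:00:00", "event_id": 4625, "logon_type": 10, "user": "bob", "src_ip": "10.10.14.9"},
    {"time": "2024-01-01T10:00:01", "event_id": 4625, "logon_type": 10, "user": "user", "src_ip": "10.10.14.5"},
    {"time": "2024-01-01T10:00:20", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "10.10.14.5"},
    {"time": "2024-01-01T10:00:45", "event_id": 4625, "logon_type": 10, "user": "guest", "src_ip": "10.10.14.5"},
    {"time": "2024-01-01T10:01:10", "event_id": 4624, "logon_type": 10, "user": "Administrator", "src_ip": "10.10.14.5"},
    {"time": "2024-01-01T10:02:00", "event_id": 4624, "logon_type": 3, "user": "svc", "src_ip": "10.10.14.5"},
    {"time": "2024-01-01T10:05:00", "event_id": 4624, "logon_type": 10, "user": "bob", "src_ip": "10.10.14.9"},
]

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)

def detect_rdp_guessing(events, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """Return alerts for RDP credential guessing, per source address.

    'guessing': the source reaches `threshold` failed RDP logons inside `window`
    (reported once per burst).
    'success_after_failures': the source logs on over RDP while failures are
    still inside the window; the alert records which usernames were tried.
    Network logons (type 3) and other event IDs are ignored.
    """
    by_source = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 10 and ev["event_id"] in (4624, 4625):
            by_source[ev["src_ip"]].append(ev)

    alerts = []
    for src, evs in by_source.items():
        evs.sort(key=lambda e: _ts(e["time"]))
        failures = []            # failed logons still inside the sliding window
        guessing_reported = False
        for ev in evs:
            now = _ts(ev["time"])
            failures = [f for f in failures if now - _ts(f["time"]) <= window]
            if ev["event_id"] == 4625:
                failures.append(ev)
                if len(failures) >= threshold and not guessing_reported:
                    alerts.append({
                        "kind": "guessing", "src_ip": src, "time": ev["time"],
                        "attempted_users": sorted({f["user"] for f in failures}),
                        "failed_count": len(failures),
                    })
                    guessing_reported = True
            elif failures:
                alerts.append({
                    "kind": "success_after_failures", "src_ip": src, "time": ev["time"],
                    "attempted_users": sorted({f["user"] for f in failures}),
                    "failed_count": len(failures), "success_user": ev["user"],
                })
                failures = []
                guessing_reported = False
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_guessing(SAMPLE_EVENTS):
        print(alert)
```

The two alert kinds are kept separate on purpose: the first fires while the guessing is still in progress, the second is the one worth paging on, because a logon that follows a burst of failures from the same address is the signature of a guess that worked. Feeding the rule from real data means exporting 4624/4625 with their IpAddress and LogonType fields; the dictionary shape used here is only the example's own.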
Task Answers
TASK 1: What does the 3-letter acronym RDP stand for?
Ans. Remote Desktop Protocol
TASK 2: What is a 3-letter acronym that refers to interaction with the host through a command-line interface?
TASK 3: What about graphical user interface interactions?
TASK 4: What is the name of an old remote access tool that came without encryption by default?
Ans. telnet
TASK 5: What is the concept used to verify the identity of the remote host with SSH connections?
Ans. public-key cryptography
TASK 6: What is the name of the tool that we can use to initiate a desktop projection to our host using the terminal?
Ans. xfreerdp
TASK 7: What is the name of the service running on port 3389 TCP?
Ans. ms-wbt-server
TASK 8: What is the switch used to specify the target host's IP address when using xfreerdp?
Ans. /v: