Explosion - Windows
- justinblawitz
- Oct 7, 2025
- 1 min read
Ping and nmap target Ip using sudo nmap -sV {target Ip}
We find a couple open ports, with port 3389/tcp open being the most interesting. This port is usually used for Windows Remote Desktop and Remote Assistance connections (over RDP – Remote Desktop Protocol).
Use xfreerdp3 /v:{target Ip} without providing a username or password (/v: {target Ip} : specifies the target Ip of the host we would like to connect to). But our username is not accepted.
Next, we try using common default accounts like user, admin etc. using xfreerdp3 /v:{target Ip} /cert:ignore /u:Administrator and a blank password gains us access (/cert:ignore : specifies to the scripts that all security certificate usage should be ignored, /u:Administrator : specifies the login username to be “Administrator”)
On the desktop of the machine, we now have remote access to is a file with the flag inside, read the contents and capture the flag.
Comments