Attacking RDP

ℹ️ Informations¶

🌐 Website: HackTheBox
📚 Module: Attacking Common Services
🔗 Link: Attacking RDP

RDP to 10.129.203.13 (ACADEMY-ATTCOMSVC-WIN-01) with user "htb-rdp" and password "HTBRocks!"

❓Question¶

What is the name of the file that was left on the Desktop? (Format example: filename.txt)

📋 Walkthrough¶

Just connect to RDP

Answer

pentest-notes.txt

❓Question¶

Which registry key needs to be changed to allow Pass-the-Hash with the RDP protocol?

📋 Walkthrough¶

Read the module

Answer

DisableRestrictedAdmin

❓Question¶

Connect via RDP with the Administrator account and submit the flag.txt as you answer.

📋 Walkthrough¶

File content:

We found a hash from another machine Administrator account, we tried the hash in this computer but it didn't work, it doesn't have SMB or WinRM open, RDP Pass the Hash is not working.

User: Administrator
Hash: 0E14B9D6330BF16C30B1924111104824

Let's edit regedit key

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Now try PtH Flag is on Administrator Desktop

Answer

HTB{RDP_P4$$_Th3_H4$#}