The access that we have just now is mildly revolting though. ThinVNC does not provide the nicest interface to use, and we struggle to use a lot of the functionality of the machine through it.

Cast your mind back to our initial enumeration. Remember we found that Microsoft Remote Desktop Services were running on port 3389? Assuming we have the proper credentials, we can connect to this from Linux using a tool called xfreerdp.

The syntax for using xfreerdp looks like this:
xfreerdp /v: /u:USERNAME /p:PASSWORD /cert:ignore +clipboard /dynamic-resolution /drive:share,/tmp

There’s a bunch of stuff going on here, so let’s break each switch down:

  • /v: — this is where we specify what we want to connect to.
  • /u:USERNAME /p:PASSWORD — here we would substitute in a valid username/password combination.
  • /cert:ignore — RDP connections are encrypted. If our attacking machine doesn’t recognise the certificate presented by the machine we are connecting to it will warn us and ask if we wish to proceed; this switch simply ignores that warning automatically.
  • +clipboard — this shares our clipboard with the target, allowing us to copy and paste between our attacking machine and the target machine.
  • /dynamic-resolution lets us resize the GUI window, adjusting the resolution of our remote session automatically.
  • /drive:share,/tmp — our final switch, this shares our own /tmp directory with the target. This is an extremely useful trick as it allows us to execute scripts and programs from our own machine without actually transferring them to the target (we will see this in action later!)
Answer the questions below

Most people take the easy option when it comes to passwords, which makes password reuse incredibly common.

With that in mind, use xfreerdp to connect to the target over RDP.

Windows exploitation is a massive topic which is complicated greatly by the common-place nature of various defence mechanisms — Anti-Virus software being the most well-known of these. Exploiting an up-to-date Windows target with the default defences active is far outwith the scope of this room, so we will assume that the  server has had the defence mechanisms de-activated.