Tutorial: Using web command injection to gain remote desktop on Windows web server

Blog Post created by webpwnized on Jun 22, 2012

In this video, a reasonably hardened Windows web server is hosting Mutillidae, a deliberately vulnerable web application. Mutillidae contains a web command injection vulnerability. A Backtrack host is also running on the same network (a VirtualBox host-only network).


Using command injection, remote desktop (RDP) access is gained to the Windows web server. The web server is configured with a firewall protecting the RDP port. The RDP service is also stopped and disabled, and registry settings are set to keep RDP's underlying service (Terminal Services) from running. Additionally, there are no users in the Remote Desktop Users group. By exploiting the command injection vulnerability, Terminal Services is enabled and started, the registry is altered, the firewall is opened, a user (root) is added, and that user is placed in the Remote Desktop Users group. Once the exploit is complete, grdesktop from Backtrack is used to remote into the Windows box over an RDP session.
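The chain above leaves a distinctive trail in the Windows System and Security logs, which is what a defender would watch for. As an added example (not from the video, Mutillidae, or Backtrack), the script below correlates those entries and flags a host where most of the stages appear inside a short window. The pipe-separated log format and the sample lines are constructed; the event IDs are the standard Windows IDs for each change (7040 service start type, 4657 registry value, 4946 firewall exception, 4720 user created, 4732 local group membership).

```python
from datetime import datetime, timedelta

# Constructed sample log in a simplified "timestamp|event_id|detail" form,
# mirroring the sequence of changes made through the command injection.
SAMPLE_LOG = """\
2012-06-22T10:00:01|4624|Logon: web server worker account
2012-06-22T10:00:15|7040|TermService start type changed from disabled to auto
2012-06-22T10:00:16|4657|Registry value modified: Terminal Server connection policy
2012-06-22T10:00:18|4946|Firewall rule added: Remote Desktop (TCP-In)
2012-06-22T10:00:20|4720|User account created: root
2012-06-22T10:00:21|4732|Member root added to local group: Remote Desktop Users
"""

# Chain stage per event ID: (label, predicate that narrows the event to RDP).
STAGES = {
    "7040": ("Terminal Services start type changed", lambda d: "TermService" in d),
    "4657": ("Terminal Server registry value modified", lambda d: "Terminal Server" in d),
    "4946": ("firewall exception added for Remote Desktop", lambda d: "Remote Desktop" in d),
    "4720": ("local user account created", lambda d: True),
    "4732": ("member added to Remote Desktop Users", lambda d: "Remote Desktop Users" in d),
}
WINDOW = timedelta(minutes=10)  # assumed correlation window

def parse_event(line):
    ts, event_id, detail = line.split("|", 2)
    return datetime.fromisoformat(ts), event_id, detail

def detect_rdp_enablement(log_text, min_stages=4):
    """Slide WINDOW over the time-ordered events and return (alert, stages):
    the largest set of distinct chain stages seen in one window, and whether
    it reaches min_stages. A single stage on its own never alerts."""
    events = sorted(parse_event(l) for l in log_text.splitlines() if l.strip())
    best = {}
    for i, (start, _, _) in enumerate(events):
        seen = {}
        for ts, eid, detail in events[i:]:
            if ts - start > WINDOW:
                break
            if eid in STAGES and STAGES[eid][1](detail):
                seen.setdefault(eid, STAGES[eid][0])
        if len(seen) > len(best):
            best = seen
    return len(best) >= min_stages, best
```

Running `detect_rdp_enablement(SAMPLE_LOG)` on the constructed log alerts with all five stages; the same events spread over hours, or an ordinary account creation alone, do not.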


The video also discusses the defect and the configuration mistakes that allowed the exploit to take place.