
Elmariachi-PC Writeup PwnTillDawn


> Information Gathering
Fire up nmap as usual. From the scan we can see port 445 (SMB), 3389 (RDP) and 60000 (ThinVnc). The first two ports are common in Windows environments, but port 60000 is something one hardly comes across on a default Windows install, so it is worth a closer look.

When we launched our browser and navigated to the high port http://10.150.150.69:60000/, an HTTP login prompt appeared. On the login form there is a message right above the username field, which reads: The site says: "ThinVnc".

Whenever I see something strange, the first thing I do is perform a quick Google search. Searching for default credentials on ThinVnc led to the discovery of an authentication bypass vulnerability which affects this application.

Reading the blog post from Red Team Zone shows how we can manually grab credentials and bypass the HTTP login form.

To exploit this, we need to capture a request to the index page in Burp Suite. Once the request is captured, we forward it to Repeater.

The Red Team Zone post explains that we need to send a request for /admin/../../ThinVnc.ini. ThinVnc stores its login credentials in the ThinVnc.ini file, and the ../ segments in the path walk out of the admin directory to reach that file without authenticating, so if the server honours them we can grab the credentials directly. After sending the request, we found valid credentials: User=desperado & Password=TooComplicatedToGuessMeAhahahahahahahh.
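To show why this traversal works and how to spot it in web-server logs, here is an added Python example that is not part of the original writeup and not ThinVnc's code: it models the bug class (authorising on the raw URL prefix before canonicalising the path) beside a hardened version, and flags requests for ThinVnc.ini that carry traversal sequences in constructed access-log lines. The web root /www, the /admin/ prefix and the log format are assumptions.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed model of the bug class behind the ThinVnc traversal above.
# It is NOT ThinVnc's code: the web root and the /admin/ prefix are assumptions.
WEB_ROOT = "/www"
CONFIG_FILE = "ThinVnc.ini"   # file the writeup reads to obtain credentials


def resolve_vulnerable(url_path: str) -> Optional[str]:
    """Flawed handler: checks the raw URL prefix, then joins it to the web root
    without canonicalising, so '..' segments still escape the admin tree."""
    if not url_path.startswith("/admin/"):
        return None
    return WEB_ROOT + url_path          # e.g. /www/admin/../../ThinVnc.ini


def resolve_hardened(url_path: str) -> Optional[str]:
    """Decode, canonicalise, then authorise on the resolved path and refuse to
    serve the credentials file even from inside the allowed tree."""
    decoded = unquote(url_path)          # %2e%2e -> ..
    canonical = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if not canonical.startswith(WEB_ROOT + "/admin/"):
        return None                      # resolved outside the admin tree
    if posixpath.basename(canonical) == CONFIG_FILE:
        return None                      # never expose the config file
    return canonical


# Constructed access-log lines ("METHOD PATH PROTOCOL STATUS"); not real traffic.
SAMPLE_LOG = [
    "GET /admin/ HTTP/1.1 200",
    "GET /admin/../../ThinVnc.ini HTTP/1.1 200",
    "GET /admin/%2e%2e/%2e%2e/ThinVnc.ini HTTP/1.1 200",
    "GET /admin/js/app.js HTTP/1.1 200",
]


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, raw path) for requests whose decoded path contains a
    traversal sequence and targets the ThinVnc.ini file."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        parts = line.split()
        if len(parts) < 2:
            continue
        decoded = unquote(parts[1]).lower()
        if ("../" in decoded or "..\\" in decoded) and decoded.endswith("thinvnc.ini"):
            hits.append((n, parts[1]))
    return hits
```

The hardened resolver rejects both the plain and the percent-encoded traversal, and the log check catches both forms because it decodes before matching.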

We have valid credentials; what can we do next? Let's log on to the ThinVnc application with User=desperado & Password=TooComplicatedToGuessMeAhahahahahahahh.

The credentials worked and we have access to the ThinVnc dashboard. Unfortunately, there isn't much we can do there. Looks like we hit a roadblock.

Going back to nmap, remember that port 3389 (RDP) was open. What's RDP? Remote Desktop Protocol (RDP) provides access to a desktop or application hosted on a remote host. It allows you to connect to, access and control data and resources on a remote host as if you were working locally. Why don't we try to connect over RDP using the credentials we found? If the same password works there, the ThinVnc account is reused for a Windows logon.

To connect over RDP, I ran the command xfreerdp /u:desperado /v:10.150.150.69 /p:TooComplicatedToGuessMeAhahahahahahahh +clipboard /dynamic-resolution.

> Post Exploitation

This target does not need post-exploitation, but to challenge yourself, why don't you try to spawn a reverse shell on the target and find your way up to NT AUTHORITY\SYSTEM. Good luck researcher…:)

Reference: PwnTillDawn Online battlefield

This post is licensed under CC BY 4.0 by the author.