ElMariachi-PC ~ PwnTillDawn Walkthrough

Astik Rawat
Mar 27, 2021

Hi, I am Astik Rawat, and I hope everyone is doing well. Here is my walkthrough for Host 69 (FLAG67) from PwnTillDawn. I will go straight into it, and I hope you learn something from it.

PwnTillDawn

After connecting to the VPN and pinging the host, I scanned all the open ports on the host using Nmap as follows:

Nmap All Ports

I found that a few known ports and a few higher ports were open, so I decided to check the running services on all the open ports.

Nmap: Services Version and Scripts

After the scan finished, I saw nothing much relevant from the known ports other than basic information about the target. But for port 60000, I found something interesting. So first I visited the target on port 60000 and found out I needed credentials to log into it.

So I searched for ThinVNC exploits on searchsploit and found one, but it didn’t work, so I started to look on open source websites and Metasploit while making changes to the exploit I found through searchsploit.

The one that worked for me was the exploit I found on Metasploit.

msfconsole

I changed all the necessary options on it to check if it worked.

msfconsole

Then I just ran the exploit and voilà, it worked perfectly and I received the user credentials.

Credentials Dump

Then I went to Rdesktop and tried to log in as the user with the credentials, and then I found the FLAG67 on the Desktop.

Flag67

Alternative: Instead of using Rdesktop to log in, we can also use the browser to access the target on port 60000 and enter the credentials. ThinVNC is a web remote desktop.

Flag67

I hope you enjoy this walkthrough and get to learn something new.

Also, I would like to give credit to Wizlynx and PwnTillDawn for such an amazing free platform to sharpen your pen-testing skills.

If you enjoyed this walkthrough and are looking for more in the future, please follow me and connect with me on LinkedIn.

LinkedIn: https://www.linkedin.com/in/astikrawat/
