TryHackMe: Net Sec Challenge Write-up

Onur Alp Akin
3 min readApr 11, 2023

Check out the Net Sec Challenge room on TryHackMe

Original Publish Date: Sep 29, 2022

After the virtual machine boots up, I start by scanning it with nmap and piping it to a file (tee -a <file>) (in case I need to look at the results again)

Arguments I’m using:

For verbosity -vv

For as much information as possible (version scanning) -A

For the fastest timing policy (also the loudest) -T5

Scan all ports -p-

So the final command would look like this:

nmap -vv -A -T5 -p- | tee -a nmap_results
Nmap results
Nmap results

2.1 — What is the highest port number, being open less than 10,000?

As we can see from the results, it’s where an HTTP node.js server resides.

2.2 — There is an open port outside the common 1000 ports; it is above 10,000. What is it?

Taking a look at the results, there’s only one open port above 10k.

2.3 — How many TCP ports are open?

There are 6 open ports.

2.4 — What is the flag hidden in the HTTP server header?

By running the nmap command above, the flag would be on the right side of lighttpd string.

2.5 — What is the flag hidden in the SSH server header?

It would be under fingerprint-strings in results.

2.6 — We have an FTP server listening on a nonstandard port. What is the version of the FTP server?

By scanning the version info of the port above 10k, we can conclude its version vsftpd x.x.x

2.7 — We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?

Firing up hydra like:

hydra -l quinn -P /usr/share/wordlists/rockyou.txt


hydra -l eddie -P /usr/share/wordlists/rockyou.txt

where -l would be username, -P is password list to use and string is like <protocol>://<host>:<port>

Running the command gives us passwords for ftp

Hydra results
Hydra results

Now using ftp client to connect found accounts with the command:

ftp -P 10021

and listing files/directories with


We can see which account has the flag.

Image of the command line
This account does not have it

Connecting the other account and getting the flag to our computer, so we can cat it.

Found the flag
Read the flag

2.8 — Browsing to http://MACHINE_IP:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?

After experimenting around and reading about evasion techs for nmap I found that this command works decent (note that is the virtual machine's IP):

nmap -vv -f -D RND:5 -T3 -sN

Set verbosity to very verbose -vv

Use tiny fragmented IP packets -f

Decoy scan with random IPs (RND:5) -D

Set timing to normal -T3

Stealth null scan -sN

Nmap completes and our flag appears on the website!