TryHackMe: Net Sec Challenge Write-up

Onur Alp Akin
3 min read · Apr 11, 2023

Check out the Net Sec Challenge room on TryHackMe

Original Publish Date: Sep 29, 2022

After the virtual machine boots up, I start by scanning it with nmap and piping the output to a file with tee -a <file>, in case I need to look at the results again.

Arguments I’m using:

For verbosity -vv

For as much information as possible (version scanning) -A

For the fastest timing template (also the noisiest) -T5

Scan all ports -p-

So the final command would look like this:

nmap -vv -A -T5 -p- 10.10.35.177 | tee -a nmap_results
(Image: Nmap results)

2.1 — What is the highest port number, being open less than 10,000?

As the results show, it is the port on which the Node.js HTTP server is listening.

2.2 — There is an open port outside the common 1000 ports; it is above 10,000. What is it?

Taking a look at the results, there’s only one open port above 10k.

2.3 — How many TCP ports are open?

There are 6 open ports.

2.4 — What is the flag hidden in the HTTP server header?

In the output of the nmap command above, the flag appears right after the lighttpd string in the HTTP server header.

2.5 — What is the flag hidden in the SSH server header?

It appears under fingerprint-strings in the results.

2.6 — We have an FTP server listening on a nonstandard port. What is the version of the FTP server?

The version scan of the port above 10k identifies it as vsftpd x.x.x.
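Questions 2.1 to 2.6 are all answered by reading the port table that nmap prints, so here is a small parser for that table, written as an added example for this write-up (it is not part of the original post and not an nmap feature). The sample output is constructed to look like nmap's normal output format with the -vv REASON column; the addresses, ports and version strings in it are placeholders, not the room's real results.

```python
import re
from dataclasses import dataclass

# Constructed sample in nmap's normal-output format (what `nmap -vv -A` prints
# to the terminal and what `tee` writes to the file). It is NOT the room's real
# output: addresses, ports and version strings are illustrative placeholders.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.0.1
Host is up, received echo-reply ttl 63 (0.045s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE SERVICE     REASON         VERSION
22/tcp    open  ssh         syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu (Ubuntu Linux; protocol 2.0)
80/tcp    open  http        syn-ack ttl 63 lighttpd
139/tcp   open  netbios-ssn syn-ack ttl 63 Samba smbd 4
445/tcp   open  netbios-ssn syn-ack ttl 63 Samba smbd 4
8080/tcp  open  http        syn-ack ttl 63 Node.js (Express middleware)
10021/tcp open  ftp         syn-ack ttl 63 vsftpd X.Y.Z
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One port-table row: "<port>/<proto> <state> <service> [reason] [version]".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)\s*(?P<rest>.*)$"
)
# With -vv nmap inserts a REASON column ("syn-ack ttl 63") before VERSION;
# strip it so only the version text remains.
REASON = re.compile(
    r"^(?:syn-ack|ack|reset|conn-refused|no-response|udp-response|port-unreach)"
    r"(?:\s+ttl\s+\d+)?\s*"
)


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_output(text):
    """Parse the port table out of nmap normal output; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        version = REASON.sub("", m.group("rest"), count=1).strip()
        entries.append(PortEntry(int(m.group("port")), m.group("proto"),
                                 m.group("state"), m.group("service"), version))
    return entries


def open_tcp_ports(entries):
    return sorted(e.port for e in entries if e.proto == "tcp" and e.state == "open")


def highest_open_below(entries, limit):
    ports = [p for p in open_tcp_ports(entries) if p < limit]
    return max(ports) if ports else None


def open_ports_above(entries, limit):
    return [p for p in open_tcp_ports(entries) if p > limit]


def version_of(entries, port, proto="tcp"):
    for e in entries:
        if e.port == port and e.proto == proto:
            return e.version
    return None


if __name__ == "__main__":
    found = parse_nmap_output(SAMPLE_NMAP_OUTPUT)
    print("open TCP ports:", open_tcp_ports(found))
    print("highest open port below 10000:", highest_open_below(found, 10000))
    print("open ports above 10000:", open_ports_above(found, 10000))
    for p in open_tcp_ports(found):
        print(f"{p}/tcp -> {version_of(found, p)!r}")
```

Run it against the file written by tee (read the file into parse_nmap_output instead of the sample) and the three port questions fall out directly; the same parser also works on the greppable -oG output only after converting it, so stick to normal output here.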

2.7 — We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?

Firing up hydra like:

hydra -l quinn -P /usr/share/wordlists/rockyou.txt ftp://10.10.110.109:10021

and

hydra -l eddie -P /usr/share/wordlists/rockyou.txt ftp://10.10.110.109:10021

where -l is the username, -P is the password list to use, and the target is written as <protocol>://<host>:<port>.

Running these commands gives us the FTP passwords.

(Image: Hydra results)

Now I connect with the recovered accounts using the ftp client:

ftp 10.10.35.177 -P 10021

and listing files/directories with

ls

We can see which account has the flag.

(Image: the command line; this account does not have the flag)

Connecting with the other account and downloading the flag file to our machine so we can cat it.

(Image: the flag is found and read)

2.8 — Browsing to http://MACHINE_IP:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?

After some experimentation and reading about nmap's firewall evasion techniques, I found that this command works reasonably well (note that 10.10.110.109 is the virtual machine's IP):

nmap -vv -f -D RND:5 -T3 -sN 10.10.110.109

Set verbosity to very verbose -vv

Use tiny fragmented IP packets -f

Decoy scan with random IPs (RND:5) -D

Set timing to normal -T3

Null scan, which sends TCP packets with no flags set -sN

Nmap completes and our flag appears on the website!
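Each of the evasion flags above leaves its own trace in a packet-filter log, which is the defender's angle on this task. The script below is an added example for this write-up (not from the original post and not an nmap or netfilter component): it classifies constructed log lines written in the style of netfilter's LOG target, with made-up addresses, IDs and times, where 10.10.1.5 plays the scanning host, 198.51.100.7 and 203.0.113.9 stand in for the random addresses -D RND:5 spoofs, and 192.0.2.50 is an ordinary client. A -sN probe shows up as a TCP line with none of the flag tokens, -f shows up as MF/FRAG lines, and the decoys show up as identical probes from several sources in the same second, which is exactly why attribution by source address alone is unreliable against this scan.

```python
import re
from collections import defaultdict

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KEY_VALUE = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines in the style of netfilter's LOG target as it appears
# in syslog. Addresses, ports, IDs and times are made up. 10.10.1.5 plays the
# scanning host; 198.51.100.7 and 203.0.113.9 stand in for the random decoy
# addresses that -D RND:5 spoofs; 192.0.2.50 is an ordinary client.
SAMPLE_FIREWALL_LOG = """\
Sep 29 10:00:00 vm kernel: IN=eth0 OUT= SRC=10.10.1.5 DST=10.10.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=1001 PROTO=TCP SPT=41000 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Sep 29 10:00:00 vm kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.10.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=1002 PROTO=TCP SPT=41000 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Sep 29 10:00:00 vm kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.10.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=1003 PROTO=TCP SPT=41000 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Sep 29 10:00:00 vm kernel: IN=eth0 OUT= SRC=10.10.1.5 DST=10.10.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=1004 PROTO=TCP SPT=41000 DPT=80 WINDOW=1024 RES=0x00 URGP=0
Sep 29 10:00:01 vm kernel: IN=eth0 OUT= SRC=10.10.1.5 DST=10.10.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=47 ID=1005 MF PROTO=TCP INCOMPLETE [8 bytes]
Sep 29 10:00:01 vm kernel: IN=eth0 OUT= SRC=10.10.1.5 DST=10.10.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=47 ID=1005 FRAG:1 PROTO=TCP
Sep 29 10:00:02 vm kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=10.10.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""


def parse_log_line(line):
    """Split a LOG line into KEY=VALUE fields plus the bare flag tokens."""
    m = re.search(r"\bIN=", line)
    if not m:
        return None
    body = line[m.start():]
    fields = dict(KEY_VALUE.findall(body))
    fields["flags"] = {tok for tok in body.split() if "=" not in tok}
    fields["fragment"] = "MF" in fields["flags"] or any(
        tok.startswith("FRAG:") for tok in fields["flags"])
    return fields


def classify(fields):
    """'null_scan': TCP segment with no flags at all (what -sN sends);
    'fragment': IP fragment (what -f produces); 'normal': any other TCP."""
    if fields.get("PROTO") != "TCP":
        return "other"
    if fields["fragment"]:
        return "fragment"
    if not (fields["flags"] & TCP_FLAGS):
        return "null_scan"
    return "normal"


def summarize(text):
    null_ports = defaultdict(set)       # src -> destination ports probed
    fragments = defaultdict(int)        # src -> fragment count
    per_second = defaultdict(set)       # "Mon DD HH:MM:SS" -> null-scan sources
    for line in text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        kind = classify(fields)
        src = fields["SRC"]
        if kind == "null_scan":
            null_ports[src].add(int(fields["DPT"]))
            per_second[line[:15]].add(src)
        elif kind == "fragment":
            fragments[src] += 1
    # Several sources sending identical null probes in the same second is the
    # signature of a decoy scan: the log alone cannot say which one is real.
    correlated = [(sec, sorted(srcs)) for sec, srcs in sorted(per_second.items())
                  if len(srcs) > 1]
    return {
        "null_scan_sources": {s: sorted(p) for s, p in null_ports.items()},
        "fragment_sources": dict(fragments),
        "correlated": correlated,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FIREWALL_LOG).items():
        print(key, value)
```

The practical consequence for the blue team is that a null-flag or fragmented TCP packet is a strong alert on its own (no legitimate stack sends either), while the source address of such a packet should be treated as untrusted input rather than as something to block reflexively, since the decoys are chosen by the scanner.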
