TryHackMe: Net Sec Challenge Write-up
Check out the Net Sec Challenge room on TryHackMe
Original Publish Date: Sep 29, 2022
After the virtual machine boots up, I start by scanning it with nmap and piping the output to a file (tee -a <file>), in case I need to look at the results again.
Arguments I'm using:
-vv for very verbose output
-A for as much information as possible (version scanning)
-T5 for the fastest timing policy (also the loudest)
-p- to scan all ports
So the final command would look like this:
nmap -vv -A -T5 -p- 10.10.35.177 | tee -a nmap_results
2.1 — What is the highest port number, being open less than 10,000?
As we can see from the results, it’s where an HTTP node.js server resides.
2.2 — There is an open port outside the common 1000 ports; it is above 10,000. What is it?
Taking a look at the results, there’s only one open port above 10k.
2.3 — How many TCP ports are open?
There are 6 open ports.
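Questions 2.1 to 2.3 (and the version check in 2.6) are all answered by reading the port table out of the saved scan. The helper below is an added example, not part of the original write-up: it parses the PORT/STATE/SERVICE/VERSION lines of nmap's normal output and computes those answers. The sample output it runs on is constructed; its ports, services and versions are made up and are not the room's real results.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample in the layout of nmap's normal output. Values are made up.
SAMPLE_NMAP_OUTPUT = """\
PORT      STATE  SERVICE     VERSION
22/tcp    open   ssh         OpenSSH 8.2p1
80/tcp    open   http        lighttpd 1.4.55
139/tcp   open   netbios-ssn
445/tcp   closed microsoft-ds
8080/tcp  open   http        Node.js Express framework
10021/tcp open   ftp         vsftpd 3.0.3
"""


class OpenPort(NamedTuple):
    port: int
    proto: str
    service: str
    version: str


# <port>/<proto>  <state>  <service>  [<version ...>]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_open_ports(text: str) -> List[OpenPort]:
    """Return only the ports nmap reports as open; header and closed/filtered lines are skipped."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, banner or any other non-port line
        port, proto, state, service, version = m.groups()
        if state != "open":
            continue
        found.append(OpenPort(int(port), proto, service, (version or "").strip()))
    return found


def summarize(ports: List[OpenPort]) -> Dict[str, object]:
    """Answers for 2.1 (highest open TCP port below 10,000), 2.2 (ports above 10,000), 2.3 (count)."""
    tcp = [p.port for p in ports if p.proto == "tcp"]
    below = [p for p in tcp if p < 10000]
    above = [p for p in tcp if p > 10000]
    return {
        "open_tcp_count": len(tcp),
        "highest_below_10000": max(below) if below else None,
        "above_10000": sorted(above),
    }


def service_version(ports: List[OpenPort], port: int) -> Optional[str]:
    """Version string nmap detected on a port, or None if it found none (2.6)."""
    for p in ports:
        if p.port == port:
            return p.version or None
    return None
```

Running it on the sample gives 5 open TCP ports, 8080 as the highest below 10,000, 10021 as the only port above 10,000, and "vsftpd 3.0.3" for that port.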
2.4 — What is the flag hidden in the HTTP server header?
In the output of the nmap command above, the flag sits to the right of the lighttpd string.
2.5 — What is the flag hidden in the SSH server header?
It is under fingerprint-strings in the results.
2.6 — We have an FTP server listening on a nonstandard port. What is the version of the FTP server?
From the version information for the port above 10k, we can conclude that the FTP server is vsftpd x.x.x.
2.7 — We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?
Firing up hydra like:
hydra -l quinn -P /usr/share/wordlists/rockyou.txt ftp://10.10.110.109:10021
and
hydra -l eddie -P /usr/share/wordlists/rockyou.txt ftp://10.10.110.109:10021
where -l is the username, -P is the password list to use, and the target string has the form <protocol>://<host>:<port>.
Running the commands gives us the FTP passwords.
Now we use the ftp client to connect to the found accounts with the command:
ftp 10.10.35.177 -P 10021
and list files and directories with ls to see which account has the flag.
Connecting with the other account, we download the flag to our computer so we can cat it.
2.8 — Browsing to http://MACHINE_IP:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?
After experimenting and reading about evasion techniques for nmap, I found that this command works decently (note that 10.10.110.109 is the virtual machine's IP):
nmap -vv -f -D RND:5 -T3 -sN 10.10.110.109
-vv sets verbosity to very verbose
-f uses tiny fragmented IP packets
-D RND:5 runs a decoy scan with five random IPs
-T3 sets timing to normal
-sN performs a stealth null scan
Nmap completes and our flag appears on the website!
Further reading:
Firewall/IDS Evasion and Spoofing
How can the nmap tool be used to evade a firewall/IDS?
Thanks for reading.