After the virtual machine boots, I start by scanning it with nmap and saving the output with tee -a <file>, in case I need to look at the results again (-a appends, so repeated scans accumulate in the same file).
Arguments I'm using:
-vv for very verbose output, so open ports are reported as they are found
-A for as much information as possible (OS detection, version scanning, default NSE scripts and traceroute)
-T5 for the fastest timing template (also the loudest)
-p- to scan all 65535 TCP ports
So the final command would look like this:
nmap -vv -A -T5 -p- 10.10.35.177 | tee -a nmap_results
(-T5 trades accuracy for speed; if a port you expect to be open is missing from the results, rerun with -T4.)
2.1 — What is the highest port number, being open less than 10,000?
As the results show, that is the port where the HTTP node.js server lives.
2.2 — There is an open port outside the common 1000 ports; it is above 10,000. What is it?
Looking at the results, there is only one open port above 10,000.
2.3 — How many TCP ports are open?
There are 6 open ports.
2.4 — What is the flag hidden in the HTTP server header?
In the output of the nmap command above, the flag is on the right-hand side of
2.5 — What is the flag hidden in the SSH server header?
It sits under fingerprint-strings in the results for the SSH port (that block is where nmap prints the raw data a service sent back to its version probes).
2.6 — We have an FTP server listening on a nonstandard port. What is the version of the FTP server?
The version column for the port above 10,000 in the -A results gives us the FTP server version.
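To answer 2.1 to 2.3 and 2.6 from the saved nmap_results file instead of reading through it by eye, the helper below parses nmap's normal output (the same format tee saved above). It is an added example, not part of the original write-up; the scan lines embedded in it are a constructed sample, not this machine's real results.

```shell
#!/bin/sh
# Added example, not from the original write-up: answer the port questions
# from nmap's normal output (the format saved with `tee` above).
# Every function reads that output on stdin, e.g.:  count_open_tcp < nmap_results

# Constructed sample of nmap normal output -- NOT the target's real scan.
SAMPLE_SCAN='PORT      STATE    SERVICE  VERSION
22/tcp    open     ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
443/tcp   open     ssl/http nginx 1.18.0
8080/tcp  open     http     Node.js Express framework
10021/tcp open     ftp      exampleftpd 1.2.3
10022/tcp filtered unknown'

# Emit "<port> <service> <version>" for every open TCP port.
open_tcp_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
        split($1, p, "/"); line = p[1] " " $3
        $1 = $2 = $3 = ""; sub(/^ +/, "")      # what is left is the VERSION column
        if ($0 != "") line = line " " $0
        print line
    }'
}

# 2.3: how many TCP ports are open?
count_open_tcp() { open_tcp_ports | wc -l | tr -d ' '; }

# 2.1: highest open port below a limit (default 10000)
highest_open_below() {
    open_tcp_ports | awk -v lim="${1:-10000}" '$1 + 0 < lim + 0 && $1 + 0 > max + 0 { max = $1 } END { print max + 0 }'
}

# 2.2: open ports above a limit (default 10000), one per line
open_above() {
    open_tcp_ports | awk -v lim="${1:-10000}" '$1 + 0 > lim + 0 { print $1 }'
}

# 2.6: version string nmap reported for a service (e.g. ftp)
service_version() {
    open_tcp_ports | awk -v svc="$1" '$2 == svc { $1 = $2 = ""; sub(/^ +/, ""); print }'
}

# Demo on the constructed sample; against the real scan use e.g.  count_open_tcp < nmap_results
printf '%s\n' "$SAMPLE_SCAN" | count_open_tcp
printf '%s\n' "$SAMPLE_SCAN" | highest_open_below 10000
printf '%s\n' "$SAMPLE_SCAN" | open_above 10000
printf '%s\n' "$SAMPLE_SCAN" | service_version ftp
```

The filter keys on the "<port>/tcp  open" shape of nmap's port table, so the indented "| script" and fingerprint-strings lines that -A adds are ignored, and filtered or closed ports are not counted.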
2.7 — We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?
Firing up hydra against each username:
hydra -l quinn -P /usr/share/wordlists/rockyou.txt ftp://10.10.110.109:10021
hydra -l eddie -P /usr/share/wordlists/rockyou.txt ftp://10.10.110.109:10021
-l is the username, -P is the password list to use, and the target is written as service://host:port (here ftp://10.10.110.109:10021, because the FTP server is on the nonstandard port). Running the commands gives us the FTP passwords for both accounts.
Now we connect to each found account with the ftp client (substitute your own machine's IP):
ftp 10.10.35.177 -P 10021
(if your ftp client does not accept -P, the portable form is ftp <host> <port>) and list files and directories with ls. We can see which account has the flag. Connecting with the other account and downloading the flag file with get to our computer, so we can
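Once hydra has found the passwords, the whole FTP step (list both home directories, fetch the flag) can be done non-interactively with curl. The helper below is an added example, not the original post's commands; it assumes hydra's stdout was saved with tee and that curl is installed, and the hydra lines in it are a constructed sample with made-up passwords.

```shell
#!/bin/sh
# Added example, not from the original write-up: parse hydra's hits and use
# them with curl for a non-interactive FTP listing/download.
# Assumes hydra's stdout was saved (e.g. hydra ... | tee hydra_results) and
# that curl is installed. hydra_hits reads that output on stdin.

# Constructed sample of hydra output -- the passwords are made up.
SAMPLE_HYDRA='[DATA] attacking ftp://10.10.110.109:10021/
[10021][ftp] host: 10.10.110.109   login: eddie   password: examplepass1
[10021][ftp] host: 10.10.110.109   login: quinn   password: example pass2
1 of 1 target successfully completed, 2 valid passwords found'

# Emit "host port login password" for every credential hydra reports.
hydra_hits() {
    awk '/^\[[0-9]+\]\[[a-z0-9-]+\] host: / {
        port = substr($1, 2, index($1, "]") - 2)
        for (i = 2; i < NF; i++) {
            if ($i == "host:")  host = $(i + 1)
            if ($i == "login:") user = $(i + 1)
        }
        pass = $0; sub(/.*password: /, "", pass)   # keeps passwords that contain spaces intact
        print host, port, user, pass
    }'
}

# Directory listing / file download over FTP, no interactive session needed.
# usage: ftp_ls HOST PORT USER PASS [DIR]    ftp_get HOST PORT USER PASS FILE
ftp_ls()  { curl -s --user "$3:$4" "ftp://$1:$2/${5:-}"; }
ftp_get() { curl -s --user "$3:$4" "ftp://$1:$2/$5" -o "$(basename "$5")"; }

# List every cracked account's home directory to see which one holds the flag.
list_all_homes() {          # reads hydra output on stdin
    hydra_hits | while read -r host port user pass; do
        echo "== $user@$host:$port =="
        ftp_ls "$host" "$port" "$user" "$pass"
    done
}

# Demo on the constructed sample; against the real box use:
#   list_all_homes < hydra_results
#   ftp_get 10.10.110.109 10021 <user> '<password>' <file>
printf '%s\n' "$SAMPLE_HYDRA" | hydra_hits
```

read -r assigns everything after the third word to pass, so a password with spaces survives the round trip from hydra's output into the curl call.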
2.8 — Browsing to
http://MACHINE_IP:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?
After experimenting and reading about nmap's firewall/IDS evasion options, I found that this command works well (note that 10.10.110.109 is the virtual machine's IP):
nmap -vv -f -D RND:5 -T3 -sN 10.10.110.109
-vv sets verbosity to very verbose
-f splits the probes into tiny fragmented IP packets
-D RND:5 runs a decoy scan with five randomly generated decoy addresses (our real address is mixed in among them)
-T3 sets the timing template to normal (the default)
-sN is a TCP null scan: probes with no flags set, to which an open port stays silent and a closed port answers with RST
Fragmentation, decoys and the null scan all need raw sockets, so run this as root (sudo). Once nmap completes, our flag appears on the website!