Technical Report

Detailed analysis for technical teams, covering methodologies, tools, and findings.

Technical Security Report: "Net Sec Challenge" System

Purpose of the Report

This document provides a detailed technical assessment of the target system used in the challenge. The objective is to outline, in a structured manner, the vulnerabilities identified and the methodologies applied to extract the required flags. Additionally, the report offers insights into the tactics employed, from initial reconnaissance to IDS evasion.

Methodology

The security evaluation was performed in the following phases:

  1. Reconnaissance: Identification of open ports and running services using automated scanning tools.

  2. Enumeration: Verification of service details, counting available ports, and accessing exposed web interfaces.

  3. Exploitation: Utilizing brute-force techniques to gain unauthorized access to services.

  4. Stealth Techniques: Executing IDS-evasive scanning to prevent detection.

Detailed Findings

1. Reconnaissance

Tool Used: nmap Command Executed:

sudo nmap -p1-9999 <target_ip>

Description: A comprehensive scan of ports 1 through 9999 was conducted to detect open services.

Results:

  • Port 22: SSH Service

  • Port 80: HTTP Service

  • Port 139: netbios-ssn Service

  • Port 445: microsoft-ds Service

  • Port 8080: http-proxy Service

Impact: These open ports indicate potential entry points for an attacker. Given that port 80 serves a web application, it was prioritized for analysis.

2. Extended Port Enumeration

Tool Used: nmap Command Executed:

sudo nmap -p10000-65535 -T5 <target_ip>

Results: Additional ports were confirmed as active, allowing for a complete service map.

Impact: Knowledge of all open ports was crucial to prioritize subsequent testing phases.

3. Web Service Exploration

Observation:

  • The HTTP service running on port 80 was accessed via a web browser at http://<target_ip>:80.

  • Using the browser console, specifically the network section, a flag was identified.

Impact: The web interface provided an early indicator of sensitive information hosted on the target.

4. SSH Service Verification

Tool Used: Telnet Command Executed:

telnet <target_ip> 22

Description: A basic connection attempt to the SSH service on port 22 was performed to confirm its availability.

Results: SSH service was responsive, though not further exploited in this exercise.

Impact: Confirms multiple entry points that could be used for lateral movement.

5. FTP Service Identification and Brute-Force Exploitation

Service Discovery:

  • Among the discovered ports, port 10021 was flagged as “unknown.”

  • A version scan was conducted:

sudo nmap -sV -p10021 <target_ip>

Findings: The service on port 10021 was identified as an FTP service.

  • Brute-Force Attempt 1:

    hydra -l eddie -P /usr/share/wordlists/rockyou.txt ftp://<target_ip>:10021

    Result: Successfull login but nothing important to see.

  • Brute-Force Attempt 2:

    hydra -l quinn -P /usr/share/wordlists/rockyou.txt ftp://<target_ip>:10021 -v

    Result: Successful authentication.

Post-Exploitation:

  • Established FTP connection and retrieved the file ftp_flag.txt.

Impact: Demonstrates how weak credentials can be exploited to access sensitive files

6. IDS Evasion and Final Scanning

Objetive: Perform a stealthy scan to avoid triggering the Intrusion Detection System (IDS).

Tool Used: nmap Command Executed:

sudo nmap -sN <target_ip>

Description: A null scan was employed to send packets with no flags set, minimizing the chance of IDS detection.

Results: Accessing http://<target_ip>:8080 via a web browser after the scan revealed additional content, thereby fulfilling the final challenge requirement.

Impact: Showcases the importance of stealth scanning when operating under active monitoring conditions.

Recommendations

Short-Term Actions

  • Harden network perimeter configurations to restrict access to non-essential services.

  • Enforce strong authentication mechanisms to mitigate brute-force attacks.

  • Review and update IDS/IPS configurations to detect non-traditional scanning methods.

Long-Term Actions

  • Regularly perform security audits and vulnerability assessments to uncover misconfigurations and weak credentials.

  • Implement continuous monitoring solutions to proactively detect suspicious activity.

  • Educate system administrators on the importance of minimizing exposed services and enforcing robust password policies.

Conclusion

The challenge was successfully completed by systematically applying reconnaissance, enumeration, and exploitation techniques. Each phase—ranging from initial port scanning to stealthy IDS evasion—was crucial in uncovering the required flags and highlights the risks associated with exposed and weakly secured services. Addressing the identified vulnerabilities through the outlined recommendations will significantly improve the overall security posture.

PreviousWrite-upNextExecutive Report

Last updated