Write-up

Step-by-step guide on the approach taken to pwn the machine.

Task 1: Enumerating Ports (1-9999)

What is the highest port number being open less than 10,000?

We start by running an nmap scan on ports 1-9999:

sudo nmap -p1-9999 <ip_victim>

Answer: 8080

Task 2: Enumerating Ports (10000-65535)

There is an open port outside the common 1000 ports; it is above 10,000. What is it?

To speed up the next scan, we add the -T5 flag for aggressive timing:

sudo nmap -p10000-65535 -T5 <ip_victim>

Answer: 10021

Task 3: Counting Open Ports

How many TCP ports are open?

Using the results from the previous scans, we simply count the number of open ports found to answer this question.

Answer: 6

Task 4: Finding the HTTP Service

What is the flag hidden in the HTTP server header?

The HTTP service is hosted on port 80. We visit the web page at:

http://<ip_victim>:80

In the browser's developer tools (Network tab), we find the flag displayed on the right side.

Task 5: Checking SSH via Telnet

What is the flag hidden in the SSH server header?

For the next task, we need to verify SSH connectivity using telnet:

telnet <ip_victim> 22

Task 6: Investigating FTP on Port 10021

We have an FTP server listening on a nonstandard port. What is the version of the FTP server?

Among the discovered ports, 10021 is marked as unknown. Let's run another nmap scan to investigate further:

sudo nmap -sV -p10021 <ip_victim>

Task 7: Brute-Forcing FTP Credentials

We learned two usernames using social engineering: eddie and quiin. What is the flag hidden in one of these two account files and accessible via FTP?

To brute-force the FTP credentials, we use Hydra with the rockyou.txt wordlist. We start with the user eddie:

hydra -l eddie -P /usr/share/wordlists/rockyou.txt ftp://<ip_victim>:10021

We found the password; however, there was no content in the FTP directory. Let's try the other user quinn:

hydra -l quinn -P /usr/share/wordlists/rockyou.txt ftp://<ip_victim>:10021 -v

This attempt is successful.

Task 8: Stealth Scanning for the Final Flag

Browsing to http://MACHINE_IP:8080 displays a small challenge that give you a flag once you solve it. What is the flag?

For the final task, we access the web service on port 8080:

http://<ip_victim>:8080

We are instructed to perform a cautious scan to avoid detection by the IDS. To achieve this, we use a null scan:

sudo nmap -sN <ip_victim>

After the scan completes, we revisit the web page to find the final flag.

PreviousNet Sec Challenge NextTechnical Report

Last updated 5 months ago