# Write-up

### <mark style="color:purple;">Task 1: Enumerating Ports (1-9999)</mark>

*<mark style="color:blue;">What is the highest port number being open less than 10,000?</mark>*

We start by running an **nmap** scan of ports 1-9999. Run with `sudo`, nmap defaults to a SYN scan (`-sS`), which needs raw-socket privileges but is faster than the unprivileged connect scan:

```bash
sudo nmap -p1-9999 <ip_victim>
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXeImgs0W9reK0UzPblSwk0l6I0cPUsEpxNbYS6eLaUutOBqMWU1y4ZX18PZAVjKztBIMqV1zsmEP7sXa0m-w7cix3Bhb4SFV_JLmkjx9Ho6E1SetExOQxIfHnGZWRHEkVXqqXEQSg?key=E-EmvjtgDhx2M9hAjQ6keAP8" alt="" width="375"><figcaption></figcaption></figure>

<mark style="color:blue;">Answer:</mark> 8080

***

### <mark style="color:purple;">Task 2: Enumerating Ports (10000-65535)</mark>

*<mark style="color:blue;">There is an open port outside the common 1000 ports; it is above 10,000. What is it?</mark>*

The remaining range is much larger, so we add the **-T5** flag, nmap's fastest ("insane") timing template. It trades accuracy for speed and can miss ports on a slow or lossy link; if the result looks incomplete, rerun with `-T4`:

```bash
sudo nmap -p10000-65535 -T5 <ip_victim>
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfS_qj3RTiecr66fKRcHu48tf4z53gZNzUDxTs9S2UWNRbd3w0P-0EwOGpxnB49LJ3sKSmvaX9fbl7pY6pbF-SlM35LPbIKnT1_v9A8mSKOaD7NztV9acegpY9kYkoBewiA2SS3Iw?key=E-EmvjtgDhx2M9hAjQ6keAP8" alt="" width="375"><figcaption></figcaption></figure>

<mark style="color:blue;">Answer:</mark> 10021

***

### <mark style="color:purple;">Task 3: Counting Open Ports</mark>

*<mark style="color:blue;">How many TCP ports are open?</mark>*

The two scans together cover the whole TCP port range (1-9999 and 10000-65535), so adding up the ports reported as `open` in both gives the answer. Note that the default top-1000 scan would not have found 10021 at all.

<mark style="color:blue;">Answer:</mark> 6

***

### <mark style="color:purple;">Task 4: Finding the HTTP Service</mark>

*<mark style="color:blue;">What is the flag hidden in the HTTP server header?</mark>*

The HTTP service is hosted on port **80**. We open the page in a browser:

```bash
http://<ip_victim>:80
```

In the browser's developer tools (Network tab), select the request for the page and look at the response headers in the right-hand pane: the `Server` header carries the flag. Any client that shows raw response headers (a `HEAD` request from the command line, for instance) reveals the same value without a browser.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdcHEhladHhlhes5Hz5cOuh-BBNh7ueft4KjEghRFx_XsgvTl4HNWrHMsLSx7zFoCA6s7zSQ0oN-IFQ83u9eVkd_KquEyhI-EmTlg-xnszO_AGmBZtv-g3yeVfBOj3uGhWxlOe2?key=E-EmvjtgDhx2M9hAjQ6keAP8" alt="" width="375"><figcaption></figcaption></figure>

***

### <mark style="color:purple;">Task 5: Checking SSH via Telnet</mark>

*<mark style="color:blue;">What is the flag hidden in the SSH server header?</mark>*

For the next task we grab the SSH banner with **telnet**. telnet is not an SSH client, but that is the point: the SSH server sends its identification string (`SSH-2.0-...`) as soon as the TCP connection is up, before any key exchange, so any raw TCP client (telnet or `nc`) can read it, and the flag is embedded in that string. Once the banner is on screen, press Ctrl+] and type `quit` to leave telnet:

```bash
telnet <ip_victim> 22
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcUtthmL1u5aRsdjDVuoIxGtwxn_46RTfTI9Cpvd2_WMxrrEZybaGeDgQBa-vLJHtLuUNagUxB6GI-ANYkvfSxvt90gk5zsbpXK6LgaIOBeG2mYxYr65JVkuhqQKdoKda2z5oLFGw?key=E-EmvjtgDhx2M9hAjQ6keAP8" alt="" width="375"><figcaption></figcaption></figure>
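Tasks 4 and 5 are the same technique, banner grabbing, applied to two protocols. The following script is an added example, not code from the original write-up: it reads the HTTP `Server` header with a minimal `HEAD` request and the SSH identification string straight off the socket, and it separates the parsing from the network I/O so the parsers can be exercised offline. The sample responses and the `THM{...}` values in them are constructed placeholders, not the real flags, and `banner_grab.py` is a hypothetical file name.

```python
import socket
import sys
from typing import Optional

# Constructed sample responses (not captured from the challenge machine). They
# mimic what an HTTP server on port 80 and an SSH server on port 22 send, so the
# parsers can be exercised offline; the flag values are placeholders.
SAMPLE_HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: lighttpd/1.4.59 THM{example_http_flag}\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_8.2p1 THM{example_ssh_flag}\r\n"


def parse_http_server_header(raw: bytes) -> Optional[str]:
    """Return the value of the Server response header, or None if absent.

    Only the header block (up to the first blank line) is examined, so a
    'Server:' string in the body is ignored; header names are matched
    case-insensitively, as HTTP requires.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # element 0 is the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("utf-8", "replace")
    return None


def parse_ssh_banner(raw: bytes) -> Optional[str]:
    """Return the SSH identification string (RFC 4253, section 4.2), or None.

    A server may send arbitrary lines before it; the identification line is
    the first one beginning with 'SSH-'.
    """
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            return line.decode("utf-8", "replace")
    return None


def grab_http_server_header(host: str, port: int = 80, timeout: float = 5.0) -> Optional[str]:
    """Send a minimal HEAD request and return the Server header the target sends."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in data:  # read until the header block is complete
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_http_server_header(data)


def grab_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> Optional[str]:
    """Read the SSH server's identification string; the server speaks first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = sock.recv(1024)
    return parse_ssh_banner(data)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]  # usage: python3 banner_grab.py <ip_victim>
        print("HTTP Server header:", grab_http_server_header(target))
        print("SSH banner:", grab_ssh_banner(target))
    else:
        print("Sample HTTP Server header:", parse_http_server_header(SAMPLE_HTTP_RESPONSE))
        print("Sample SSH banner:", parse_ssh_banner(SAMPLE_SSH_BANNER))
```

Run without arguments it parses the constructed samples; with the target IP it performs the two grabs against ports 80 and 22. `HTTP/1.0` is used deliberately so the server closes the connection after the response and the read loop does not hang waiting for more data.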

***

### <mark style="color:purple;">Task 6: Investigating FTP on Port 10021</mark>

*<mark style="color:blue;">We have an FTP server listening on a nonstandard port. What is the version of the FTP server?</mark>*

Among the discovered ports, **10021** shows up as `unknown` because a plain port scan only maps port numbers to names from nmap's services table, and nothing is registered there for 10021. A version scan (**-sV**) actually talks to the service and reads its banner, which identifies the FTP daemon and its version:

```bash
sudo nmap -sV -p10021 <ip_victim>
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfpL2MQLPxJvZcvyAQ4HriKCeaLL1-YKkMXm1ao723kVlx8bfLV3cED3QVW1kdXF5vhIGdCtqSzYL-e0EBo2T803v8Ov3Lep9g0vaz7MP28K8XfOarsM13SrGsCY7rac2vWHnVovw?key=E-EmvjtgDhx2M9hAjQ6keAP8" alt="" width="375"><figcaption></figcaption></figure>

***

### <mark style="color:purple;">Task 7: Brute-Forcing FTP Credentials</mark>

*<mark style="color:blue;">We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?</mark>*

To brute-force the FTP credentials we use **`Hydra`** with the **rockyou.txt** wordlist. `-l` fixes a single username, `-P` supplies the password list, and the `ftp://host:port` form points Hydra at the nonstandard port. We start with the user **eddie**:

```bash
hydra -l eddie -P /usr/share/wordlists/rockyou.txt ftp://<ip_victim>:10021
```

Hydra recovers eddie's password, but logging in shows an empty FTP directory. Let's try the other user, **quinn**:

```bash
hydra -l quinn -P /usr/share/wordlists/rockyou.txt ftp://<ip_victim>:10021 -v
```

This attempt also yields a password. Logging in to the FTP server on port 10021 with quinn's credentials, listing the directory and downloading the file it contains (`get`) gives us the flag.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcZ96qzhcp014igY6cirTa23YkNl-zw5xdER-nvnWdRwgod2zFz31_X0vnWlcafVLKXw-DfdyJ925zR4u6bq1HFGSFAtALDscq1Q6dkKTV5n1yuo5d5fmGel3ATNVRZJ_JBl6qJZQ?key=E-EmvjtgDhx2M9hAjQ6keAP8" alt=""><figcaption></figcaption></figure>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXf_SKHvHDPEosXbPqouUwhDv6Ar5vDbt4kiyE59eNBzenEOrnsxnzjPiv8sVDwZdsV3Hi2mYYG-pW-1eL1bp5izKZYcmLrf2kI8i-G6pPJEEQEtN0j1nR8zceogYhwQhYrzFKrVFA?key=E-EmvjtgDhx2M9hAjQ6keAP8" alt=""><figcaption></figcaption></figure>

### <mark style="color:purple;">Task 8: Stealth Scanning for the Final Flag</mark>

*<mark style="color:blue;">Browsing to http://MACHINE_IP:8080 displays a small challenge that gives you a flag once you solve it. What is the flag?</mark>*

For the final task, we access the web service on port **8080**:

```bash
http://<ip_victim>:8080
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcErD39Z91bMSIAJobFD1u48SfxiAa-VBN6c4HmaEhv6Zxfh4qBX9J8Vk9qJHHvN2fVppA9NSHovpluql80TQzV7pcAV5d4ajTpJi-NapPKjm-06_J95fNdffBF_D6W6mpR1Dm5-A?key=E-EmvjtgDhx2M9hAjQ6keAP8" alt=""><figcaption></figcaption></figure>

The page asks us to scan the machine without being detected by its IDS. A TCP null scan (**-sN**) fits: it sends TCP segments with no flag bits set at all. Per RFC 793 a closed port answers such a segment with RST, while an open port silently drops it, so nmap reports closed ports as `closed` and silent ones as `open|filtered`. Because no SYN is ever sent, a detector that only watches for connection attempts does not see the probes. Two caveats: the scan needs raw sockets (hence `sudo`), and it only works against RFC-compliant stacks; Windows, for example, replies RST on every port, so everything looks closed.

```bash
sudo nmap -sN <ip_victim>
```

After the scan completes, we revisit the web page to find the final flag.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXc8eUQhBuJNic-SUTeeuEd3tSojpAn-Zo_F0BmvbDRyAaS5QHBDAFh2RMmeyFKXYKHaU40LT6BRLXKwQWiwUHEZ5SA4Ie4yr70qc0iZABzOq3xuOqHrpq3fJ1y7QcOZT9jRy_vvfQ?key=E-EmvjtgDhx2M9hAjQ6keAP8" alt=""><figcaption></figcaption></figure>
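To make the null scan concrete, here is an added example that is not part of the original write-up: it builds the exact 20-byte TCP header nmap's `-sN` probe carries (all flag bits clear, checksum computed over the IPv4 pseudo-header) and classifies a reply using the decision rules from the nmap manual (RST means closed, an ICMP type 3 unreachable with code 1, 2, 3, 9, 10 or 13 means filtered, silence means open|filtered). The IP addresses and port numbers are hypothetical, and nothing is sent on the wire; transmitting these segments needs a raw socket and root, which is what nmap does for you.

```python
import socket
import struct
from typing import Optional, Tuple

TCP_FLAG_FIN = 0x01
TCP_FLAG_SYN = 0x02
TCP_FLAG_RST = 0x04
TCP_FLAG_ACK = 0x10

# ICMP destination-unreachable (type 3) codes that nmap maps to "filtered":
# host/net/port/protocol unreachable and administratively-prohibited variants.
ICMP_UNREACHABLE_FILTERED_CODES = {1, 2, 3, 9, 10, 13}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; evaluates to 0 over a correct packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers in addition to the segment."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_segment(src_ip: str, dst_ip: str, sport: int, dport: int,
                      flags: int, seq: int = 0) -> bytes:
    """20-byte TCP header, no options or payload, with a valid checksum."""
    data_offset = 5  # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                         data_offset << 4, flags, 1024, 0, 0)
    csum = internet_checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def build_null_probe(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """The probe nmap -sN sends: a TCP segment with every flag bit clear."""
    return build_tcp_segment(src_ip, dst_ip, sport, dport, flags=0)


def tcp_flags(segment: bytes) -> int:
    """Flag byte of a TCP header (byte 13; FIN, SYN, RST, PSH, ACK, URG bits)."""
    return segment[13]


def verify_tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    return internet_checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def classify_null_scan_response(tcp_reply: Optional[bytes] = None,
                                icmp_unreachable: Optional[Tuple[int, int]] = None) -> str:
    """Port state for one probe, following the rules documented for nmap -sN."""
    if tcp_reply is not None:
        return "closed" if tcp_flags(tcp_reply) & TCP_FLAG_RST else "unexpected"
    if icmp_unreachable is not None:
        icmp_type, code = icmp_unreachable
        if icmp_type == 3 and code in ICMP_UNREACHABLE_FILTERED_CODES:
            return "filtered"
        return "unexpected"
    return "open|filtered"  # silence: an open port (or a firewall) dropped the segment


if __name__ == "__main__":
    # Hypothetical scanner 10.10.1.2 probing port 8080 on hypothetical target 10.10.1.1.
    probe = build_null_probe("10.10.1.2", "10.10.1.1", 40000, 8080)
    print("null probe:", probe.hex(), "flags byte:", tcp_flags(probe))
    rst = build_tcp_segment("10.10.1.1", "10.10.1.2", 8080, 40000, TCP_FLAG_RST | TCP_FLAG_ACK)
    print("RST/ACK reply ->", classify_null_scan_response(tcp_reply=rst))
    print("no reply      ->", classify_null_scan_response())
```

The flag byte at offset 13 is what a signature-based IDS would key on: a segment with that byte equal to zero is itself anomalous, and mature IDS rule sets do flag flagless TCP probes, so the null scan evades the detector in this challenge rather than IDS in general.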
