THM-Net Sec Challenge-Writeup

Mohamed Ali
4 min read, Dec 28, 2024


Practice the skills you have learned in the Network Security module.

Room: Net Sec Challenge on TryHackMe.


This is a write-up on Net Sec Challenge, a TryHackMe room that tests network security skills. The tools used are mainly nmap, telnet, and hydra.

Since I need a port number below 10,000, I start with the most basic Nmap scan of the target by running the command below. Nmap by default scans all port numbers between 1 and 1024.

nmap 10.10.241.18

[Screenshot: result of the Nmap scan]

2.2 There is an open port outside the common 1000 ports; it is above 10,000. What is it?

Nmap by default scans all port numbers between 1 and 1024. In order to scan other ports, I make use of the -p- flag, which tells Nmap to scan all ports.

NB: there are 65,535 possible TCP ports, so be patient: a scan of all of them takes a considerable amount of time.

Nmap uses the normal timing template (-T3) by default; in my scan I use -T4, which is faster, and -vv for increased verbosity to get more detail on the scanning process.

Run the following:

nmap -p- -T4 -vv 10.10.241.18

After the scan completes, I obtain the results. Interestingly, 65,254 of the ports are closed and 275 are filtered; the filtered ports are likely the result of a firewall.

[Screenshot: result of the Nmap scan]

2.3 How many TCP ports are open?

From the previous scan, I obtain the number of open ports.
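Counting states by hand from a full-port scan is error-prone, so here is an added example (my own code, not part of the original write-up) that parses Nmap's greppable output (-oG) and answers both 2.2 and 2.3 from it: which open port sits above 10,000 and how many TCP ports are open. The sample output embedded below is constructed and reduced (eight listed ports, the rest folded into the "Ignored State" field); the port list does not reproduce the real scan results.

```python
import re
import sys
from collections import Counter

# Constructed, reduced sample of "nmap -p- -oG" greppable output (not real scan
# results). Nmap lists individually every port that is not in the majority
# state and folds the majority state into the "Ignored State" field.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -p- -T4 -oG scan.gnmap 10.10.241.18\n"
    "Host: 10.10.241.18 ()\tStatus: Up\n"
    "Host: 10.10.241.18 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "8080/open/tcp//http-proxy///, 10021/open/tcp//unknown///, "
    "135/filtered/tcp//msrpc///, 1433/filtered/tcp//ms-sql-s///"
    "\tIgnored State: closed (65527)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 120.00 seconds\n"
)

IGNORED_RE = re.compile(r"Ignored State: (\w+) \((\d+)\)")


def parse_gnmap(text):
    """Parse greppable Nmap output.

    Returns (ports, counts): ports maps port number -> (state, proto, service)
    for every individually listed port; counts is a Counter of ports per state,
    including the folded "Ignored State" total, so its values sum to the number
    of ports scanned.
    """
    ports = {}
    counts = Counter()
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        for field in line.split("\t"):
            if field.startswith("Ports:"):
                for entry in field[len("Ports:"):].split(","):
                    parts = entry.strip().split("/")
                    if len(parts) < 5:
                        continue  # malformed entry: skip rather than crash
                    port, state, proto, _owner, service = parts[:5]
                    ports[int(port)] = (state, proto, service)
                    counts[state] += 1
            m = IGNORED_RE.search(field)
            if m:
                counts[m.group(1)] += int(m.group(2))
    return ports, counts


def open_tcp_ports(ports):
    """Sorted list of open TCP ports (answers 'how many TCP ports are open?')."""
    return sorted(p for p, (state, proto, _) in ports.items()
                  if state == "open" and proto == "tcp")


def ports_above(ports, threshold):
    """Open TCP ports above a threshold (answers 'which open port is above 10,000?')."""
    return [p for p in open_tcp_ports(ports) if p > threshold]


if __name__ == "__main__":
    # Usage: python3 gnmap_summary.py scan.gnmap  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    ports, counts = parse_gnmap(text)
    print("open TCP ports:", open_tcp_ports(ports))
    print("open ports above 10000:", ports_above(ports, 10000))
    print("ports per state:", dict(counts))
```

Save the scan with -oG scan.gnmap in addition to the normal output and point the script at the file; the per-state totals should add up to 65,535 for a -p- scan, which is a quick sanity check that nothing was dropped.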

2.4 What is the flag hidden in the HTTP server header?

From the previous scan in 2.1, I know that an HTTP server is running on port 80. I can therefore run a more detailed scan solely on port 80 to identify the service details that have been exposed. The -sV flag probes for service and version information, and -sC is equivalent to --script=default, whose default scripts report the HTTP server header.

Run the command below:

nmap -sV -sC -T4 -p80 10.10.241.18

[Screenshot: result of the Nmap scan]

2.5 What is the flag hidden in the SSH server header?

I repeat the same step from 2.4 above. The only difference is the port number: SSH runs on port 22 rather than port 80.

nmap -sV -sC -T4 -p22 10.10.241.18

[Screenshot: result of the Nmap scan]
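Both flags in 2.4 and 2.5 live in text the server volunteers before any authentication: the HTTP Server: response header and the SSH identification string. The added example below (my own code, not from the write-up) shows exactly what nmap's -sV probe and the default scripts are reading, by starting two throwaway listeners on localhost that announce constructed placeholder banners and then reading those banners back with plain sockets. The banner values, the handler class and the helper names are all assumptions made for the demo, and the "SSH" listener only sends a banner; it is not an SSH server.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed banner values for the local test listeners; placeholders only,
# not the values found on the challenge machine.
FAKE_HTTP_SERVER_HEADER = "Apache/2.4.41 (Ubuntu) FLAG{placeholder}"
FAKE_SSH_BANNER = b"SSH-2.0-OpenSSH_8.2p1 FLAG{placeholder}"


def read_http_server_header(host, port, timeout=3.0):
    """Send a minimal HEAD request and return the Server: header value (or None).

    The header is whatever the server chooses to announce; this is the field
    nmap's http-server-header script reports.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def read_ssh_banner(host, port, timeout=3.0):
    """Read the SSH identification string; the server sends it first (RFC 4253, section 4.2)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as f:
            return f.readline().rstrip(b"\r\n").decode("latin-1")


class _HeaderHandler(BaseHTTPRequestHandler):
    """Minimal HTTP handler that announces a configurable Server: header."""

    def version_string(self):
        return FAKE_HTTP_SERVER_HEADER  # used by send_response() for the Server: header

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fake_http():
    """Start the HTTP listener on an ephemeral localhost port; return (server, port)."""
    httpd = HTTPServer(("127.0.0.1", 0), _HeaderHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, httpd.server_address[1]


def start_fake_ssh(banner):
    """One-shot listener that sends an SSH-style banner and closes (not a real SSH server)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner + b"\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Start both listeners, grab their banners, return (http_header, ssh_banner)."""
    httpd, http_port = start_fake_http()
    ssh_port = start_fake_ssh(FAKE_SSH_BANNER)
    try:
        return (read_http_server_header("127.0.0.1", http_port),
                read_ssh_banner("127.0.0.1", ssh_port))
    finally:
        httpd.shutdown()
        httpd.server_close()


if __name__ == "__main__":
    http_header, ssh_banner = demo()
    print("HTTP Server header:", http_header)
    print("SSH banner:", ssh_banner)
```

The same two functions work against a real host and port, but the point of the demo is the defender's view: anything placed in Server: or in the SSH identification string is readable by any unauthenticated client, so those fields should carry nothing you would not publish.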

2.6 We have an FTP server listening on a nonstandard port. What is the version of the FTP server?

Remember the non-standard port with an unknown service found in 2.2? By investigating the port, I find out that an FTP server is indeed running on that port.

nmap -sV -sC -T4 -p10021 10.10.241.18

2.7 We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?

Since I have been given the usernames, I brute-force the passwords with hydra. First I create a file, users.txt, containing the two usernames.

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ftp://10.10.151.126:10021

Since this is a brute-force attack, it may take a while to find the correct pair, as the wordlist contains millions of candidate passwords.

[Screenshot: result of the hydra brute force]
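A brute force like the one above is loud on the server side: every attempt lands in the FTP log as a failed login from the same client, cycling through the known usernames. As an added example (my own code, not from the write-up), here is a detector that reads vsftpd-style log lines, flags any client with a burst of failed logins inside a sliding window, and escalates when a successful login follows the burst, which is the signal that a password was guessed. The log lines, the client addresses, the threshold and the window are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed vsftpd.log excerpt (not from the challenge machine): one client
# hammers two accounts and finally gets in; another client fails once.
SAMPLE_LOG = """\
Sat Dec 28 10:00:00 2024 [pid 2100] CONNECT: Client "10.10.14.5"
Sat Dec 28 10:00:01 2024 [pid 2101] [eddie] FAIL LOGIN: Client "10.10.14.5"
Sat Dec 28 10:00:02 2024 [pid 2103] [eddie] FAIL LOGIN: Client "10.10.14.5"
Sat Dec 28 10:00:04 2024 [pid 2105] [quinn] FAIL LOGIN: Client "10.10.14.5"
Sat Dec 28 10:00:05 2024 [pid 2107] [quinn] FAIL LOGIN: Client "10.10.14.5"
Sat Dec 28 10:00:07 2024 [pid 2109] [eddie] FAIL LOGIN: Client "10.10.14.5"
Sat Dec 28 10:00:09 2024 [pid 2111] [quinn] FAIL LOGIN: Client "10.10.14.5"
Sat Dec 28 10:00:10 2024 [pid 2113] [eddie] OK LOGIN: Client "10.10.14.5"
Sat Dec 28 10:05:33 2024 [pid 2140] [anonymous] FAIL LOGIN: Client "10.10.14.9"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"'
)


def parse_line(line):
    """Return (timestamp, user, result, client) for a login line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # CONNECT, transfer and other lines are not login events
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("result"), m.group("client")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag clients with >= threshold failed logins inside a sliding window.

    Returns {client: alert}; alert records the burst's first/last time, total
    failures, the usernames tried, and whether a successful login followed.
    """
    failures = defaultdict(deque)  # client -> recent (timestamp, user) failures
    alerts = {}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, user, result, client = event
        if result == "FAIL":
            recent = failures[client]
            recent.append((ts, user))
            # drop failures that fell out of the window
            while recent and (ts - recent[0][0]).total_seconds() > window_seconds:
                recent.popleft()
            if client in alerts:
                alert = alerts[client]
                alert["last"] = ts
                alert["failures"] += 1
                alert["users"].add(user)
            elif len(recent) >= threshold:
                alerts[client] = {
                    "first": recent[0][0], "last": ts, "failures": len(recent),
                    "users": {u for _, u in recent},
                    "success_after": False, "success_user": None,
                }
        elif client in alerts:  # OK LOGIN from a client already flagged
            alerts[client]["success_after"] = True
            alerts[client]["success_user"] = user
    return alerts


if __name__ == "__main__":
    for client, alert in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        severity = "CRITICAL" if alert["success_after"] else "WARNING"
        print(f"{severity}: {client} {alert['failures']} failed logins "
              f"({', '.join(sorted(alert['users']))}) between {alert['first']} "
              f"and {alert['last']}; success after burst: {alert['success_after']}")
```

Run it over the live log with `tail -F /var/log/vsftpd.log`, or feed it a saved file; a client that trips the threshold and then logs in successfully is the case to act on first, since at that point the guessed credential is in use.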

2.8 Browsing to http://10.10.241.18:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?

To avoid being detected, I used a combination of flags: a decoy scan to hide my IP address and a null scan to probe for open ports. The -D flag prevents the IDS from knowing which IP was really scanning and which were innocent decoys. While this can be defeated through router path tracing, response-dropping, and other active mechanisms, it is generally an effective technique for hiding your IP address.

sudo nmap -D 10.10.0.1,10.10.0.2,IP -T4 -sN 10.10.132.193

NB: replace IP with your own IP address.

Thanks for following this far; I hope this write-up provided some insight into the challenge. Until the next write-up, see you!
