This challenge tests the skills I learned in the Network Security module. All the questions in this challenge can be solved using only nmap, telnet, and hydra.
1. What is the highest port number being open less than 10,000?
Ans: 8080
First, I used nmap for port scanning,
running a TCP connect scan with `-sT`:
`nmap -sT MACHINE_IP -v`
I added `-v` for verbose output.
![[NetSec3.png]](/_astro/NetSec3.n-kqrjUq_Z2rQopS.webp)
2. There is an open port outside the common 1000 ports; it is above 10,000. What is it?
Ans: 10021
I got this flag by using `sudo nmap -sS MACHINE_IP -p1-65535 -v`. I added `-p1-65535` because it is the best option if you want to be as thorough as possible, and `-sS` for faster scanning, which requires sudo privileges.
3. How many TCP ports are open?
Ans: 6
For this one, I just guessed from the nmap scan result above, in which I discovered 6 TCP ports.
![[NetSec4.png]](/_astro/NetSec4.CQttlw4v_ZsDqS6.webp)
4. What is the flag hidden in the HTTP server header?
Ans: THM{web_server_25352}
For this one I used `telnet MACHINE_IP 80` and then sent `GET / HTTP/1.1`, which will request page.html. If you find the telnet method way too hard, you can use curl instead, which is a lot easier.
![[NetSec5.png]](/_astro/NetSec5.beIAK80w_Z1NULud.webp)
5. What is the flag hidden in the SSH server header?
Ans: THM{946219583339}
I was confused by this one at first because the problem didn't give us any username. After reading some write-ups, I found that we can see the SSH server header just by using `ssh MACHINE_IP -v`, which shows the details of the SSH server header.
![[NetSec6.png]](/_astro/NetSec6.BU7YP_7u_1MeWsl.webp)
6. We have an FTP server listening on a nonstandard port. What is the version of the FTP server?
Ans: vsFTPd 3.0.5
I found this one by randomly checking the open ports. I saw that port 10021 was unknown, so I tried to connect with `telnet MACHINE_IP 10021`, and boom, I got into the FTP server and its server information.
![[NetSec7.png]](/_astro/NetSec7.YnSjMNYR_Z2gAwX8.webp)
![[NetSec8.png]](/_astro/NetSec8.Cov3C0Pq_Z1Y8rpI.webp)
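The banner checks from questions 4 to 6 can be put into one script. This is an added example, not part of the original write-up: the helper names `grab` and `disclosed` are assumptions, and the sample replies are constructed rather than captured from the target.

```python
import socket

def grab(host, port, probe=b"", timeout=3.0):
    """Connect, optionally send a probe, and return the first bytes the service sends."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""

def disclosed(raw):
    """Return (protocol, software string) disclosed by the first bytes of a reply."""
    lines = raw.decode("latin-1").replace("\r\n", "\n").split("\n")
    first = lines[0]
    if first.startswith("SSH-"):
        # RFC 4253 identification string: SSH-protoversion-softwareversion SP comments
        parts = first.split("-", 2)
        return ("ssh", parts[2].strip() if len(parts) == 3 else "")
    if first.startswith("220"):
        # FTP greeting: reply code 220 followed by free text chosen by the server
        return ("ftp", first[3:].lstrip("- ").strip())
    if first.startswith("HTTP/"):
        for line in lines[1:]:
            if line == "":
                break  # blank line ends the headers; never read the body
            name, _, value = line.partition(":")
            if name.strip().lower() == "server":
                return ("http", value.strip())
        return ("http", "")
    return ("unknown", first.strip())

# Constructed sample replies (not captured from the room's machine).
SAMPLES = {
    "http": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Server: ExampleServer/1.0\r\n\r\n<html></html>",
    "ssh": b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
    "ftp": b"220 (vsFTPd 3.0.5)\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, disclosed(raw))
    # Live use against a host you administer, e.g.:
    # print(disclosed(grab("MACHINE_IP", 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n")))
```

SSH and FTP send their banner as soon as the connection opens, so `grab` needs no probe for them; HTTP only answers after a request is sent.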
7. We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?
Ans: THM{321452667098}
For this one, I first used Hydra with `hydra -l eddie -P /usr/share/wordlists/rockyou.txt 10.201.99.0 ftp -s 10021`. We need to specify the port using `-s 10021` because the FTP port is not the default port. I got the passwords of both users, as in the picture above.
Now we enter FTP with `ftp MACHINE_IP 10021`. The flag is inside user quinn's account. After finding the flag location, we use `get` to download the flag file and then exit. Then we use `cat` to open the file on our own device, and that is how we got the flag.
This one is the challenge where we have to use Nmap to scan the machine as covertly as possible to avoid detection.
![[NetSec10.png]](/_astro/NetSec10.DYeBEdP8_Z1HxSjE.webp)
8. Browsing to http://10.201.99.0:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?
Ans: THM{f7443f99}
The final one is very challenging. I spent about 1 hour on it before I really gave up and decided to end my sanity draining by reading some write-ups, and I saw: oh, I can use `nmap -sN MACHINE_IP`. After I knew that, I really felt guilty for passing this challenge so easily, so I started looking for whether some other scan I hadn't tried might work.
So I started trying many scan types, `-sF`, `-sX`, `-sM` and many more, in combination with `-f`, `-ff` and `-T0` to `-T4`, and it still didn't work; it may be detected 100%, but it still gets slightly detected.
I feel very bad that I could only do 6/8 by myself :(
But what I learned is that I should be more meticulous and not rush too much to get the answer, because that caused me to be unable to solve an easy flag, so that I needed to read other people's write-ups.
This room really taught me many things and grew my penetration tester mindset!