Day 049 #FromZeroToHacker – Net Sec Challenge Writeup

Time to put into practice all the skills we have learnt in this Network Security module!

Let’s write about this #FromZeroToHacker challenge.

Table of contents
Introduction
What have I learnt today?
Stats
Resources

Introduction to Net Sec Challenge

This challenge will test our mastery of the skills we have acquired in the Network Security module. All the questions in this challenge can be solved using only nmap, telnet, and hydra.

This is the ninth and last lesson of the Network Security module:

  1. Passive Reconnaissance
  2. Active Reconnaissance
  3. Nmap Live Host Discovery
  4. Nmap Basic Port Scans
  5. Nmap Advanced Port Scans
  6. Nmap Post Port Scans
  7. Protocols and Servers
  8. Protocols and Servers 2
  9. Network Security Challenge

What have I learnt today?

Challenge questions

  1. Deploy the VM attached to this task to get started! You can access this machine by using your browser-based machine, or if you’re connected through OpenVPN.
    No answer needed

I’m lazy, and I don’t want to repeat the same IP over and over, so I’m going to store the IP as a variable with IP=<TARGET_IP>. Now, I can invoke the IP with $IP in the terminal anytime.

Let’s solve those questions:

1- What is the highest port number being open less than 10,000?
nmap $IP -p1-10000 -sS -T4

2- There is an open port outside the common 1000 ports; it is above 10,000. What is it?
nmap $IP -p0- -v -T4

3- How many TCP ports are open?
Count all the open TCP ports from your scans (the ones under and over 10,000).
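Questions 1 to 3 all come from the same scan results, so instead of counting by eye, the open ports can be pulled out of nmap's grepable output (saved with the real -oG option) with a few lines of POSIX shell. This is an added example, not part of the original writeup; the scan line below is a constructed sample, not a real result.

```shell
#!/bin/sh
# Constructed sample in nmap grepable (-oG) format; the host and ports are made up.
SAMPLE_GNMAP='Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8080/open/tcp//http-proxy///, 10021/open/tcp//ftp///  Ignored State: closed (65529)'

# Every open TCP port in the grepable output, one per line, sorted numerically.
open_tcp_ports() {
    printf '%s\n' "$1" | grep -o '[0-9]*/open/tcp' | cut -d/ -f1 | sort -n
}

# Question 1: highest open TCP port strictly below the given limit.
highest_open_below() {
    open_tcp_ports "$1" | awk -v lim="$2" '$1 < lim { best = $1 } END { print best + 0 }'
}

# Question 2: open TCP ports strictly above the limit.
open_above() {
    open_tcp_ports "$1" | awk -v lim="$2" '$1 > lim'
}

# Question 3: total number of open TCP ports in the output.
count_open_tcp() {
    open_tcp_ports "$1" | wc -l | tr -d ' '
}

# Stand-alone usage on the constructed sample (replace with: nmap -p0- -oG scan.gnmap $IP; cat scan.gnmap).
echo "Highest open port below 10000: $(highest_open_below "$SAMPLE_GNMAP" 10000)"
echo "Open ports above 10000: $(open_above "$SAMPLE_GNMAP" 10000)"
echo "Open TCP ports in total: $(count_open_tcp "$SAMPLE_GNMAP")"
```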

4- What is the flag hidden in the HTTP server header?
Connect to the HTTP server (port 80) via Telnet, then request the index.html file:
telnet $IP 80

To ask for the index.html file, after the connection is established, use:

GET /index.html HTTP/1.1
host: telnet
Telnet connection

5- What is the flag hidden in the SSH server header?
telnet $IP 22 and read the header.

6- We have an FTP server listening on a nonstandard port. What is the version of the FTP server?
telnet $IP 10021 and read the header.

7- We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?
Let’s do a dictionary attack on both usernames with:
hydra -l <USERNAME> -P /rockyou.txt $IP ftp -s 10021

Cool, now we have the password for both usernames. Let's log in via FTP:
ftp $IP 10021

Try both users, then download the file with get <FILENAME>.

8- Browsing to http://10.10.47.91:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?
Let’s use a slow but silent mode:
nmap $IP -sS -sV -T1

This could work, but after a minute of waiting the scan is 0.20% done. Let’s use a scan that doesn’t give away that we are scanning the server:
nmap $IP -sN (a NULL scan)

FIN and XMAS scans set TCP flags (FIN, and FIN/PSH/URG respectively), while a NULL scan sets none.

Summary

A good way to put into practice what we have been learning in theory: Nmap scans, Telnet connections and Hydra dictionary attacks.

Stats

From 90,899th to 86,165th. Top 90,000, a nice feat to achieve!

Here is also the Skill Matrix:

Skills Matrix

Resources

Module: Network Security

TryHackMe: Protocols and Servers

Other resources

NULL scan