Q1: Launch the Attack Box and the target VM.
I started the machine and fired up my attack box, let's roll!
Task 2: Challenge Questions
Q1: What is the highest port number being open less than 10,000?
Usually on a box like this I use rustscan as it is much faster, but since the room alluded to nmap, hydra and telnet, I figured I would stick to those tools for the challenge.
I decided to launch a full verbose nmap scan so I could maybe answer the questions as the scan was running.
nmap -vvvv -p- -T4 --stats-every 10 $ip
-vvvv : Give me lots of verbosity
-T4 : aggressive timing; assumes a fast and reliable network
--stats-every 10 : this gives me a status update every 10 seconds
$ip : I usually set a variable (ip=10.10.10.10) to save typing, so I can reference the machine as $ip
Even though the scan was still running, we should have enough information to make an educated guess on this.
Q2: There is an open port outside the common 1000 ports; it is above 10,000. What is it?
About 6 minutes into the scan, this port above 10,000 popped up and solved question number 2.
Q3: How many TCP ports are open?
I don’t have any patience so I added up the ports that I currently had and submitted those numbers and I was correct ;)
The scan took about 20 minutes to complete with nmap.
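Questions 1 to 3 are all answered from the same scan output, and with a full `-p-` scan the verbose "Discovered open port" lines and the final port table both list every port. The script below is an added example (my own, not part of the original write-up) that parses a constructed sample of `nmap -vvvv` output and derives the highest open port below 10,000, any ports above 10,000, and the total open TCP count; the ports in the sample are made up and are not the room's answers.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample of `nmap -vvvv -p-` output (assumption: the line formats
# mirror nmap's verbose "Discovered open port" lines and its final port table;
# the ports themselves are invented and are not the room's answers).
SAMPLE_NMAP_OUTPUT = """\
Discovered open port 22/tcp on 10.10.10.10
Discovered open port 80/tcp on 10.10.10.10
SYN Stealth Scan Timing: About 30.00% done; ETC: 12:40 (0:07:00 remaining)
Discovered open port 8000/tcp on 10.10.10.10
Discovered open port 8080/tcp on 10.10.10.10
Discovered open port 10021/tcp on 10.10.10.10
Nmap scan report for 10.10.10.10
PORT      STATE  SERVICE
22/tcp    open   ssh
80/tcp    open   http
8000/tcp  open   http-alt
8080/tcp  open   http-proxy
10021/tcp open   unknown
"""

# Verbose progress line: "Discovered open port 22/tcp on 10.10.10.10"
DISCOVERED_RE = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on \S+$")
# Final table line: "22/tcp    open   ssh"
TABLE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+\S+")


def parse_open_ports(output: str, proto: str = "tcp") -> Set[int]:
    """Return the set of open ports for `proto` seen anywhere in the output.

    The progress lines and the final table list the same ports, so a set is
    used to avoid double counting when both are present.
    """
    ports: Set[int] = set()
    for line in output.splitlines():
        m = DISCOVERED_RE.match(line) or TABLE_RE.match(line)
        if m and m.group(2) == proto:
            ports.add(int(m.group(1)))
    return ports


def highest_below(ports: Set[int], limit: int = 10000) -> Optional[int]:
    """Q1-style question: highest open port strictly below `limit`, or None."""
    candidates = [p for p in ports if p < limit]
    return max(candidates) if candidates else None


def ports_above(ports: Set[int], limit: int = 10000) -> List[int]:
    """Q2-style question: open ports strictly above `limit`, sorted."""
    return sorted(p for p in ports if p > limit)


def summarize(output: str) -> Dict[str, object]:
    """Answer all three questions at once from a single scan output."""
    ports = parse_open_ports(output)
    return {
        "highest_below_10000": highest_below(ports),
        "above_10000": ports_above(ports),
        "open_tcp_count": len(ports),  # Q3-style question
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_NMAP_OUTPUT))
```

Because the parser accepts both line formats, it can be pointed at a scan that is still running (only progress lines so far) or at a finished one, which matches how the questions were answered mid-scan above.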
Q4: What is the flag hidden in the HTTP server header?
nc 10.10.10.10 80
Q5: What is the flag hidden in the SSH server header?
If we enable verbose logging when we run ssh, we should be able to see all of the SSH debug information.
ssh -v 10.10.10.10
Q6: We have an FTP server listening on a nonstandard port. What is the version of the FTP server?
Spoiler alert, this is a port we found earlier in the challenge, the one that was higher than 10,000.
If you connect to the port with ftp or nc, you will get the answer to the challenge question.
ftp 10.10.10.10 10021
nc 10.10.10.10 10021
Either of the above will give the answer the question is looking for.
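Questions 4 to 6 all come down to reading a server's self-identification: an HTTP response header, the SSH identification string, and the FTP 220 greeting. The following is an added example of my own (not code from the write-up) that parses each of those from constructed sample bytes, so you can see exactly which part of each protocol the banner lives in; the version strings and the placeholder header value are invented and are not the room's flags.

```python
import re
from typing import Dict, Optional

# Constructed sample responses (assumption: invented banners in the shape of
# real ones; no real flag from the room appears here).
HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Example-Flag: placeholder-value\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SSH_BANNER = b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1\r\n"
FTP_GREETING = b"220 (vsFTPd 3.0.3)\r\n"


def parse_http_headers(raw: bytes) -> Dict[str, str]:
    """Split an HTTP response into a header map with lowercased names.

    HTTP header names are case-insensitive, so the lookup key is normalised;
    everything after the blank line (the body) is ignored.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the status line, not a header
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def http_server_header(raw: bytes) -> Optional[str]:
    """Q4-style question: the value of the Server header, if any."""
    return parse_http_headers(raw).get("server")


def ssh_version(banner: bytes) -> Optional[str]:
    """Q5-style question: the softwareversion field of the RFC 4253
    identification string, which has the form
    SSH-protoversion-softwareversion [SP comments] CR LF."""
    m = re.match(rb"^SSH-(\d\.\d+)-(\S+)(?: (.*))?\r?\n$", banner)
    return m.group(2).decode("ascii", "replace") if m else None


def ftp_greeting_version(greeting: bytes) -> Optional[str]:
    """Q6-style question: the text after the FTP 220 reply code."""
    m = re.match(rb"^220[ -](.*?)\r?\n", greeting)
    return m.group(1).decode("ascii", "replace") if m else None


if __name__ == "__main__":
    print(http_server_header(HTTP_RESPONSE))
    print(ssh_version(SSH_BANNER))
    print(ftp_greeting_version(FTP_GREETING))
```

In the real exercise the bytes come from `nc`, `ssh -v` or `ftp`; here they are embedded so the parsers run offline.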
Q7: We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?
After adding the users to a list with the following commands, I can use it with hydra.
echo eddie >> users.txt
echo quinn >> users.txt
Success, we have the passwords for both users, eddie and quinn.
Q8: Browsing to http://x.x.x.x:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?
Browsing to the website, you will see that you are already detected, with 100% shown below.
Press “reset packet count” and try something new.
By performing an nmap null scan, we are able to avoid detection and receive the flag.
nmap -sN 10.10.10.10
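The null scan works here because a TCP segment with no flags set never belongs to a legitimate connection, so a detector that only counts connection attempts (SYNs) never sees it. The script below is an added example of my own, not part of the write-up or the room, that runs two detection rules over constructed tcpdump-style lines: a SYN-only counter, which misses the flagless probes, and a rule that treats any flagless segment as a scan. The capture lines are invented (assumption: they follow the `tcpdump -n` layout, where a flagless segment prints `Flags [none]`).

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed tcpdump-style lines (assumption: format mirrors `tcpdump -n`;
# this is not a capture from the room). 10.10.10.5 SYN-scans four ports,
# 10.10.10.6 null-scans the same four, 10.10.10.7 is a normal client.
SAMPLE_CAPTURE = """\
12:00:00.000100 IP 10.10.10.5.40001 > 10.10.10.10.22: Flags [S], seq 1, win 1024, length 0
12:00:00.000200 IP 10.10.10.5.40001 > 10.10.10.10.80: Flags [S], seq 1, win 1024, length 0
12:00:00.000300 IP 10.10.10.5.40001 > 10.10.10.10.443: Flags [S], seq 1, win 1024, length 0
12:00:00.000400 IP 10.10.10.5.40001 > 10.10.10.10.8080: Flags [S], seq 1, win 1024, length 0
12:00:01.000100 IP 10.10.10.6.40002 > 10.10.10.10.22: Flags [none], win 1024, length 0
12:00:01.000200 IP 10.10.10.6.40002 > 10.10.10.10.80: Flags [none], win 1024, length 0
12:00:01.000300 IP 10.10.10.6.40002 > 10.10.10.10.443: Flags [none], win 1024, length 0
12:00:01.000400 IP 10.10.10.6.40002 > 10.10.10.10.8080: Flags [none], win 1024, length 0
12:00:02.000100 IP 10.10.10.7.51000 > 10.10.10.10.80: Flags [S], seq 100, win 64240, length 0
12:00:02.000200 IP 10.10.10.10.80 > 10.10.10.7.51000: Flags [S.], seq 200, ack 101, win 65160, length 0
12:00:02.000300 IP 10.10.10.7.51000 > 10.10.10.10.80: Flags [.], ack 201, win 64240, length 0
"""

PKT_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def count_probe_ports(capture: str) -> Dict[str, Dict[str, Set[int]]]:
    """Per source IP, the destination ports probed by SYN-only segments and
    by flagless (null) segments, kept separate so the blind spot of a
    SYN-only counter is visible."""
    probes: Dict[str, Dict[str, Set[int]]] = defaultdict(
        lambda: {"syn": set(), "null": set()}
    )
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        flags, dport = m.group("flags"), int(m.group("dport"))
        if flags == "S":        # SYN without ACK: a connection attempt
            probes[m.group("src")]["syn"].add(dport)
        elif flags == "none":   # no flags at all: never legitimate traffic
            probes[m.group("src")]["null"].add(dport)
    return probes


def syn_only_alerts(capture: str, threshold: int = 3) -> List[str]:
    """Sources a SYN-only counter flags; flagless probes are invisible to it."""
    return sorted(src for src, p in count_probe_ports(capture).items()
                  if len(p["syn"]) >= threshold)


def scan_alerts(capture: str, threshold: int = 3) -> Dict[str, str]:
    """Source -> scan type. A single flagless segment is already enough,
    while SYNs need to hit `threshold` distinct ports to stand out from
    ordinary clients."""
    alerts: Dict[str, str] = {}
    for src, p in count_probe_ports(capture).items():
        if p["null"]:
            alerts[src] = "null-scan"
        elif len(p["syn"]) >= threshold:
            alerts[src] = "syn-scan"
    return alerts


if __name__ == "__main__":
    print("SYN-only counter sees:", syn_only_alerts(SAMPLE_CAPTURE))
    print("flag-aware rule sees:", scan_alerts(SAMPLE_CAPTURE))
```

The normal client 10.10.10.7 sends one SYN, gets a SYN-ACK and completes the handshake, so neither rule reports it; the difference between the two rules is only that the second one knows a flagless segment is itself the signal.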
Thank you to strategos for such a fun room in which to put our nmap and hydra skills to use.