My thoughts

I enjoyed this lab, and I particularly liked that there were multiple working solutions to the final challenge question, just like there would be different ways of accomplishing the same goal on a real machine. The majority All of my experience is in web application security and admittedly, I did this lab to start venturing outside of my comfort zone with decent results!

Task 1: Introduction

There’s nothing to do here other than to click on the button titled “Start Machine”. The instructions will explain the tools you will be using and it is pretty straight forward.

Task 2: Challenge Questions

Q: What is the highest port number being open less than 10,000?

I simply did a portscan for all ports with “nmap -p- -v” It found what I was looking for rather quickly!

Q: There is an open port outside the common 1000 ports; it is above 10,000. What is it?

Killing two birds with one stone, the same scan I performed above yielded the proper result, although slowly.

Q: How many TCP ports are open?

Again, the first scan answers this question. All you have to do is count the number of times an open port was discovered!

Q: What is the flag hidden in the HTTP server header?

There are a couple of ways to answer this question. My initial thought was to use telnet and send a get request to a random file on the web server, but I was doing too much work. The easiest way is to stay within nmap and run something like “nmap -p80 -sC -sV“. This will output what is needed by running service detection on port 80. This yielded the proper flag.

Q: What is the flag hidden in the SSH server header?

You can run the same exact command, just change the port number for the proper SSH port. You can laugh at me now for the fact that when I first went through this challenge, I used telnet to access each service before realizing how much extra work I was doing. The command is “nmap -p22 -sC -sV“, by the way!

Q: We have an FTP server listening on a nonstandard port. What is the version of the FTP server?

You can use the same command as above for the port, but the “sC” switch is not needed; we just want version. This looks like "nmap -p***** -sC -sV” I censored the port number because it’s an answer to a previous challenge question.

Q: We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?

Oh yeah! It’s time to have some fun. We previously discovered the open FTP port from question #2. We know two usernames, so it’s time to run hydra on them. Once we have the credentials for both usernames, we’ll login using FTP and poke around for the proper flag file. Firstly, we will discover the credentials for the two listed accounts by running “hydra -l eddie -P /usr/share/wordlists/rockyou.txt -s *****” and “hydra -l quinn -P /usr/share/wordlists/rockyou.txt -s *****” – I’ve censored that port number again. You’ll get a result as so:

Once you have your result for both accounts, try connecting to FTP using both of them. You will then look for and obtain the flag file on the FTP server. This is a multi-step process and you’ll need to try both accounts.

  1. Connect using “ftp *****
  2. Login using the username and password obtained from hydra
  3. Type “ls” to see if the flag file is present.
  4. If it is present, use “get ftp_flag.txt” to obtain it. If it isn’t, try the other account.
  5. Type “exit” to drop back to your local shell.
  6. Type “cat ftp_flag.txt” to display the flag.

Q: Browsing to displays a small challenge that will give you a flag once you solve it. What is the flag?

The purpose of this challenge is to use nmap in such a way that it doesn’t trigger any sort of automated intrusion detection system. There are a few different techniques to do this, including slow scanning, which was my first thought. However, you can gain a quicker flag using a TCP Null Scan with “nmap -sN

Would you like to try?

This challenge is available to subscribers at – it was pretty fun and I recommend it! If you’d like to teach yourself offensive cybersecurity, you can get a premium subscription of TryHackMe for $5 off using this link – you’re welcome (awoo)!

TryHackMe Writeup: Net Sec Challenge
Tagged on:                     
Notify of

0 Barks
Inline Feedbacks
View all barks