Footprinting and Scanning CTF 1
Overview
Host discovery using Nmap (Network Mapper) is a crucial step in network scanning to identify which hosts are up and running on a network. In this lab, we will learn a standard method to discover hosts using Nmap.
In this lab environment, you will be provided with GUI access to a Kali Linux machine. The target machine will be accessible at http://target.ine.local.
Writeup
Flag 1
The server proudly announces its identity in every response. Look closely; you might find something unusual.
┌──(root㉿INE)-[~]
└─# nmap --min-rate=10000 -p- target.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-29 19:18 IST
Nmap scan report for target.ine.local (192.23.251.3)
Host is up (0.000030s latency).
Not shown: 65527 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
143/tcp open imap
993/tcp open imaps
3306/tcp open mysql
33060/tcp open mysqlx
MAC Address: 02:42:C0:17:FB:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 2.27 seconds
A service and default-script scan of the open ports reveals a robots.txt file and anonymous FTP login.
┌──(root㉿INE)-[~]
└─# nmap -sC -sV -p 21,22,25,80,143,993,3306,33060 target.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-29 19:18 IST
Stats: 0:00:46 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 87.50% done; ETC: 19:19 (0:00:07 remaining)
Stats: 0:00:51 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 87.50% done; ETC: 19:19 (0:00:07 remaining)
Stats: 0:01:11 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 87.50% done; ETC: 19:19 (0:00:10 remaining)
Nmap scan report for target.ine.local (192.23.251.3)
Host is up (0.000036s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.23.251.2
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.5 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 22 Oct 28 06:11 creds.txt
|_-rw-r--r-- 1 0 0 39 Mar 29 13:45 flag.txt
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 a5:93:0f:6b:5a:77:f1:77:e8:2e:c9:31:e7:df:66:06 (ECDSA)
|_ 256 b6:0d:e4:92:36:30:79:b7:31:91:3b:a0:1f:c1:ee:85 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: localhost.members.linode.com, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2024-10-28T06:10:50
|_Not valid after: 2034-10-26T06:10:50
|_ssl-date: TLS randomness does not represent time
80/tcp open http Werkzeug/3.0.6 Python/3.10.12
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.0.6 Python/3.10.12
| Date: Sat, 29 Mar 2025 13:48:41 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 2557
| Server: FLAG1_e249f82ac58d477ea6933a3cca3654fd
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="UTF-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <link rel="shortcut icon" href="#">
| <title>CTF Challenge</title>
| <style>
| body {
| font-family: 'Arial', sans-serif;
| margin: 0;
| padding: 0;
| background-color: #1c1c1c;
| color: #fff;
| background-color: #333;
| padding: 15px;
| text-align: center;
| list-style: none;
| margin: 0;
| padding: 0;
| display:
| HTTPOptions:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.0.6 Python/3.10.12
| Date: Sat, 29 Mar 2025 13:48:41 GMT
| Content-Type: text/html; charset=utf-8
| Allow: HEAD, OPTIONS, GET
| Server: FLAG1_e249f82ac58d477ea6933a3cca3654fd
| Content-Length: 0
|_ Connection: close
|_http-title: CTF Challenge
| http-robots.txt: 3 disallowed entries
|_/photos /secret-info/ /data/
|_http-server-header: Werkzeug/3.0.6 Python/3.10.12
143/tcp open imap Dovecot imapd (Ubuntu)
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2024-10-28T06:10:50
|_Not valid after: 2034-10-26T06:10:50
|_imap-capabilities: LOGINDISABLEDA0001 ID IDLE IMAP4rev1 more have post-login LITERAL+ capabilities Pre-login OK ENABLE STARTTLS SASL-IR listed LOGIN-REFERRALS
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: OK ID IDLE IMAP4rev1 more have AUTH=PLAINA0001 post-login ENABLE capabilities SASL-IR LOGIN-REFERRALS Pre-login listed LITERAL+
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2024-10-28T06:10:50
|_Not valid after: 2034-10-26T06:10:50
3306/tcp open mysql MySQL 8.0.39-0ubuntu0.22.04.1
| ssl-cert: Subject: commonName=MySQL_Server_8.0.39_Auto_Generated_Server_Certificate
| Not valid before: 2024-10-28T06:11:13
|_Not valid after: 2034-10-26T06:11:13
| mysql-info:
| Protocol: 10
| Version: 8.0.39-0ubuntu0.22.04.1
| Thread ID: 43
| Capabilities flags: 65535
| Some Capabilities: IgnoreSpaceBeforeParenthesis, Support41Auth, Speaks41ProtocolOld, Speaks41ProtocolNew, FoundRows, SwitchToSSLAfterHandshake, IgnoreSigpipes, SupportsLoadDataLocal, SupportsCompression, InteractiveClient, ConnectWithDatabase, SupportsTransactions, ODBCClient, LongColumnFlag, LongPassword, DontAllowDatabaseTableColumn, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: I\x7FQykeT\x0B
| mZ2Y/B0>\x10_`
|_ Auth Plugin Name: caching_sha2_password
|_ssl-date: TLS randomness does not represent time
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
| HY000
| LDAPBindReq:
| *Parse error unserializing protobuf message"
| HY000
| oracle-tns:
| Invalid message-frame."
|_ HY000
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 02:42:C0:17:FB:03 (Unknown)
Service Info: Host: localhost.members.linode.com; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.63 seconds
e249f82ac58d477ea6933a3cca3654fd
Flag 2
The gatekeeper's instructions often reveal what should remain unseen. Don't forget to read between the lines.
In the Nmap scan, the http-robots.txt script reported a robots.txt file with three disallowed entries: /photos, /secret-info/ and /data/.
Let's see what /secret-info/ hides: http://target.ine.local/secret-info/flag.txt
03361405d8c3414595d078baaa74280b
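As an added example (not part of the original writeup), the following Python parses the raw HTTP response captured by the service scan in Flag 1 and the robots.txt entries from Flag 2, so the repeated Server: header and the Disallow paths stand out mechanically instead of by eye. The inputs are constructed from the Nmap output on this page; nothing is fetched from the network.

```python
from collections import defaultdict

# Constructed from the HTTPOptions response in the Nmap -sV output above.
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Werkzeug/3.0.6 Python/3.10.12\r\n"
    b"Date: Sat, 29 Mar 2025 13:48:41 GMT\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Allow: HEAD, OPTIONS, GET\r\n"
    b"Server: FLAG1_e249f82ac58d477ea6933a3cca3654fd\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n\r\n"
)

# Constructed robots.txt carrying the three entries http-robots.txt reported.
ROBOTS_TXT = "User-agent: *\nDisallow: /photos\nDisallow: /secret-info/\nDisallow: /data/\n"


def parse_headers(raw: bytes) -> dict:
    """Every header as name -> list of values, keeping repeats.
    Names are case-insensitive (RFC 9110), so they are lower-cased."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = defaultdict(list)
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def duplicated_headers(raw: bytes) -> dict:
    """Headers sent more than once; a second Server: value is the tell here."""
    return {k: v for k, v in parse_headers(raw).items() if len(v) > 1}


def disallowed_paths(robots: str) -> list:
    """Paths under Disallow:, ignoring comments and blank values."""
    paths = []
    for line in robots.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:
                paths.append(path)
    return paths


if __name__ == "__main__":
    print(duplicated_headers(RAW_RESPONSE), disallowed_paths(ROBOTS_TXT))
```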
Flag 3
Anonymous access sometimes leads to forgotten treasures. Connect and explore the directory; you might stumble upon something valuable.
Connect to FTP anonymously:
┌──(root㉿INE)-[~]
└─# ftp target.ine.local
Connected to target.ine.local.
220 (vsFTPd 3.0.5)
Name (target.ine.local:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||31916|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 22 Oct 28 06:11 creds.txt
-rw-r--r-- 1 0 0 39 Mar 29 13:45 flag.txt
226 Directory send OK.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||48631|)
150 Opening BINARY mode data connection for flag.txt (39 bytes).
100% |***************************************************************************************************************************| 39 634.76 KiB/s 00:00 ETA
226 Transfer complete.
39 bytes received in 00:00 (94.50 KiB/s)
ftp> exit
221 Goodbye.
┌──(root㉿INE)-[~]
└─# cat flag.txt
FLAG3_4915ed6ca218464e8a63ab6db486e907
4915ed6ca218464e8a63ab6db486e907
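On the defending side, the exposure behind Flag 3 is a vsftpd configuration that accepts anonymous logins into a directory holding sensitive files. As an added example (not part of the original writeup or the lab's real configuration), this Python reads a vsftpd.conf and reports the anonymous-access settings; the sample configuration is constructed, and the treatment of a missing anonymous_enable key follows the default documented in vsftpd.conf(5).

```python
# Constructed sample of a vsftpd.conf that permits anonymous read access.
SAMPLE_CONF = """
listen=YES
anonymous_enable=YES
# anon_root=/srv/ftp   (commented out, so it must be ignored)
local_enable=YES
write_enable=NO
"""


def parse_vsftpd_conf(text: str) -> dict:
    """vsftpd.conf is one key=value per line; '#' starts a comment line."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def anonymous_findings(settings: dict) -> list:
    """Human-readable findings; an empty list means anonymous access is off."""
    findings = []
    # vsftpd.conf(5) documents YES as the built-in default for anonymous_enable,
    # so a configuration that omits the key is treated as enabling it.
    if settings.get("anonymous_enable", "YES").upper() != "NO":
        findings.append("anonymous_enable is not NO: unauthenticated logins accepted")
        if settings.get("anon_upload_enable", "NO").upper() == "YES":
            findings.append("anon_upload_enable=YES: anonymous users can upload files")
    return findings


if __name__ == "__main__":
    for finding in anonymous_findings(parse_vsftpd_conf(SAMPLE_CONF)):
        print(finding)
```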
Flag 4
A well-named database can be quite revealing. Peek at the configurations to discover the hidden treasure.
Use the credentials from creds.txt on the anonymous FTP share to connect to MySQL:
┌──(root㉿INE)-[~]
└─# mysql -h target.ine.local -u db_admin -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 56
Server version: 8.0.39-0ubuntu0.22.04.1 (Ubuntu)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> show databases;
+----------------------------------------+
| Database |
+----------------------------------------+
| FLAG4_4814c791c6794a23a37a069453be041e |
| information_schema |
| mysql |
| performance_schema |
| sys |
+----------------------------------------+
5 rows in set (0.002 sec)
MySQL [(none)]>
4814c791c6794a23a37a069453be041e