Basic Reconnaissance: (nmap)

It is not necessary to scan all ports, but it is useful in some cases.
Below is the nmap command to scan all Ports in a manner.

nmap -sC -sV -p- 10.10.85.107

nmap -sC -sV -p- 10.10.85.107
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 17:33 IST
Nmap scan report for 10.10.85.107 (10.10.85.107)
Host is up (0.19s latency).
Not shown: 65529 closed tcp ports (conn-refused)
_____________________________________________________________________________
PORT      STATE SERVICE     VERSION
_____________________________________________________________________________
22/tcp    open  ssh         (protocol 2.0)
| ssh-hostkey: 
|   3072 da5f69e2111f7c6680896154e87b16f3 (RSA)
|   256 3f8c0946ab1cdfd73583cf6d6e177e1c (ECDSA)
|_  256 eda93aaa4c6b16e60d437546fb33b229 (ED25519)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-OpenSSH_8.2p1 THM{946219583339}
_____________________________________________________________________________
80/tcp    open  http        lighttpd
|_http-server-header: lighttpd THM{web_server_25352}
|_http-title: Hello, world!
_____________________________________________________________________________
139/tcp   open  netbios-ssn Samba smbd 4.6.2
_____________________________________________________________________________
445/tcp   open  netbios-ssn Samba smbd 4.6.2
_____________________________________________________________________________
8080/tcp  open  http        Node.js (Express middleware)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
_____________________________________________________________________________
10021/tcp open  ftp         vsftpd 3.0.3
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.93%I=7%D=5/4%Time=6453A483%P=x86_64-pc-linux-gnu%r(NULL,
SF:29,"SSH-2\.0-OpenSSH_8\.2p1\x20THM{946219583339}\r\n");
Service Info: OS: Unix
_____________________________________________________________________________
Host script results:
| smb2-time: 
|   date: 2023-05-04T12:26:50
|_  start_date: N/A
|_nbstat: NetBIOS name: NETSEC-CHALLENG, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1404.23 seconds

Task 2 — Challenge Questions

1. What is the highest port number being open less than 10,000?

Ans: 8080

2. There is an open port outside the common 1000 ports; it is above 10,000. What is it?

For this, we have to perform an nmap scan to scan ports above 10000

Ans: 10021

3. How many TCP ports are open?

Ans: 6

4. What is the flag hidden in the HTTP server header?

Ans: THM{web_server_25352}

5. What is the flag hidden in the SSH server header?

Ans: THM{946219583339}

6. We have an FTP server listening on a nonstandard port. What is the version of the FTP server?

Ans: vsftpd 3.0.3

7. We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?

We have to Bruteforce the password of these 2 Usernames using Hydra

Username: Eddie 
Password: jordan

Username: quinn
Password: andrea

Let’s Login with the Credentials using Telnet

1. ftp <MACHINE-IP> <PORT-NUMBER>
2. eddie
3. jordan
4. ls

We found a file which has the flag, so let’s open the file using the command fget ftp_flag.txt

Ans: Answer is below the filezilla method