Intermediate Nmap — TryHackMe WriteUp

Wilklins Nyatteng
Published in System Weakness
3 min read · Aug 22, 2023

Can you combine your great nmap skills with other tools to log in to this machine?

You’ve learned some great nmap skills! Now can you combine that with other skills with netcat and protocols, to log in to this machine and find the flag? This VM MACHINE_IP is listening on a high port, and if you connect to it, it may give you some information you can use to connect to a lower port commonly used for remote access!

This is the easiest machine I’ve ever worked on.

I started an Nmap scan and found 3 open ports:

└─$ nmap --min-rate 1000 -p- 10.10.194.180  
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-21 19:20 EAT
Nmap scan report for 10.10.194.180
Host is up (0.29s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
2222/tcp open EtherNetIP-1
31337/tcp open Elite

Next was a service scan on the open ports:

└─$ nmap -p22,2222,31337 -A 10.10.194.180
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-21 19:22 EAT
Nmap scan report for 10.10.194.180
Host is up (0.32s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 7d:dc:eb:90:e4:af:33:d9:9f:0b:21:9a:fc:d5:77:f2 (RSA)
| 256 83:a7:4a:61:ef:93:a3:57:1a:57:38:5c:48:2a:eb:16 (ECDSA)
|_ 256 30:bf:ef:94:08:86:07:00:f7:fc:df:e8:ed:fe:07:af (ED25519)
2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:3a:b2:54:e4:68:06:a4:e5:5a:ed:c2:c0:82:7b:4b (RSA)
| 256 e7:fa:44:14:f4:ed:7c:15:2c:dd:fd:e1:f5:ab:e9:fa (ECDSA)
|_ 256 3a:52:5c:da:09:64:28:b3:d4:95:50:2b:65:c5:7a:60 (ED25519)
31337/tcp open Elite?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
| In case I forget - user:pass
|_ ubuntu:Dafdas!!/str0ng
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

On enumerating the service on port 31337:

Nmap labels port 31337 "Elite" only because that is the name listed for it in its nmap-services port table, not because it detected anything running there. The trailing "?" in "Elite?" means version detection could not identify the listener; the fingerprint-strings section above is the raw banner the service returned to every probe Nmap sent, and that banner is where the username and password appear.

So I accessed it on a browser. It has a username and password
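As an added example (not code from the writeup), a small Python audit that parses Nmap normal output like the scan above, flags ports whose service name is only an nmap-services table guess, and reports credential-shaped lines found in script output with the password masked. The sample input is constructed, abridged from the scan shown in this writeup.

```python
import re

# Constructed sample, abridged from the nmap -A output shown in this writeup.
SAMPLE = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_ 256 30:bf:ef:94:08:86:07:00:f7:fc:df:e8:ed:fe:07:af (ED25519)
2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
31337/tcp open Elite?
| fingerprint-strings:
| NULL, GetRequest, HTTPOptions:
| In case I forget - user:pass
|_ ubuntu:Dafdas!!/str0ng
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One port line: "31337/tcp open Elite?" or "22/tcp open ssh OpenSSH 8.2p1 ..."
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# A user:pass pair standing alone on a line; the password may hold punctuation.
CRED_RE = re.compile(r"^([A-Za-z0-9_.-]+):(\S{4,})$")


def parse_ports(text):
    """Parse Nmap normal output into one dict per port, keeping NSE script lines."""
    ports, cur = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            cur = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                   "service": m.group(4), "version": m.group(5).strip(), "script": []}
            ports.append(cur)
        elif cur is not None and line.startswith("|"):
            # Strip the "| " / "|_ " script-output prefix.
            cur["script"].append(line.lstrip("|_ ").rstrip())
    return ports


def audit(ports):
    """Flag table-guessed service names and credential-shaped banner lines."""
    findings = []
    for p in ports:
        if p["service"].endswith("?") or not p["version"]:
            findings.append((p["port"], "unidentified", p["service"].rstrip("?")))
        for line in p["script"]:
            m = CRED_RE.match(line)
            if m:
                user, pw = m.groups()
                masked = pw[0] + "*" * (len(pw) - 1)  # never log the secret itself
                findings.append((p["port"], "credential-in-banner", f"{user}:{masked}"))
    return findings
```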

I used the credentials to access SSH on port 22. I managed to find my working directory, then shifted to /home, where there was a user directory. In it was our flag:

└─$ ssh ubuntu@10.10.194.180
ubuntu@10.10.194.180's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.13.0-1014-aws x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Mon Aug 21 17:49:19 2023 from 10.18.6.139
$ pwd
/home/ubuntu
$ cd /home
$ ls
ubuntu user
$ cd user
$ ls -lah
total 16K
drwxr-xr-x 2 root root 4.0K Mar 2 2022 .
drwxr-xr-x 1 root root 4.0K Mar 2 2022 ..
-rw-rw-r-- 1 root root 38 Mar 2 2022 flag.txt
$ cat flag.txt
flag{REDACTED}$

About the author

Wilklins Nyatteng is a cyber security enthusiast with interest in penetration testing & vulnerability assessments, OSINT, cloud security. Certified Cyber Security professional by Trend Micro, 9x Microsoft Certified, CEH Master and AWS Solutions Architect — Associate.
