Network Enumeration with Nmap Walkthrough (Hack The Box)
Walkthrough
Host Discovery
Based on the last result, find out which operating system it belongs to. Submit the name of the operating system as result.
sudo nmap <redacted-ip> -sn -oA host -PE --packet-trace --disable-arp-ping
Initially, I was confused about how to determine the operating system from the result. After some research, I learned that the time-to-live (TTL) value in an ICMP reply can give a strong indication.
- Windows systems typically use an initial TTL of 128.
- Linux/Unix systems typically use 64.
- Some network devices use 255.
This clue helps narrow down the OS.
Host and Port Scanning
Find all TCP ports on your target. Submit the total number of found TCP ports as the answer.
sudo nmap -p- <redacted-ip>
The number of open TCP ports is the answer.
Enumerate the hostname of your target and submit it as the answer (case-sensitive).
At first, I wasn’t sure how to find the hostname. It turns out that running the -sC scan, which uses Nmap’s default scripts, reveals this information.
The -sC option runs a curated list of scripts that the Nmap authors consider useful, safe, and quick.
sudo nmap -sC <redacted-ip>
The hostname can be found in the smb-os-discovery result.
Saving the Results
Perform a full TCP port scan on your target and create an HTML report. Submit the number of the highest port as the answer.
sudo nmap <redacted-ip> -oX target.xml
To convert the XML into HTML:
xsltproc style.xsl target.xml > output.html
To render it directly in the terminal (Linux):
lynx output.html
Service Enumeration
Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.
sudo nmap -sV -p22,80,110,139,143,445,31337 <redacted-ip>
Nmap Scripting Engine
Use NSE and its scripts to find the flag that one of the services contains and submit it as the answer.
I followed the methods outlined in the module as a guide.
First attempt:
sudo nmap <redacted-ip> -p 80 -A
No useful result.
Second attempt:
sudo nmap <redacted-ip> -p 80 -sV --script vuln
This time, I saw an interesting reference to a robots.txt file.
curl http://<redacted-ip>/robots.txt
And there it was — the flag.
Firewall and IDS/IPS Evasion – Easy Lab
Our client wants to know if we can identify which operating system their machine is running. Submit the OS name as the answer.
We want to discover the OS quietly.
sudo nmap -O --disable-arp-ping -Pn <redacted-ip>
Since this is run as root, it defaults to an -sS (stealth) scan. No results were returned.
This strongly suggests a firewall is blocking our attempts. Since this was a quiet scan, there were 0 alerts triggered.
Next, I tried the method from the earlier exercise:
sudo nmap -sn -PE --packet-trace --disable-arp-ping <redacted-ip>
Again, I looked at the TTL values:
- Windows = 128
- Linux/Unix = 64
- Network devices = 255
This revealed the OS is Linux.
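The TTL heuristic used here and in the Host Discovery section, as an added Python example that is not part of the original walkthrough: it parses the ICMP echo-reply lines in the format Nmap prints with --packet-trace and maps each observed TTL to the nearest standard initial value, since every router hop decrements the field by one (so a reply with ttl=62 still points at Linux/Unix). The sample trace lines, addresses and ids are constructed.

```python
import re

# Initial TTL values the walkthrough relies on (Windows 128, Linux/Unix 64,
# network devices 255). Observed TTLs sit at or below these because every
# router hop decrements the field by one.
INITIAL_TTLS = {128: "Windows", 64: "Linux/Unix", 255: "network device"}

# Matches an ICMP echo reply line as printed by nmap --packet-trace, e.g.
# "RCVD (0.0287s) ICMP [A > B Echo reply (type=0/code=0) ...] IP [ttl=128 ...]"
TRACE_RE = re.compile(
    r"^RCVD .*?ICMP \[(?P<src>[\d.]+) > (?P<dst>[\d.]+) Echo reply .*?"
    r"IP \[ttl=(?P<ttl>\d+)"
)

def guess_os(ttl):
    """Map an observed TTL to the smallest standard initial TTL >= ttl and
    return (os_family, estimated_hops); (None, None) if ttl is not 1..255."""
    candidates = [init for init in INITIAL_TTLS if init >= ttl]
    if ttl < 1 or not candidates:
        return None, None
    init = min(candidates)
    return INITIAL_TTLS[init], init - ttl

def parse_trace(lines):
    """Return {source_ip: (ttl, os_family, hops)} for every echo reply in a
    --packet-trace dump; SENT lines and non-ICMP packets are ignored."""
    results = {}
    for line in lines:
        m = TRACE_RE.match(line.strip())
        if not m:
            continue
        ttl = int(m.group("ttl"))
        os_family, hops = guess_os(ttl)
        results[m.group("src")] = (ttl, os_family, hops)
    return results

# Constructed sample in --packet-trace format; addresses, ids and timings are
# made up. The second host is two hops away, so its TTL reads 62, not 64.
SAMPLE_TRACE = """\
SENT (0.0074s) ICMP [10.10.14.2 > 10.129.2.18 Echo request (type=8/code=0) id=13607 seq=0] IP [ttl=255 id=23541 iplen=28 ]
RCVD (0.0287s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28 ]
SENT (0.0075s) ICMP [10.10.14.2 > 10.129.2.19 Echo request (type=8/code=0) id=13608 seq=0] IP [ttl=255 id=23542 iplen=28 ]
RCVD (0.0312s) ICMP [10.129.2.19 > 10.10.14.2 Echo reply (type=0/code=0) id=13608 seq=0] IP [ttl=62 id=1 iplen=28 ]
""".splitlines()

if __name__ == "__main__":
    for host, (ttl, os_family, hops) in parse_trace(SAMPLE_TRACE).items():
        print(f"{host}: ttl={ttl} -> {os_family} (~{hops} hops away)")
```

The hop estimate is only a heuristic: a host with a non-default initial TTL will be misclassified, which is why the walkthrough confirms the guess with a service version scan.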
Now, to learn the Linux distribution, I scanned for service versions:
sudo nmap -sV -p22,80,110,139,143,445,10001 --disable-arp-ping -Pn <redacted-ip>
Voila!
Firewall and IDS/IPS Evasion – Medium Lab
After transferring configurations, the client wants to know if it’s possible to find out the target’s DNS server version. Submit the DNS server version as the answer.
DNS typically runs on port 53.
sudo nmap -sV -p53 --disable-arp-ping -Pn <redacted-ip>
The port appeared closed. A closed port means our SYN packet received a RST + ACK response.
I then noticed the note:
To successfully solve the exercise, we must use the UDP protocol on the VPN.
So I retried with UDP:
sudo nmap -sUV -p53 --disable-arp-ping -n -Pn <redacted-ip>
Firewall and IDS/IPS Evasion – Hard Lab
The client now wants to know if it’s possible to identify the version of a specific running service. Submit the flag as the answer.
Hint: The client mentioned they had to add a service critical for handling large amounts of data.
First, I scanned to see what new services were present:
sudo nmap -sV -Pn --disable-arp-ping <redacted-ip>
I noticed Port 50000.
Next, I tried connecting with netcat:
ncat -nv --source-port 53 <redacted-ip> 50000
This failed locally on my ParrotOS terminal, so I switched to the Pwnbox. I initially hit a “permission denied” error, but running it with sudo worked:
sudo ncat -nv --source-port 53 <redacted-ip> 50000