NETWORK ENUMERATION W/ NMAP

HOST DISCOVERY

Based on the last result, find out which operating system it belongs to. Submit the name of the operating system as result.

root@htb:~$ sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace --disable-arp-ping 
 Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 00:12 CEST
 SENT (0.0107s) ICMP [10.10.14.2 > 10.129.2.18 Echo request (type=8/code=0) id=13607 seq=0] IP [ttl=255 id=23541 iplen=28 ]
 RCVD (0.0152s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28 ]
 Nmap scan report for 10.129.2.18
 Host is up (0.086s latency).
 MAC Address: DE:AD:00:00:BE:EF
 Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
 
 * the default TTL for windows is 128 while Linux uses 64

HOST & PORT SCANNING

Find all TCP ports on your target. Submit the total number of found TCP ports as the answer.

root@htb:~$ sudo nmap -sS -T4 10.129.2.49 -p-
 PORT      STATE SERVICE
 22/tcp    open  ssh
 80/tcp    open  http
 110/tcp   open  pop3
 139/tcp   open  netbios-ssn
 143/tcp   open  imap
 445/tcp   open  microsoft-ds
 31337/tcp open  Elite

Enumerate the hostname of your target and submit it as the answer. (case-sensitive)

root@htb:~$ sudo nmap -sV -T4 10.129.2.49 -p 22,80,110,139,143,145,31337
 PORT      STATE  SERVICE     VERSION
 22/tcp    open   ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
 80/tcp    open   http        Apache httpd 2.4.29 ((Ubuntu))
 110/tcp   open   pop3        Dovecot pop3d
 139/tcp   open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
 143/tcp   open   imap        Dovecot imapd (Ubuntu)
 145/tcp   closed uaac
 31337/tcp open   Elite?
 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
 SF-Port31337-TCP:V=7.94SVN%I=7%D=7/13%Time=68748579%P=x86_64-pc-linux-gnu%
 SF:r(GetRequest,1F,"220\x20HTB{pr0F7pDv3r510nb4nn3r}\r\n");
 Service Info: Host: NIX-NMAP-DEFAULT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

SAVING THE RESULTS

Perform a full TCP port scan on your target and create an HTML report. Submit the number of the highest port as the answer.

root@htb:~$ sudo nmap -sT -sV -sC -T4 10.129.5.221 -p- -oA 10.129.5.221Result
 PORT      STATE SERVICE     VERSION
 22/tcp    open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 |   2048 71:c1:89:90:7f:fd:4f:60:e0:54:f3:85:e6:35:6c:2b (RSA)
 |   256 e1:8e:53:18:42:af:2a:de:c0:12:1e:2e:54:06:4f:70 (ECDSA)
 |_  256 1a:cc:ac:d4:94:5c:d6:1d:71:e7:39:de:14:27:3c:3c (ED25519)
 80/tcp    open  http        Apache httpd 2.4.29 ((Ubuntu))
 |_http-server-header: Apache/2.4.29 (Ubuntu)
 |_http-title: Apache2 Ubuntu Default Page: It works
 110/tcp   open  pop3        Dovecot pop3d
 |_pop3-capabilities: SASL CAPA PIPELINING TOP AUTH-RESP-CODE RESP-CODES UIDL
 139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
 143/tcp   open  imap        Dovecot imapd (Ubuntu)
 |_imap-capabilities: ID LOGIN-REFERRALS ENABLE LITERAL+ IMAP4rev1 more have SASL-IR Pre-login listed LOGINDISABLEDA0001 IDLE capabilities OK post-login
 445/tcp   open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
 31337/tcp open  Elite?
 | fingerprint-strings: 
 |   GetRequest: 
 |_    220 HTB{pr0F7pDv3r510nb4nn3r}
 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
 SF-Port31337-TCP:V=7.94SVN%I=7%D=7/20%Time=687D8A8A%P=x86_64-pc-linux-gnu%
 SF:r(GetRequest,1F,"220\x20HTB{pr0F7pDv3r510nb4nn3r}\r\n");
 Service Info: Host: NIX-NMAP-DEFAULT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
 Host script results:
 | smb2-security-mode: 
 |   3:1:1: 
 |_    Message signing enabled but not required
 | smb-os-discovery: 
 |   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
 |   Computer name: nix-nmap-default
 |   NetBIOS computer name: NIX-NMAP-DEFAULT\x00
 |   Domain name: \x00
 |   FQDN: nix-nmap-default
 |_  System time: 2025-07-21T02:34:31+02:00
 | smb2-time: 
 |   date: 2025-07-21T00:34:31
 |_  start_date: N/A
 |_nbstat: NetBIOS name: NIX-NMAP-DEFAUL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 |_clock-skew: mean: -40m05s, deviation: 1h09m17s, median: -6s
 | smb-security-mode: 
 |   account_used: guest
 |   authentication_level: user
 |   challenge_response: supported
 |_  message_signing: disabled (dangerous, but default)
 
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 173.10 seconds

SERVICE ENUMERATION

Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.

root@htb:~$ sudo nmap -sT -sV -sC -T4 10.129.5.221 -p- -oA 10.129.5.221Result
 PORT      STATE SERVICE     VERSION
 22/tcp    open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 |   2048 71:c1:89:90:7f:fd:4f:60:e0:54:f3:85:e6:35:6c:2b (RSA)
 |   256 e1:8e:53:18:42:af:2a:de:c0:12:1e:2e:54:06:4f:70 (ECDSA)
 |_  256 1a:cc:ac:d4:94:5c:d6:1d:71:e7:39:de:14:27:3c:3c (ED25519)
 80/tcp    open  http        Apache httpd 2.4.29 ((Ubuntu))
 |_http-server-header: Apache/2.4.29 (Ubuntu)
 |_http-title: Apache2 Ubuntu Default Page: It works
 110/tcp   open  pop3        Dovecot pop3d
 |_pop3-capabilities: SASL CAPA PIPELINING TOP AUTH-RESP-CODE RESP-CODES UIDL
 139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
 143/tcp   open  imap        Dovecot imapd (Ubuntu)
 |_imap-capabilities: ID LOGIN-REFERRALS ENABLE LITERAL+ IMAP4rev1 more have SASL-IR Pre-login listed LOGINDISABLEDA0001 IDLE capabilities OK post-login
 445/tcp   open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
 31337/tcp open  Elite?
 | fingerprint-strings: 
 |   GetRequest: 
 |_    220 HTB{pr0F7pDv3r510nb4nn3r}
 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
 SF-Port31337-TCP:V=7.94SVN%I=7%D=7/20%Time=687D8A8A%P=x86_64-pc-linux-gnu%
 SF:r(GetRequest,1F,"220\x20HTB{pr0F7pDv3r510nb4nn3r}\r\n");
 Service Info: Host: NIX-NMAP-DEFAULT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
 Host script results:
 | smb2-security-mode: 
 |   3:1:1: 
 |_    Message signing enabled but not required
 | smb-os-discovery: 
 |   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
 |   Computer name: nix-nmap-default
 |   NetBIOS computer name: NIX-NMAP-DEFAULT\x00
 |   Domain name: \x00
 |   FQDN: nix-nmap-default
 |_  System time: 2025-07-21T02:34:31+02:00
 | smb2-time: 
 |   date: 2025-07-21T00:34:31
 |_  start_date: N/A
 |_nbstat: NetBIOS name: NIX-NMAP-DEFAUL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 |_clock-skew: mean: -40m05s, deviation: 1h09m17s, median: -6s
 | smb-security-mode: 
 |   account_used: guest
 |   authentication_level: user
 |   challenge_response: supported
 |_  message_signing: disabled (dangerous, but default)
 
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 173.10 seconds

NMAP SCRIPTING ENGINE

Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.

root@htb:~$ sudo nmap -sS -T4 10.129.2.49 -p-
 PORT      STATE SERVICE     VERSION
 22/tcp    open  ssh
 80/tcp    open  http
 110/tcp   open  pop3
 139/tcp   open  netbios-ssn
 143/tcp   open  imap
 445/tcp   open  microsoft-ds
 31337/tcp open  Elite
 
root@htb:~$ sudo nmap -sV -sC -T4 10.129.2.49 -p 22,80,110,139,143,445,31337
 PORT      STATE SERVICE     VERSION
 22/tcp    open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 |   2048 71:c1:89:90:7f:fd:4f:60:e0:54:f3:85:e6:35:6c:2b (RSA)
 |   256 e1:8e:53:18:42:af:2a:de:c0:12:1e:2e:54:06:4f:70 (ECDSA)
 |_  256 1a:cc:ac:d4:94:5c:d6:1d:71:e7:39:de:14:27:3c:3c (ED25519)
 80/tcp    open  http        Apache httpd 2.4.29 ((Ubuntu))
 |_http-title: Apache2 Ubuntu Default Page: It works
 |_http-server-header: Apache/2.4.29 (Ubuntu)
 110/tcp   open  pop3        Dovecot pop3d
 |_pop3-capabilities: SASL AUTH-RESP-CODE RESP-CODES CAPA UIDL PIPELINING TOP
 139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
 143/tcp   open  imap        Dovecot imapd (Ubuntu)
 |_imap-capabilities: have LITERAL+ more SASL-IR IDLE listed OK ID capabilities LOGINDISABLEDA0001 Pre-login post-login LOGIN-REFERRALS IMAP4rev1 ENABLE
 445/tcp   open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
 31337/tcp open  Elite?
 | fingerprint-strings: 
 |   GetRequest: 
 |_    220 HTB{pr0F7pDv3r510nb4nn3r}
 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
 SF-Port31337-TCP:V=7.94SVN%I=7%D=7/27%Time=6886DB68%P=x86_64-pc-linux-gnu%
 SF:r(GetRequest,1F,"220\x20HTB{pr0F7pDv3r510nb4nn3r}\r\n");
 Service Info: Host: NIX-NMAP-DEFAULT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
 Host script results:
 | smb2-time: 
 |   date: 2025-07-28T02:10:03
 |_  start_date: N/A
 |_nbstat: NetBIOS name: NIX-NMAP-DEFAUL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb-security-mode: 
 |   account_used: guest
 |   authentication_level: user
 |   challenge_response: supported
 |_  message_signing: disabled (dangerous, but default)
 |_clock-skew: mean: -40m00s, deviation: 1h09m16s, median: 0s
 | smb2-security-mode: 
 |   3:1:1: 
 |_    Message signing enabled but not required
 | smb-os-discovery: 
 |   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
 |   Computer name: nix-nmap-default
 |   NetBIOS computer name: NIX-NMAP-DEFAULT\x00
 |   Domain name: \x00
 |   FQDN: nix-nmap-default
 |_  System time: 2025-07-28T04:10:03+02:00

root@htb:~$ sudo nmap --script=vuln -T4 10.129.2.49 -p 22,80,110,139,143,445,31337
 PORT      STATE SERVICE     VERSION
 22/tcp    open  ssh
 80/tcp    open  http
 |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
 |_http-csrf: Couldn't find any CSRF vulnerabilities.
 |_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
 |_http-dombased-xss: Couldn't find any DOM based XSS.
 | http-enum: 
 |_  /robots.txt: Robots file
 110/tcp   open  pop3
 139/tcp   open  netbios-ssn
 143/tcp   open  imap
 445/tcp   open  microsoft-ds
 31337/tcp open  Elite

 Host script results:
 | smb-vuln-regsvc-dos: 
 |   VULNERABLE:
 |   Service regsvc in Microsoft Windows systems vulnerable to denial of service
 |     State: VULNERABLE
 |       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
 |       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
 |       while working on smb-enum-sessions.
 |_          
 |_smb-vuln-ms10-054: false
 |_smb-vuln-ms10-061: false

root@htb:~$ curl http://10.129.2.49/robots.txt
 User-agent: *

 Allow: /

 HTB{873nniuc71bu6usbs1i96as6dsv26}

PreviousGETTING STARTED NextFOOTPRINTING

Last updated 26 days ago