It is not necessary to scan all 65535 ports on every engagement, but it is useful in some cases, because the default scan only covers the most common 1000 ports. Below is the nmap command to scan all ports (-p-) with default scripts (-sC) and version detection (-sV):
nmap -sC -sV -p- 10.10.85.107

Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 17:33 IST
Nmap scan report for 10.10.85.107 (10.10.85.107)
Host is up (0.19s latency).
Not shown: 65529 closed tcp ports (conn-refused)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         (protocol 2.0)
| ssh-hostkey:
|   3072 da5f69e2111f7c6680896154e87b16f3 (RSA)
|   256 3f8c0946ab1cdfd73583cf6d6e177e1c (ECDSA)
|_  256 eda93aaa4c6b16e60d437546fb33b229 (ED25519)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-OpenSSH_8.2p1 THM{946219583339}
80/tcp    open  http        lighttpd
|_http-server-header: lighttpd THM{web_server_25352}
|_http-title: Hello, world!
139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2
8080/tcp  open  http        Node.js (Express middleware)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
10021/tcp open  ftp         vsftpd 3.0.3
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.93%I=7%D=5/4%Time=6453A483%P=x86_64-pc-linux-gnu%r(NULL,
SF:29,"SSH-2\.0-OpenSSH_8\.2p1\x20THM{946219583339}\r\n");
Service Info: OS: Unix

Host script results:
| smb2-time:
|   date: 2023-05-04T12:26:50
|_  start_date: N/A
|_nbstat: NetBIOS name: NETSEC-CHALLENG, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1404.23 seconds
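Rather than reading the scan by eye, the port table and the NSE script lines can be parsed to answer the questions that follow. This is an added Python example, not code from the original writeup; the sample text is the scan output above, trimmed, and the helper names are my own.

```python
import re
from collections import OrderedDict

# Sample input: the normal-format nmap output from the scan above, trimmed.
SCAN = r"""PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
| ssh-hostkey:
|_  256 eda93aaa4c6b16e60d437546fb33b229 (ED25519)
| fingerprint-strings:
|_    SSH-2.0-OpenSSH_8.2p1 THM{946219583339}
80/tcp open http lighttpd
|_http-server-header: lighttpd THM{web_server_25352}
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
8080/tcp open http Node.js (Express middleware)
10021/tcp open ftp vsftpd 3.0.3
SF-Port22-TCP:V=7.93%r(NULL,29,"SSH-2\.0-OpenSSH_8\.2p1\x20THM{946219583339}\r\n");
Service Info: OS: Unix
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
FLAG_RE = re.compile(r"THM\{[^}]*\}")

def parse_nmap(text):
    """Map port number -> proto/state/service/version plus any flags in NSE output."""
    ports, current = OrderedDict(), None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {"proto": m.group(2), "state": m.group(3),
                              "service": m.group(4), "version": m.group(5), "flags": []}
        elif line.startswith("|") and current is not None:
            # NSE script lines belong to the most recent port line. The SF fingerprint
            # block does not start with '|', so its copy of the SSH flag is not counted twice.
            ports[current]["flags"].extend(FLAG_RE.findall(line))
    return ports

def open_tcp_ports(ports):
    return sorted(p for p, d in ports.items() if d["proto"] == "tcp" and d["state"] == "open")

def highest_open_below(ports, limit):
    return max(p for p in open_tcp_ports(ports) if p < limit)

def open_above(ports, limit):
    return [p for p in open_tcp_ports(ports) if p > limit]

def flags_by_service(ports):
    return {d["service"]: f for d in ports.values() for f in d["flags"]}
```

Running `parse_nmap(SCAN)` on the real output gives the same six open TCP ports, the 8080 and 10021 answers, and both flags keyed by service.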
1. What is the highest port number being open less than 10,000?
Ans: 8080
2. There is an open port outside the common 1000 ports; it is above 10,000. What is it?
The default scan only covers the common 1000 ports, so we have to run a full-range scan (-p-, as above) to find ports above 10,000.
Ans: 10021
3. How many TCP ports are open?
Ans: 6
4. What is the flag hidden in the HTTP server header?
Ans: THM{web_server_25352}
5. What is the flag hidden in the SSH server header?
Ans: THM{946219583339}
6. We have an FTP server listening on a nonstandard port. What is the version of the FTP server?
Ans: vsftpd 3.0.3
7. We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?
We have to brute-force the passwords of these two usernames using Hydra. The recovered credentials:
Username: eddie
Password: jordan
Username: quinn
Password: andrea
Let's log in with the credentials using the ftp client:
1. ftp <MACHINE-IP> <PORT-NUMBER>
2. eddie
3. jordan
4. ls
We found a file which contains the flag, so let's download it with the command get ftp_flag.txt and read it locally.
Ans: Answer is below the filezilla method