TryHackMe: Net Sec Challenge – Walkthrough

It is time to look at the Net Sec Challenge Room on TryHackMe, a beginner-level challenge in which we can practice the skills we have learned in the Network Security module. This room was very fun, and a perfect way to end the excellent Network Security module, which I enjoyed very much.

Net Sec Challenge Banner

Box URL: https://tryhackme.com/r/room/netsecchallenge

I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from these challenges on HTB and THM.
Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.


Task 1: Introduction

Use this challenge to test your mastery of the skills you have acquired in the Network Security module. All the questions in this challenge can be solved using only nmap, telnet, and hydra.

Questions

Launch the AttackBox and the target VM.

Answer: No answer needed


Task 2: Challenge Questions

You can answer the following questions using Nmap, Telnet, and Hydra.

What is the highest port number being open less than 10,000?

Let’s get going. Start up your AttackBox or, if you prefer, connect to the target network over OpenVPN with the following command:

sudo openvpn <file_name>.ovpn

To find the open ports with numbers less than 10,000 we can use a regular nmap command without any flags:

nmap <target ip>

This gives the following results:

Running a regular nmap scan

As the screenshot shows, the highest port number below 10,000 is 8080. In this case it is an HTTP server, but this is not so important for now.

Answer: 8080

There is an open port outside the common 1000 ports; it is above 10,000. What is it?

A regular nmap scan only checks the 1000 most common ports. To scan all ports we can use the -p- flag, or you can enter the following to only scan ports above 10,000:

nmap <target ip> -p10001-65535

In this case, I would recommend adding the -v flag to get a message when a port is found during the scan, and perhaps -T4 to make the scan more aggressive:

nmap <target ip> -p10001-65535 -v -T4

It might take some time, but here is the result:

Using nmap to scan uncommon ports

The port number is 10021.

Answer: 10021

How many TCP ports are open?

This one is quick to answer. We found 5 ports under 10,000 and one above, so this gives 6 🙂

Answer: 6

What is the flag hidden in the HTTP server header?

Let’s move on. It is time to look at some server headers.

There are at least three different ways of doing this:

If you prefer to use nmap you can use the following command:

nmap 10.10.103.213 -sV -sC -p 80

Using nmap to find the HTTP server header

The flag is right there, underneath version.

A perhaps simpler way to find the flag is to visit the homepage on port 80 and look at the Network tab of the browser's developer tools:

Finding the server header in Firefox

Finally, we can use telnet to connect to port 80:

telnet 10.10.103.213 80

Followed by entering an HTTP GET request:

GET / HTTP/1.1

And a made-up host:

Host: tryhackme.com

This gives us the flag as well:

Grabbing the HTTP Server header with telnet

So, the answer is:

Answer: THM{web_server_25352}

What is the flag hidden in the SSH server header?

This question is quite similar. In this case we could either scan port 22 including default scripts:

nmap <target ip> -sV -sC -p 22

Scanning the SSH service with nmap

Or use telnet to connect to port 22:

telnet <target ip> 22

And again:

Grabbing the server header with telnet

Answer: THM{946219583339}

We have an FTP server listening on a nonstandard port. What is the version of the FTP server?

The original 5 ports below 10,000 were not running FTP, but we don’t know enough about port 10021, so let’s run a more advanced scan on that port:

nmap <target ip> -sV -sC -p 10021

Scanning the FTP service found on port 10021

This shows us that this port is indeed running FTP. And we got the answer as well!

Answer: vsftpd 3.0.5

We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?

We used nmap and telnet a couple of times, but now it is time to load up hydra!

It is important to provide the username with a lowercase -l flag, and the password list with a capital -P flag. Finally, we enter the port number with the -s flag since the FTP service is not running on its default port (21). Remember the URI scheme (ftp://) before your IP.

hydra -l eddie -P /usr/share/wordlists/rockyou.txt -s 10021 ftp://<ip>

Using hydra to crack eddie’s password

Now it is time to log in to the FTP server by running:

ftp <target ip> 10021

Enter the username and password when prompted. Unfortunately, we find no flags when listing files (by running ls):

Logging into the FTP server without results

Since eddie is not the right user, we have to run everything again, but this time for quinn:

hydra -l quinn -P /usr/share/wordlists/rockyou.txt -s 10021 ftp://<ip>

Using hydra once more

We got the password. Now use it to log in to the FTP server:

ftp <target ip> 10021

Enter the username and password, and run ls again.

Accessing the ftp server once more

Sure enough, there is the flag. Now all that is left is to download it with the get command, and read it:

get ftp_flag.txt

Exit the FTP server, and run cat on the file:

We found the flag!

We got the flag!

Answer: THM{321452667098}
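
What the hydra run above looks like from the server side, as an added example that is not part of the original walkthrough or the room: a burst of failed logins for one account from one client, then a success. The log line format (modelled on vsftpd's log), the addresses, the thresholds and all function names are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern for login lines in the style of vsftpd's log (format assumed here).
LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>FAIL|OK) LOGIN: Client "(?P<ip>[^"]+)"'
)

def parse(log):
    """Yield (timestamp, ip, user, result) for every login line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["ip"], m["user"], m["result"]

def brute_force_alerts(log, max_fails=5, window=timedelta(seconds=60)):
    """Flag (ip, user) pairs with max_fails failures inside the window,
    and record whether a successful login followed the burst."""
    recent = defaultdict(list)
    alerts = {}
    for ts, ip, user, result in parse(log):
        key = (ip, user)
        if result == "FAIL":
            recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
            if len(recent[key]) >= max_fails:
                alert = alerts.setdefault(key, {"fails": 0, "compromised": False})
                alert["fails"] = max(alert["fails"], len(recent[key]))
        elif key in alerts:
            alerts[key]["compromised"] = True  # a guess succeeded after the burst
    return alerts

def _line(sec, user, result, ip):
    """Build one constructed log line at 10:00:<sec>."""
    return (f'Mon Mar 04 10:00:{sec:02d} 2024 [pid 801] '
            f'[{user}] {result} LOGIN: Client "{ip}"')

# Constructed sample: a guessing burst against quinn, and a single typo by eddie.
SAMPLE_LOG = "\n".join(
    [_line(s, "quinn", "FAIL", "192.0.2.10") for s in range(1, 7)]
    + [_line(7, "quinn", "OK", "192.0.2.10"),
       _line(20, "eddie", "FAIL", "192.0.2.20"),
       _line(25, "eddie", "OK", "192.0.2.20")]
)

if __name__ == "__main__":
    print(brute_force_alerts(SAMPLE_LOG))
```

An alert with `compromised` set is the case to act on first: the account's password was guessed and should be rotated.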

Browsing to http://<ip>:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?

Time for a final challenge. Visit the homepage on port 8080:

Visiting the homepage on port 8080

We need to scan the machine covertly.

To be honest, this one is a lot of trial and error. First I tried fragmenting the packets by using the -f flag but that did not work.

Then I tried running all of the different scans we learned about. The one that worked for me was the Null Scan, which is run by the following command:

nmap -sN 10.10.103.213

We get the result:

Our nmap scanning was not detected!

To be fair, the module does not really explain why this type of scan is more covert.

I did some research, and it is considered more covert because:

  • No SYN, ACK, or other flags: A typical TCP connection initiation (like the three-way handshake) involves sending SYN and ACK flags, which are often logged and detected. The Null Scan doesn’t send any of these flags, instead sending a packet with no flags at all, making it appear as if it’s not trying to establish a connection in the usual way.
  • Unusual Behavior: Many firewalls and intrusion detection systems focus on watching for specific flag patterns. Since a Null Scan is unusual, it’s less likely to be flagged as a typical connection attempt.

I hope that improves the learning experience somewhat.

Answer: THM{f7443f99}
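
From the defender's side, a TCP packet with no flags set belongs to no legitimate exchange, so it is simple to match once a sensor inspects the flag bits rather than only watching for SYN. The sketch below is an added example, not part of the original walkthrough or the room: it parses raw TCP headers, classifies null, FIN and Xmas probes, and reports sources that send them to several ports. The addresses, the `min_ports` threshold and all function names are assumptions, and the sample packets are constructed.

```python
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def tcp_flags(header):
    """Return (destination port, flag bits) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    _src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", header[:14])
    return dst, off_flags & 0x3F  # low 6 bits: URG ACK PSH RST SYN FIN

def classify(flags):
    """Name the probe type implied by the flag combination."""
    if flags == 0:
        return "null"
    if flags == FIN:
        return "fin"
    if flags == FIN | PSH | URG:
        return "xmas"
    if flags == SYN:
        return "syn"
    return "other"

def stealth_scanners(packets, min_ports=3):
    """Sources sending null/FIN/Xmas probes to at least min_ports ports."""
    seen = defaultdict(set)
    for src, header in packets:
        dst, flags = tcp_flags(header)
        kind = classify(flags)
        if kind in ("null", "fin", "xmas"):
            seen[(src, kind)].add(dst)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}

def make_header(dst_port, flags):
    """Build a constructed 20-byte TCP header for the sample data."""
    return struct.pack("!HHIIHHHH", 40000, dst_port, 0, 0,
                       (5 << 12) | flags, 1024, 0, 0)

# Constructed sample traffic: one host null-scanning, one normal client.
SAMPLE = [("192.0.2.10", make_header(p, 0)) for p in (22, 80, 8080, 10021)]
SAMPLE += [("192.0.2.20", make_header(80, SYN)),
           ("192.0.2.20", make_header(80, ACK))]

if __name__ == "__main__":
    print(stealth_scanners(SAMPLE))
```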


Task 3: Summary

In this module, we have learned about passive reconnaissance, active reconnaissance, Nmap, protocols and services, and attacking logins with Hydra.

Questions

Time to continue your journey with a new module.

Answer: No answer needed


Great job!

Congratulations, we made it to the end! I hope you enjoyed this walkthrough of the Net Sec Challenge room on TryHackMe!
This was a very nice ending to the Network Security Module! I hope it helped to cement some of the knowledge gained during the module. See you next time!

