AoC3#10: Offensive Is The Best Defence
The tenth day of this TryHackMe hosted Advent of Cyber sees us tackling a network challenge – Offensive Is The Best Defence.
The last challenge, Day 9 – Where Is All This Data Going, saw us investigating some suspicious activity using Wireshark. The 10th day of this CTF sees us delving into perhaps my favourite tool – network mapper (nmap).
Day 10 – Busting out nmap
We’re given the nmap command to run, so there’s not much to write up to begin with. You don’t need to run this command as root (a connect scan, -sT, uses the operating system’s normal connect() call rather than raw packets), but I often use sudo out of habit.
└─$ nmap -sT $IP
Starting Nmap 7.92 at 2021-12-18 04:06 EST
Nmap scan report for 10.10.189.216
Host is up (0.047s latency).
Not shown: 9XX closed tcp ports (conn-refused)
PORT STATE SERVICE
...
... {results}
...
Nmap done: 1 IP address (1 host up) scanned in 6.55 seconds
After doing a SYN scan (-sS), we’re then asked to perform a scan to identify the versions of the services running. This forms part of my default scan when I come to a target; simply add the -sV argument. Note that when nmap runs as root it defaults to a SYN scan, so sudo nmap -sV is a SYN scan plus version probes against each open port, which is why the closed ports below are reported as “reset” rather than “conn-refused”:
└─$ sudo nmap -sV $IP
Starting Nmap 7.92 at 2021-12-18 04:10 EST
Nmap scan report for 10.10.189.216
Host is up (0.025s latency).
Not shown: 9XX closed tcp ports (reset)
PORT STATE SERVICE VERSION
...
80/tcp open http Apache httpd X.X.XX
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
...
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.01 seconds
Note that version detection against just these few open services roughly doubles the scan time (6.55s to 11.01s) compared to the SYN scan alone, because nmap sends a series of service probes to every open port. On a larger port range, or across many hosts, this adds up, so it is usually better to enumerate open ports first and run -sV only against those.
We’re then told of a vulnerability in the Apache HTTP server that is running. I search the copy of Exploit-DB that ships with Kali using searchsploit.
Apache HTTP Server 2.4.51 fixed this vulnerability. Looking at the changelog for that release (found online on the Apache httpd 2.4 page), we can see the CVE it patched.
Using nmap to find suspicious ports
We’re then tasked with finding a suspicious open port. The challenge asks us to scan the entire 2^16 range of ports (0-65535; nmap’s -p- covers 1-65535, and you need -p0- to include port 0), however I used a bit of intuition to try to speed this up.
I scanned only the final ‘chunk’ of port numbers, the dynamic/private range that IANA leaves unassigned for ephemeral and ad hoc use. This chunk runs from port 49152 to 65535.
└─$ sudo nmap $IP -sS -T5 -p49152-65535 -vv
Starting Nmap 7.92 at 2021-12-18 05:02 EST
Initiating Ping Scan at 05:02
Scanning 10.10.189.216 [4 ports]
Completed Ping Scan at 05:02, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 05:02
Completed Parallel DNS resolution of 1 host. at 05:02, 0.04s elapsed
Initiating SYN Stealth Scan at 05:02
Scanning 10.10.189.216 [16384 ports]
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
...
Completed SYN Stealth Scan at 05:04, 124.78s elapsed (16384 total ports)
Nmap scan report for 10.10.189.216
Host is up, received echo-reply ttl 63 (0.025s latency).
Scanned at 2021-12-18 05:02:14 EST for 125s
All 16384 scanned ports on 10.10.189.216 are in ignored states.
Not shown: 16384 closed tcp ports (reset)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 125.02 seconds
Raw packets sent: 17915 (788.236KB) | Rcvd: 17097 (683.868KB)
Unfortunately my intuition here didn’t pay off. All 16,384 ports in that dynamic range came back closed (every SYN was answered with a RST, which is what “ignored states” and “closed tcp ports (reset)” mean in the output above). I therefore changed the port range to 1000-49152, adding -Pn and -n to skip host discovery and DNS resolution since we already know the host is up. One caveat: nmap’s default scan covers the 1000 most common ports, not ports 1-1000, so a low-numbered port that isn’t on that list would still be missed by this approach:
└─$ sudo nmap $IP -Pn -n -sS -T5 -p1000-49152 -vv
Starting Nmap 7.92 at 2021-12-18 05:05 EST
Initiating SYN Stealth Scan at 05:05
Scanning 10.10.189.216 [48153 ports]
Increasing send delay for 10.10.189.216 from 0 to 5 due to 204 out of 509 dropped probes since last increase.
Warning: 10.10.189.216 giving up on port because retransmission cap hit (2).
SYN Stealth Scan Timing: About 25.06% done; ETC: 05:11 (0:04:41 remaining)
Discovered open port {port}/tcp on 10.10.189.216
...
Lo and behold, we discover the open port. Note the warnings in that output, though: at -T5 nmap started dropping probes and gave up on at least one port after hitting the retransmission cap (2), so a -T5 sweep can silently miss an open port. -T4 is the safer choice for a full-range scan of a remote target.
We can then target that specific port and run a scan with some additional arguments, namely a verbose (-v) service version scan:
└─$ sudo nmap $IP -Pn -n -sT -sV -p{port} -v
Starting Nmap 7.92 at 2021-12-18 05:12 EST
NSE: Loaded 45 scripts for scanning.
Initiating Connect Scan at 05:12
Scanning 10.10.189.216 [1 port]
Discovered open port {port}/tcp on 10.10.189.216
Completed Connect Scan at 05:12, 0.04s elapsed (1 total ports)
...
PORT STATE SERVICE VERSION
{port}/tcp open {service and version}
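Putting the procedure above into a repeatable form, here is an added example (my own, not part of the original writeup and not nmap’s own tooling): a two-stage sweep that SYN-scans the whole TCP range once, pulls the open ports out of nmap’s greppable (-oG) output, checks the console log for the probe-drop warnings seen above, and then runs -sV against only the ports that were found. The function names, the 10.0.0.5 sample target, the constructed -oG sample embedded in the script and the --min-rate value are all assumptions for illustration.

```shell
#!/bin/sh
# Two-stage port sweep: find every open TCP port first, then version-probe only
# those. Added example for this writeup, not the author's or nmap's own code.

# Constructed -oG sample (not real scan output) so the parser can be tried
# offline. Real greppable output separates fields with tabs; the parser does
# not rely on them.
SAMPLE_GNMAP='# Nmap 7.92 scan initiated as: nmap -Pn -n -sS -p- -oA scan 10.0.0.5
Host: 10.0.0.5 ()  Status: Up
Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 55555/open/tcp//unknown///  Ignored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned in 30.00 seconds'

# Print the open TCP ports from an nmap -oG file as a comma-separated list
# (the form -p accepts), sorted numerically, each port at most once.
open_ports_from_grepable() {
    grep '^Host:' "$1" \
        | grep -o '[0-9][0-9]*/open/tcp' \
        | cut -d/ -f1 \
        | sort -n | uniq \
        | awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'
}

# Return 0 (true) if nmap's console output shows it dropped probes or gave up
# on a port after hitting the retransmission cap. Either means open ports may
# have been missed and the sweep should be repeated at a slower timing template.
scan_lossy() {
    grep -q -e 'retransmission cap hit' -e 'Increasing send delay' "$1"
}

# $1: target host, $2: output basename (default: scan_<target>).
two_stage_scan() {
    target="$1"
    base="${2:-scan_$target}"

    # Stage 1: SYN scan of the full range. -Pn/-n skip host discovery and DNS
    # (we already know the host is up). -T4 plus --min-rate is fast without the
    # probe drops -T5 causes on a lossy link (1000 pps is an assumption; tune it).
    sudo nmap -Pn -n -sS -T4 --min-rate 1000 -v -p- -oA "$base.all" "$target" 2>&1 \
        | tee "$base.all.log"
    [ -s "$base.all.gnmap" ] || { echo "stage 1 produced no output" >&2; return 1; }
    if scan_lossy "$base.all.log"; then
        echo "warning: nmap dropped probes; rerun stage 1 at -T3 before trusting it" >&2
    fi

    ports=$(open_ports_from_grepable "$base.all.gnmap")
    [ -n "$ports" ] || { echo "no open TCP ports found on $target" >&2; return 1; }
    echo "open ports: $ports" >&2

    # Stage 2: version probes only where something is listening.
    sudo nmap -Pn -n -sV -p "$ports" -oA "$base.sv" "$target"
}

# Offline demo on the constructed sample; set NMAP_TARGET to run a real sweep.
if [ -n "${NMAP_TARGET:-}" ]; then
    two_stage_scan "$NMAP_TARGET"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_GNMAP" > "$tmp"
    echo "open ports in sample: $(open_ports_from_grepable "$tmp")"   # 22,80,55555
    rm -f "$tmp"
fi
```

Run it as NMAP_TARGET=10.10.189.216 sh sweep.sh to perform the real two-stage scan; without the variable it only parses the embedded sample. The stage 2 command receives exactly the ports stage 1 found, so version probing costs nothing on the other 65,000-odd closed ports.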
Discovering that open port and its service finished off Day 10 of the Advent of Cyber challenge. This was a relatively quick capture the flag challenge day, but an enjoyable one. Network mapper is such a powerful and versatile tool.