Intermediate NMAP Walkthrough — TryHackMe

blindkratos
5 min read · Sep 17, 2022


This is a detailed walkthrough for the room Intermediate NMAP on TryHackMe. This was a very simple room that just requires a fairly good knowledge of the nmap tool to get through. This will not be a long write-up, purely because there aren’t too many steps to this room. Despite that, I found it quite fun and a nice quick way to refresh your nmap skills. It is also a great room for proving just how effective thorough enumeration can be in exploiting a machine — the more time you spend enumerating, and the more thorough you are with your search, the easier the rest of the process can be. I completed this room using my laptop running Ubuntu, with the required tools downloaded, and was connected to THM using OpenVPN.

So let’s get started!

Once my machine was up and running, I began with a Threader3000 scan to quickly see all the open ports. The reason I did this is because Threader3000 is a multi threaded port scanner, and will find all open ports much faster than an initial nmap all ports scan (especially when connected to THM using OpenVPN rather than the AttackBox on their own network). See the screenshot below for the output.

Threader3000 Port Scan of my target IP

You can find Threader3000 here: https://github.com/dievus/threader3000 (shout out to dievus for creating such a great tool for speedy port scanning). As you can see in the screenshot above, Threader3000 found 3 ports open, and gave me a couple of follow-up options. I ran the suggested nmap scan (as this is an nmap room), which was nmap -p22,2222,31337 -sV -sC -T4 -Pn -oA 10.10.240.210 10.10.240.210

Because this is an nmap room, I’m going to go through the options on this scan in detail, just in case anyone went straight to nmap right from the start.

nmap: An obvious one, but this is the command to use the nmap port scanner in the terminal.
-p22,2222,31337: -p is used to select specific ports to be scanned by nmap. As Threader3000 previously found the ports 22, 2222, and 31337 open, we only need to use nmap on those specific ports. If you had started with nmap and wanted to do an all-port scan, you would use the option “-p-”.
-sV: This is the Service/Version detection scan type. This scan type will try to connect to each port and determine what service and version is running based on the response received by the scan. It is not always 100% accurate, but it can provide some nice extra info to help with exploitation.
-sC: This is the Script scan. With no specific arguments provided, this scan type will run all the default scripts against each open port. It is a very handy option to figure out more info to help with exploitation, however it is noisy and will take a long time if there are a lot of ports to scan.
-T4: This is the timing for the scan, and the options are 0–5. T4 is a very fast scan. This can result in errors, and is very loud, but will speed up the scanning process considerably.
-Pn: This is an option to remove host discovery (done using ping). If a machine has a firewall, it will block the ping scan from nmap and will result in an error. If you are absolutely sure there are open ports on the machine you are scanning, you can use this option to treat all hosts as online and skip host discovery.
-oA 10.10.240.210: This is the option to output the results of the scan in all formats, to a folder called 10.10.240.210 (the target IP). You can name the folder whatever you want, but the output files will also be named with variations of that name.
10.10.240.210: This is the target IP to be scanned by nmap.

All of the options described above can be read about in more detail using nmap -h or at https://nmap.org/book/man.html
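The -oA option above also writes a greppable .gnmap file, which is handy for turning a scan into a quick summary of open ports and detected services. The script below is an added example, not code from the original post or from nmap/Threader3000: it builds a constructed .gnmap file shaped like the scan in this room (the SSH version strings are made up, since the post omits them) and parses it. The helper names write_sample, open_services and count_open are my own.

```shell
#!/bin/sh
# Added example: summarise open ports from the greppable (.gnmap) file
# that "nmap ... -oA <basename>" writes. Not part of the original post.

# write_sample FILE: write a constructed .gnmap file shaped like the scan in
# the post (ports 22, 2222, 31337). The SSH version strings are invented.
write_sample() {
    printf '# Nmap scan initiated as: nmap -p22,2222,31337 -sV -sC -T4 -Pn -oA 10.10.240.210 10.10.240.210\n' > "$1"
    printf 'Host: 10.10.240.210 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 10.10.240.210 ()\tPorts: %s\tIgnored State: closed (997)\n' \
        '22/open/tcp//ssh//OpenSSH 8.2p1 (constructed)/, 2222/open/tcp//ssh//OpenSSH 8.2p1 (constructed)/, 31337/open/tcp//Elite?///' >> "$1"
    printf '# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds\n' >> "$1"
}

# open_services FILE: print one "ip port service version" line per open port.
# Each entry in the Ports: field is port/state/proto/owner/service/rpc/version/
open_services() {
    grep '^Host:.*Ports:' "$1" | awk -F '\t' '{
        ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
        ports = $2; sub(/^Ports: /, "", ports)
        n = split(ports, entry, ", ")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")
            if (f[2] != "open") continue
            v = f[7]; if (v != "") v = " " v      # version may be empty (e.g. Elite?)
            printf "%s %s %s%s\n", ip, f[1], f[5], v
        }
    }'
}

# count_open FILE: number of open ports, as a quick sanity check against
# what Threader3000 reported before the nmap run
count_open() {
    open_services "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" != "" ]; then          # real use: ./summarise.sh 10.10.240.210.gnmap
    open_services "$1"
else                                 # demo run on the constructed sample
    tmp=$(mktemp); write_sample "$tmp"; open_services "$tmp"; rm -f "$tmp"
fi
```

Run it against the real 10.10.240.210.gnmap after the scan to get the same three-line summary the screenshot shows, without scrolling through the script output.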

After running the scan, we were shown the results in the screenshot below.

nmap scan results

As you can see above, the nmap scan has returned a few interesting results. Ports 22 and 2222 are both ssh ports, and the version is described in the VERSION column on the right. More interestingly, our open port on 31337 is running a service that nmap guesses is called “Elite?”, and has some really interesting information attached to it: conveniently a line that says “In case I forget — user:pass” and then another line below it with a username and password. I have omitted the actual username and password for you to discover by yourself. As the only other ports are ssh ports, my next step was to try these credentials to gain access to the machine, as shown in the screenshot below.

SSH into the machine

Success! We have access to the machine. All that is left is for us to do some enumeration of the machine itself, to see if we can find the flag.

Enumerating to find the flag

Although there was nothing of interest in the Ubuntu home directory, a quick directory change showed a user directory, and having a look in there showed me a flag.txt file. We had permissions here, so it was as simple as opening the flag file and we were done!

As I said at the start, this was a quick and simple CTF, however it does require a solid knowledge of nmap so you know how to get the right information during the enumeration phase. Using Threader3000 simplifies this, however I would make sure you understand exactly what the nmap command is doing so you understand what is happening behind the scenes no matter what tools you are using.

I hope you enjoyed this room, and I hope I could help if you needed it. Until next time.

Cheers!
