TryHackMe(THM): Nmap-Writeup

This logo looks like a secret society logo.

Hi Guys! Today I’m going to write a Writeup for Try Hack Me.
I’m on the Learning Paths of a COMPLETE BEGINNER.
The targeted room is Nmap.

Task1 Introduction to Port Scanning

1 What networking constructs are used to direct traffic to the right application on a server?

ports

I wasted my time because I didn’t understand the meaning of this riddle.:p

2 How many of these are available on any network-enabled computer?

65535

3 [Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)

1024

Task2 Deploy!

1 Deploy the machine!

no answer

Task3 Nmap Quiz

1 First, how do you access the help menu?

-h

The answer was as shown.

2 Often referred to as a stealth scan, what is the first switch listed for a ‘Syn Scan’?

-sS

This option makes it difficult for the target machine to keep logs.

3 Not quite as useful but how about a ‘UDP Scan’?

-sU

Use this option to send UDP packets to the targeted port.
If it is open, nothing is returned.
If closed, ICMP port unreachable will be returned.
UDP does not guarantee access to the target machine, and there is a possibility that ICMP packets may be lost on the way.

4 What about operating system detection?

-O

Note that it is in uppercase.

5 How about service version detection?

-sV

6 Most people like to see some output to know that their scan is actually doing things, what is the verbosity flag?

-v

This option makes it easy to see the progress of the scan.

7 What about ‘very verbose’? (A personal favorite)

-vV

This was not available in my environment.why?

8 Sometimes saving output in a common document format can be really handy for reporting, how do we save output in xml format?

-oX

9 Aggressive scans can be nice when other scans just aren’t getting the output that you want and you really don’t care how ‘loud’ you are, what is the switch for enabling this?

-A

10 How do I set the timing to the max level, sometimes called ‘Insane’?

-T5

11 What about if I want to scan a specific port?

-p

12 How about if I want to scan every port?

-p-

13 What if I want to enable using a script from the nmap scripting engine? For this, just include the first part of the switch without the specification of what script to run.

-- script

I didn’t know.

14 What if I want to run all scripts out of the vulnerability category?

-- script vuln

15 What switch should I include if I don’t want to ping the host?

-Pn

Task4 Nmap Scanning

1 Let’s go ahead and start with the basics and perform a syn scan on the box provided. What will this command be without the host IP address?

nmap -sS

2 After scanning this, how many ports do we find open under 1000?

Execute a command

hoge@kali:~$ sudo nmap -sS $IP
[sudo] password for hoge:
Starting Nmap 7.91 ( https://nmap.org ) at 2020–11–01 13:46 JST
Nmap scan report for 10.10.130.120
Host is up (0.41s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 3.69 seconds

answer is

2

3 What communication protocol is given for these ports following the port number?

TCP

4 Perform a service version detection scan, what is the version of the software running on port 22?

Execute a command

hoge@kali:~$ nmap -p 22 -sV $IP
Starting Nmap 7.91 ( https://nmap.org ) at 2020–11–01 13:49 JST
Nmap scan report for 10.10.130.120
Host is up (0.40s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.10 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.45 seconds

answer is

6.6.1p1

5 Perform an aggressive scan, what flag isn’t set under the results for port 80?

Execute a command

hoge@kali:~$ nmap -A $IP
Starting Nmap 7.91 ( https://nmap.org ) at 2020–11–01 13:52 JST
Nmap scan report for 10.10.130.120
Host is up (0.40s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 78:70:b8:4d:0d:26:e4:16:2e:f7:cd:f0:a1:81:ef:8f (DSA)
| 2048 45:0d:0b:f1:44:77:58:f8:ff:7d:b5:7f:d2:a2:33:bc (RSA)
| 256 85:e9:ec:67:7f:0a:94:f9:f2:d7:c0:18:1d:7e:e9:6d (ECDSA)
|_ 256 20:b3:f1:82:8d:35:de:33:c1:0c:08:35:b5:fc:c9:2b (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-title: Login :: Damn Vulnerable Web Application (DVWA) v1.10 *Develop…
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.63 seconds

answer is

httponly

6 Perform a script scan of vulnerabilities associated with this box, what denial of service (DOS) attack is this box susceptible to? Answer with the name for the vulnerability that is given as the section title in the scan output. A vuln scan can take a while to complete. In case you get stuck, the answer for this question has been provided in the hint, however, it’s good to still run this scan and get used to using it as it can be invaluable.

hoge@kali:~$ nmap - script vuln -sV 10.4.16.12
Starting Nmap 7.91 ( https://nmap.org ) at 2020–11–02 17:40 JST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011–1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.4.16.12
Host is up (0.00025s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.3p1 Debian 1 (protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:8.3p1:
| CVE-2020–15778 6.8 https://vulners.com/cve/CVE-2020-15778
|_ CVE-2020–14145 4.3 https://vulners.com/cve/CVE-2020-14145
111/tcp open rpcbind 2–4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
3000/tcp open http Node.js Express framework
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.4.16.12
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.4.16.12:3000/features
| Form id: output
|_ Form action: #
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /status/: Potentially interesting folder
| http-fileupload-exploiter:
|
| Couldn't find a file-type field.
|
| Couldn't find a file-type field.
|
| Couldn't find a file-type field.
|
| Couldn't find a file-type field.
|
| Couldn't find a file-type field.
|
| Couldn't find a file-type field.
|
|_ Couldn't find a file-type field.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007–6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009–09–17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007–6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
9080/tcp open http nginx
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017–1001000: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 189.23 seconds

I’ve tried it several times, but the results of the script may be different. I don’t know the cause.

answer is

http-slowloris-check

Thank you for reading!

I’m a Japanese high school student.I’m interested in hacking. I will be a super hacker like “Spooky”, who I respect the most. I have to study hacking for that.