
Walkthrough: Intermediate Nmap - TryHackMe.
06/05/2024
You’ve learned some great nmap skills! Now can you combine that with other skills with netcat and protocols, to log in to this machine and find the flag? This VM MACHINE_IP is listening on a high port, and if you connect to it it may give you some information you can use to connect to a lower port commonly used for remote access!
First I looked for open ports:
┌──(kali㉿kali)-[~/Documents]
└─$ nmap -sT 10.10.250.39 -vv
Those were:
PORT      STATE SERVICE      REASON
22/tcp    open  ssh          syn-ack
2222/tcp  open  EtherNetIP-1 syn-ack
31337/tcp open  Elite        syn-ack
Then, since I’ve recently learnt about nmap scripts, I first decided to try:
┌──(kali㉿kali)-[~/Documents]
└─$ nmap -p 22 10.10.250.39 --script ssh-brute
but wasn’t able to get the credentials this way.
So I followed the instructions and interacted with the 31337 TCP port with netcat:
netcat -n 10.10.250.39 31337
which resulted in:
In case I forget - user
ubuntu !!/str0ng
With these credentials I was able to log in via ssh:
┌──(kali㉿kali)-[~/Documents]
└─$ ssh ubuntu@10.10.250.39
and navigate to the flag.txt file.
