Walkthrough of an initial enumeration of a Windows machine.
Challenge Questions
We can answer most of the questions after a somewhat more sophisticated Nmap scan, but I'll present other routes as well.
What is the highest port number being open less than 10,000?
There is an open port outside the common 1000 ports; it is above 10,000. What is it?
How many TCP ports are open?
What is the flag hidden in the HTTP server header?
What is the version of the FTP server listening on a non-standard port?
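The first four questions are all answered from the scan results, so the example below (added here, not part of the original writeup) parses Nmap's grepable output (the -oG format) and pulls out the open TCP port count, the highest open port below 10,000 and any open ports above it. The scan line it works on is constructed; its port numbers are placeholders, not the challenge machine's.

```python
"""Summarise open TCP ports from Nmap grepable (-oG) output.

Added example, not from the original writeup. SAMPLE_GREPABLE is a constructed
scan line with placeholder ports; it is not the challenge target's result.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of one -oG host line (fields are tab separated).
SAMPLE_GREPABLE = (
    "Host: 10.0.0.1 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, "
    "135/open/tcp//msrpc///, 9999/open/tcp//abyss///, 10021/open/tcp//ftp?///, "
    "445/filtered/tcp//microsoft-ds///\tIgnored State: closed (994)\n"
)

# One port entry looks like: <port>/<state>/<proto>//<service>///
PORT_FIELD = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, state, protocol, service) tuples for every port entry."""
    results = []
    for line in text.splitlines():
        if "Ports:" not in line:
            continue
        # Keep only the Ports field; drop the trailing "Ignored State" field.
        ports_part = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_FIELD.finditer(ports_part):
            results.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return results


def open_tcp_ports(entries: List[Tuple[int, str, str, str]]) -> List[int]:
    """Sorted list of ports whose state is exactly 'open' on TCP."""
    return sorted(p for p, state, proto, _ in entries
                  if state == "open" and proto == "tcp")


def summarise(text: str) -> Dict[str, object]:
    """Answer the three port questions from a block of -oG output."""
    ports = open_tcp_ports(parse_grepable(text))
    below = [p for p in ports if p < 10000]
    above = [p for p in ports if p > 10000]
    return {
        "open_tcp_count": len(ports),
        "highest_below_10000": max(below) if below else None,
        "above_10000": above,
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_GREPABLE))
```

Note that a filtered port is not counted as open; Nmap's own "how many ports are open" answer is the count of ports in the open state only, and the parser mirrors that.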
Alternatively, we can retrieve the HTTP server header with telnet.
As a last resort, curl returns it as well.
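Whether the response comes from telnet or curl, what matters is reading the Server header out of it. The example below (added here, not from the original writeup) parses a raw HTTP response the way you would read a telnet session, and also wraps a HEAD request with the standard library for convenience. The response bytes are constructed, the flag value in them is a placeholder, and the host and port passed to fetch_server_header are assumptions.

```python
"""Extract the Server header from an HTTP response.

Added example, not from the original writeup. SAMPLE_RESPONSE is constructed
and its flag value is a placeholder; host/port in fetch_server_header are
placeholders too.
"""
import http.client
from typing import Dict, Optional

# Constructed raw response, as it would appear in a telnet session.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: FLAG{placeholder-not-the-real-flag}\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lower-cased dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: Dict[str, str] = {}
    for line in lines[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def server_header(raw: bytes) -> Optional[str]:
    """Return the Server header value, or None if the response has none."""
    return parse_headers(raw).get("server")


def fetch_server_header(host: str, port: int = 80, timeout: float = 5.0) -> Optional[str]:
    """Send HEAD / to a live host and return its Server header (curl -I equivalent)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()


if __name__ == "__main__":
    print(server_header(SAMPLE_RESPONSE))
    # fetch_server_header("TARGET_IP_PLACEHOLDER", 80)  # live request, host is a placeholder
```

Header names are case-insensitive, which is why the parser lower-cases them before lookup; a server that sends "server:" in lower case is still matched.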
The next question is answered with the Hydra password cracker, specifying the non-standard FTP port in use.
We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?
The final question is completed by browsing to the machine in the browser and running an Nmap TCP Null scan. This is the least obtrusive type of Nmap scan: the probe carries no TCP flags at all. The target is puzzled by such a packet and does not reply, and that silence is the indication that the port is open. If the target responds with a reset (RST) packet, the port is closed on the device.
What is the flag?
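Seen from the target's side, a Null scan is a run of flagless TCP segments from one source to many ports, and the only replies are RSTs from closed ports. The example below (added here, not from the original writeup) flags that pattern in a simple packet log and interprets the target's reply the way Nmap reports it: RST means closed, and no reply is reported as open|filtered, which is the state the writeup reads as open. The packet records are constructed.

```python
"""Spot TCP Null-scan traffic in a packet log and interpret probe replies.

Added example, not from the original writeup. SAMPLE_PACKETS is constructed
traffic using documentation addresses; the detection threshold is an assumption.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional


class TcpPkt(NamedTuple):
    src: str
    dst: str
    dport: int
    flags: str      # TCP flag letters, e.g. "S", "SA", "R"; "" means no flags set


# Constructed sample: one host probes five ports with no flags set, a second
# host opens an ordinary SYN connection, and the target answers one probe
# with RST (that port is closed).
SAMPLE_PACKETS = [
    TcpPkt("192.0.2.10", "192.0.2.50", 21, ""),
    TcpPkt("192.0.2.10", "192.0.2.50", 22, ""),
    TcpPkt("192.0.2.10", "192.0.2.50", 80, ""),
    TcpPkt("192.0.2.10", "192.0.2.50", 443, ""),
    TcpPkt("192.0.2.10", "192.0.2.50", 8080, ""),
    TcpPkt("192.0.2.20", "192.0.2.50", 80, "S"),
    TcpPkt("192.0.2.50", "192.0.2.10", 22, "R"),
]


def null_scan_sources(packets: Iterable[TcpPkt], threshold: int = 3) -> Dict[str, List[int]]:
    """Map each source that sent flagless segments to >= threshold distinct ports.

    A legitimate TCP stack never emits a segment with no flags, so even a
    low threshold is a strong signal; 3 is an assumed value.
    """
    ports_by_src: Dict[str, set] = defaultdict(set)
    for p in packets:
        if p.flags == "":
            ports_by_src[p.src].add(p.dport)
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= threshold}


def classify_probe_reply(reply_flags: Optional[str]) -> str:
    """Interpret the target's answer to a Null probe as Nmap reports it."""
    if reply_flags is None:
        return "open|filtered"      # silence: open, or a firewall dropped the probe
    if "R" in reply_flags:
        return "closed"             # RST: the port is closed on the device
    return "unexpected"             # anything else is not RFC-conformant behaviour


if __name__ == "__main__":
    print(null_scan_sources(SAMPLE_PACKETS))
    print(classify_probe_reply(None), classify_probe_reply("R"))
```

The open|filtered result is why Nmap's Null scan cannot distinguish an open port from one behind a firewall that silently drops probes; the RST reply is the only definite answer it gets.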
Thanks for reading and as always, any feedback is most welcome.