nmap - Evasion Lab - Hard - htb
Firewall and IDS/IPS Evasion - Hard Lab
With our second test's help, our client was able to gain new insights and sent one of its administrators to a training course for IDS/IPS systems. As our client told us, the training would last one week. Now the administrator has taken all the necessary precautions and wants us to test this again because specific services must be changed, and the communication for the provided software had to be modified.
Questions
Answer the question(s) below to complete this Section and earn cubes!
Target: 10.129.2.47
Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
Answer: HTB{kjnsdf2n982n1827eh76238s98di1w6}
Ok, so unlike the first lab we do not know which service is running, whether it uses TCP or UDP, or even a port range on the target. So let us start with a full port scan while still trying to stay stealthy and avoid detection.
(FYI, go do something else while this runs; it's going to take some time)
$ sudo nmap -p- -sS -T 2 10.129.2.47 | tee Documents/htb/labs/nmap/results/hard-lab-init
[sudo] password for cscogin:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-24 13:44 CST
...
...
...Some time later
That took a little too long, so let's run a faster, more aggressive scan to cut down on time and see if it works.
$ sudo nmap --source-port 53 -p- -sS 10.129.2.47 --disable-arp-ping --packet-trace | tee Documents/htb/labs/nmap/results/hard-lab-init
...
...
...
SENT (26.5597s) TCP 10.10.15.56:53 > 10.129.2.47:43 S ttl=53 id=54440 iplen=44 seq=1144289446 win=1024 <mss 1460>
SENT (26.5643s) TCP 10.10.15.56:53 > 10.129.2.47:58 S ttl=41 id=37887 iplen=44 seq=1144289446 win=1024 <mss 1460>
SENT (26.5735s) TCP 10.10.15.56:53 > 10.129.2.47:197 S ttl=37 id=25433 iplen=44 seq=1144289446 win=1024 <mss 1460>
SENT (26.5735s) TCP 10.10.15.56:53 > 10.129.2.47:944 S ttl=37 id=33701 iplen=44 seq=1144289446 win=1024 <mss 1460>
Nmap scan report for 10.129.2.47
Host is up (0.050s latency).
Not shown: 64562 closed tcp ports (reset), 970 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
50000/tcp open ibm-db2
Nmap done: 1 IP address (1 host up) scanned in 26.77 seconds
Cool, we see a new service on 50000/tcp (labelled ibm-db2 by nmap) that seems to answer because our probes were sourced from port 53, the DNS port. Let's fire up good ole nc (netcat) and connect using that same source port.
$ sudo nc -nvp 53 10.129.2.47 50000
(UNKNOWN) [10.129.2.47] 50000 (?) open
220 HTB{kjnsdf2n982n1827eh76238s98di1w6}
And voilà, the service returns data!
Finally we can submit the flag and officially wrap up the HTB Academy nmap training module.
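From the defender's side, the tell-tale of this trick is a host sending bare SYNs from a "trusted" source port like 53 to lots of different destination ports, which is exactly what the --packet-trace lines above show. As an added example (not part of the original write-up or of nmap), here is a small Python parser for that trace format with a detector on top; the trace lines are constructed sample input mirroring the scan above, and the trusted-port set and threshold are assumptions.

```python
import re
from collections import defaultdict

# Matches the SENT/RCVD lines nmap prints with --packet-trace (format seen in the scan above).
TRACE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)"
)

# Source ports a naive firewall rule might allow inbound because they look like replies
# from a trusted service (DNS on 53, FTP-DATA on 20). Assumed for this example.
TRUSTED_SOURCE_PORTS = {20, 53}

# Constructed sample input, mirroring the trace lines from the scan above, plus one probe
# from an ephemeral port (what a scan without --source-port sends) and one reply packet.
SAMPLE_TRACE = """\
SENT (26.5597s) TCP 10.10.15.56:53 > 10.129.2.47:43 S ttl=53 id=54440 iplen=44 seq=1144289446 win=1024 <mss 1460>
SENT (26.5643s) TCP 10.10.15.56:53 > 10.129.2.47:58 S ttl=41 id=37887 iplen=44 seq=1144289446 win=1024 <mss 1460>
SENT (26.5735s) TCP 10.10.15.56:53 > 10.129.2.47:197 S ttl=37 id=25433 iplen=44 seq=1144289446 win=1024 <mss 1460>
SENT (26.5735s) TCP 10.10.15.56:53 > 10.129.2.47:944 S ttl=37 id=33701 iplen=44 seq=1144289446 win=1024 <mss 1460>
SENT (26.5801s) TCP 10.10.15.56:44123 > 10.129.2.47:80 S ttl=55 id=10001 iplen=44 seq=1144289446 win=1024 <mss 1460>
RCVD (26.6120s) TCP 10.129.2.47:50000 > 10.10.15.56:53 SA ttl=63 id=0 iplen=44 seq=1 win=64240 <mss 1460>
"""

def parse_trace(lines):
    """Yield one dict per TCP SENT/RCVD line; lines in any other format are skipped."""
    for line in lines:
        m = TRACE_RE.match(line.strip())
        if m:
            yield {"dir": m["dir"], "src": m["src"], "sport": int(m["sport"]),
                   "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]}

def detect_source_port_scan(lines, min_ports=3):
    """Return {(src_ip, sport, dst_ip): [dports]} for senders that issue bare SYNs
    from a trusted source port to at least min_ports distinct destination ports.
    A genuine DNS reply is never a bare SYN, and a real client does not fan out like this."""
    seen = defaultdict(set)
    for pkt in parse_trace(lines):
        if pkt["dir"] == "SENT" and pkt["flags"] == "S" and pkt["sport"] in TRUSTED_SOURCE_PORTS:
            seen[(pkt["src"], pkt["sport"], pkt["dst"])].add(pkt["dport"])
    return {key: sorted(ports) for key, ports in seen.items() if len(ports) >= min_ports}

if __name__ == "__main__":
    for (src, sport, dst), ports in detect_source_port_scan(SAMPLE_TRACE.splitlines()).items():
        print(f"{src}:{sport} -> {dst} probed {len(ports)} ports from a trusted source port: {ports}")
```

On a real network you would feed the same logic firewall or flow records rather than nmap's own trace; the fix on the firewall side is to stop allowing inbound traffic on source port alone and match on connection state instead.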