nmap lab - scripting engine - htb

Questions

Answer the question(s) below to complete this Section and earn cubes!

Target: 10.129.168.221

Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.

Answer: HTB{873nniuc71bu6usbs1i96as6dsv26}

$ sudo nmap -v -sC -p22,80,110,139,143,445,31337 10.129.168.221
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-24 08:02 CST
NSE: Loaded 126 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:02
Completed NSE at 08:02, 0.00s elapsed
Initiating NSE at 08:02
Completed NSE at 08:02, 0.00s elapsed
Initiating Ping Scan at 08:02
Scanning 10.129.168.221 [4 ports]
Completed Ping Scan at 08:02, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:02
Completed Parallel DNS resolution of 1 host. at 08:02, 1.11s elapsed
Initiating SYN Stealth Scan at 08:02
Scanning 10.129.168.221 [7 ports]
Discovered open port 143/tcp on 10.129.168.221
Discovered open port 445/tcp on 10.129.168.221
Discovered open port 139/tcp on 10.129.168.221
Discovered open port 31337/tcp on 10.129.168.221
Discovered open port 110/tcp on 10.129.168.221
Discovered open port 80/tcp on 10.129.168.221
Discovered open port 22/tcp on 10.129.168.221
Completed SYN Stealth Scan at 08:02, 0.11s elapsed (7 total ports)
NSE: Script scanning 10.129.168.221.
Initiating NSE at 08:02
Completed NSE at 08:03, 45.47s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Nmap scan report for 10.129.168.221
Host is up (0.055s latency).

PORT      STATE SERVICE
22/tcp    open  ssh
| ssh-hostkey:
|   2048 71:c1:89:90:7f:fd:4f:60:e0:54:f3:85:e6:35:6c:2b (RSA)
|   256 e1:8e:53:18:42:af:2a:de:c0:12:1e:2e:54:06:4f:70 (ECDSA)
|_  256 1a:cc:ac:d4:94:5c:d6:1d:71:e7:39:de:14:27:3c:3c (ED25519)
80/tcp    open  http
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
110/tcp   open  pop3
|_pop3-capabilities: PIPELINING TOP UIDL AUTH-RESP-CODE SASL CAPA RESP-CODES
139/tcp   open  netbios-ssn
143/tcp   open  imap
|_imap-capabilities: Pre-login LOGIN-REFERRALS IMAP4rev1 OK listed LOGINDISABLEDA0001 SASL-IR have post-login more LITERAL+ ENABLE ID IDLE capabilities
445/tcp   open  microsoft-ds
31337/tcp open  Elite

Host script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: nix-nmap-default
|   NetBIOS computer name: NIX-NMAP-DEFAULT\x00
|   Domain name: \x00
|   FQDN: nix-nmap-default
|_  System time: 2023-11-25T23:51:19+01:00
|_clock-skew: mean: 1d08h28m42s, deviation: 34m38s, median: 1d08h48m41s
| nbstat: NetBIOS name: NIX-NMAP-DEFAUL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   NIX-NMAP-DEFAUL<00>  Flags: <unique><active>
|   NIX-NMAP-DEFAUL<03>  Flags: <unique><active>
|   NIX-NMAP-DEFAUL<20>  Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb2-time:
|   date: 2023-11-25T22:51:19
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

NSE: Script Post-scanning.
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 47.18 seconds
           Raw packets sent: 11 (460B) | Rcvd: 8 (336B)

So using the default script flag, -sC, only got us so far; time to crank it up a notch.

Let's try running a category instead of the default scripts.

I'll admit this was a bit trial and error, but also a learning experience, as it ultimately helped me understand more than one category of scripts that run. Prior to the scan below I ran --script discovery on each port to run a shorter enumeration process. After that category did not work I started running the vuln category, and only after the second search on port 80 can we see that the answer to the question is viewable.

Well would you look at that...a robots.txt file. Shall we???
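Since the lesson of this lab is that -sC leaves several open ports (139, 445, 31337 here) with no script output at all, and that the next step is a per-port category scan, here is an added example (my own code, not part of the HTB lab or of nmap) that parses nmap's normal output, the same layout printed above, lists the open ports that got no script results, and surfaces the SMB signing posture that smb-security-mode and smb2-security-mode reported. The sample scan text is a constructed, abridged copy of the output above; the only assumption is the normal-output layout itself (a PORT/STATE/SERVICE table, "| " and "|_" script lines, an optional "Host script results:" block).

```python
"""Parse nmap normal output (what -sC prints to the terminal) into a
structure that can be triaged automatically. Added example; not the HTB
lab's or nmap's own code. Assumes only the normal-output layout shown in
the scan above."""
import re

# Constructed sample: an abridged copy of the -sC output printed above.
SAMPLE = """\
PORT      STATE SERVICE
22/tcp    open  ssh
| ssh-hostkey:
|   2048 71:c1:89:90:7f:fd:4f:60:e0:54:f3:85:e6:35:6c:2b (RSA)
|   256 e1:8e:53:18:42:af:2a:de:c0:12:1e:2e:54:06:4f:70 (ECDSA)
|_  256 1a:cc:ac:d4:94:5c:d6:1d:71:e7:39:de:14:27:3c:3c (ED25519)
80/tcp    open  http
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
31337/tcp open  Elite

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
HEADER_RE = re.compile(r"^([A-Za-z0-9_.-]+):\s*(.*)$")


def parse_nmap(text):
    """Return {"ports": [...], "host_scripts": {...}}.

    Each port is {"port", "proto", "state", "service", "scripts"}; every
    "scripts" value maps script name -> list of output lines."""
    ports, host_scripts = [], {}
    target = None   # dict currently receiving script output
    script = None   # name of the script block being filled
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = {"port": int(m.group(1)), "proto": m.group(2),
                    "state": m.group(3), "service": m.group(4), "scripts": {}}
            ports.append(port)
            target, script = port["scripts"], None
            continue
        if line.startswith("Host script results:"):
            target, script = host_scripts, None
            continue
        if not line.startswith("|") or target is None:
            continue
        body = line[1:]
        if body.startswith("_"):          # "|_" marks the last line of a block
            body = body[1:]
        stripped = body.lstrip(" ")
        indent = len(body) - len(stripped)
        # A header is "| name:" (one space) or "|_name: value" (no space);
        # anything indented further is a continuation line of the block.
        h = HEADER_RE.match(stripped) if indent <= 1 else None
        if h:
            script = h.group(1)
            target[script] = [h.group(2)] if h.group(2) else []
        elif script is not None:
            target[script].append(stripped)
    return {"ports": ports, "host_scripts": host_scripts}


def open_ports(scan):
    return sorted(p["port"] for p in scan["ports"] if p["state"] == "open")


def ports_without_script_output(scan):
    """Open ports -sC said nothing about: the candidates for a per-port
    category scan (--script discovery, --script vuln) as in the write-up."""
    return [p["port"] for p in scan["ports"]
            if p["state"] == "open" and not p["scripts"]]


def smb_signing_findings(scan):
    """Surface the SMB signing posture from the host scripts; unsigned SMB is
    a long-standing relay risk, so a defender wants it flagged explicitly."""
    findings = []
    hs = scan["host_scripts"]
    for line in hs.get("smb-security-mode", []):
        if line.startswith("message_signing:") and "disabled" in line:
            findings.append("SMB1 " + line)
    for line in hs.get("smb2-security-mode", []):
        if "not required" in line:
            findings.append("SMB2/3 signing " + line.lower())
    return findings


if __name__ == "__main__":
    scan = parse_nmap(SAMPLE)
    print("open ports:", open_ports(scan))
    print("no script output:", ports_without_script_output(scan))
    for f in smb_signing_findings(scan):
        print("finding:", f)
```

Feed it the saved output of a real scan (nmap -oN scan.txt ...) instead of SAMPLE and the "no script output" list is exactly the set of ports worth a --script discovery or --script vuln pass; for anything beyond a quick triage, nmap's XML output (-oX) is the more robust thing to parse.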
