Use your baseline scanning skills to enumerate a secure network.
I'm going to explain how I completed this room, step by step; it's very easy.
Note that there are different ways to solve this room.
Tools you need for this room:
- Nmap
- Gobuster
- Nikto
- Wpscan
So let's go!
- What is the version of the Apache server?
For this answer you need to use Nmap. -p- scans all 65535 TCP ports, -A turns on version detection, default scripts, OS detection and traceroute, and -T5 is the fastest timing template (it can miss ports on a slow link, so fall back to -T4 if something seems missing):
nmap -A -p- yourmachineIP -T5
Answer : 2.4.41
- What is the port number of the FTP service?
Again, for this question we refer to our previous Nmap scan.
Answer : 1338
- What is the FQDN for the website hosted using a self-signed certificate and contains critical server information as the homepage?
The same Nmap scan gives us this answer: the SSL certificate details it reports include the hostname.
Answer : dev.probe.thm
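Questions 1 to 3 are all read off the same Nmap scan. Rather than scrolling through the -A output, a practitioner usually saves the scan with -oX and queries it. The following is an added example (not part of the original write-up): a small parser for Nmap's XML output that pulls out product versions, the port a service runs on, and the certificate subject that Nmap's ssl-cert script records. The embedded XML is a constructed, trimmed sample in the real -oX layout; the host address, the product on port 8000 and the certificate e-mail are placeholders, not values from the room.

```python
"""Query an Nmap -oX file for service versions, ports and TLS certificate subjects.

Added example, not from the original write-up. SAMPLE_NMAP_XML is constructed:
its shape follows nmap -oX, but the address, the port-8000 product and the
certificate e-mail are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample scan (illustrative values only).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -p- -oX scan.xml 10.10.0.1" version="7.94">
<host><status state="up"/>
<address addr="10.10.0.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="lighttpd" version="1.4.55" method="probed" conf="10"/></port>
<port protocol="tcp" portid="1338"><state state="open" reason="syn-ack"/>
  <service name="ftp" method="probed" conf="10"/></port>
<port protocol="tcp" portid="1443"><state state="open" reason="syn-ack"/>
  <service name="http" product="Apache httpd" version="2.4.41" tunnel="ssl" method="probed" conf="10"/>
  <script id="ssl-cert" output="Subject: commonName=dev.probe.thm">
    <table key="subject"><elem key="commonName">dev.probe.thm</elem>
      <elem key="emailAddress">placeholder@example.invalid</elem></table>
  </script></port>
<port protocol="tcp" portid="8000"><state state="open" reason="syn-ack"/>
  <service name="http" product="Apache httpd" version="2.4.41" method="probed" conf="10"/></port>
</ports></host></nmaprun>
"""


def parse_ports(xml_text):
    """Return one dict per open port: number, protocol, service name, product,
    version, tunnel, and the structured subject of any ssl-cert script."""
    root = ET.fromstring(xml_text)
    ports = []
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue
        svc = port.find("service")
        entry = {
            "port": int(port.get("portid")),
            "proto": port.get("protocol"),
            "service": svc.get("name") if svc is not None else None,
            "product": svc.get("product") if svc is not None else None,
            "version": svc.get("version") if svc is not None else None,
            "tunnel": svc.get("tunnel") if svc is not None else None,
            "cert_subject": {},
        }
        # ssl-cert stores the certificate subject as <table key="subject"> with <elem> children
        for script in port.findall("script"):
            if script.get("id") != "ssl-cert":
                continue
            subject = script.find("table[@key='subject']")
            if subject is not None:
                entry["cert_subject"] = {e.get("key"): e.text for e in subject.findall("elem")}
        ports.append(entry)
    return ports


def ports_for_service(ports, name):
    """Q2-style lookup: which port(s) run a given service name?"""
    return [p["port"] for p in ports if p["service"] == name]


def product_versions(ports, product_prefix):
    """Q1-style lookup: the distinct version(s) Nmap reports for a product."""
    return sorted({p["version"] for p in ports
                   if p["product"] and p["product"].startswith(product_prefix) and p["version"]})


def cert_subjects(ports):
    """Q3/Q4-style lookup: certificate subject fields per TLS port."""
    return {p["port"]: p["cert_subject"] for p in ports if p["cert_subject"]}


if __name__ == "__main__":
    found = parse_ports(SAMPLE_NMAP_XML)
    print("Apache versions:", product_versions(found, "Apache"))
    print("FTP on ports:", ports_for_service(found, "ftp"))
    for port, subj in cert_subjects(found).items():
        print(f"port {port}: CN={subj.get('commonName')} email={subj.get('emailAddress')}")
```

Run the real scan with `-oX scan.xml` and feed the file contents to `parse_ports`; the same three lookups then answer questions 1 to 4 from one artifact you can keep as evidence.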
- What is the email address associated with the SSL certificate used to sign the website mentioned in Q3?
For this question we need to connect to port 1443, but read the Nmap scan carefully: it shows an SSL certificate on that port, so don't forget to type https:// in your address bar (the browser will warn about the self-signed certificate; accept it to continue).
https://yourmachineIP:1443
You will see the page; the e-mail address is in the certificate details:
Answer : [email protected]
- What is the value of the PHP Extension Build on the server?
You have the answer on the same page (PHP Extension Build is one of the rows of the phpinfo() page).
Answer : API20190902,NTS
- What is the banner for the FTP service?
For this question we can use Nmap again; remember the FTP server is running on port 1338 (see the scan from questions 1 and 2).
I'm going to use the Nmap Scripting Engine (NSE) with the banner script:
nmap --script=banner -p1338 yourmachineIP
Answer : THM{WELCOME_101113}
- What software is used for managing the database on the server?
So far we have only used Nmap; now we will use another tool, Gobuster:
gobuster dir -u http://yourmachineIP:8000 -w /usr/share/wordlists/dirb/big.txt
Gobuster finds a phpmyadmin directory, and if we open that URL in the browser we get the phpMyAdmin page:
Answer : phpmyadmin
- What is the Content Management System (CMS) hosted on the server?
We can use Nmap for this question:
nmap -A -p 9007 yourmachineIP
Answer : Wordpress
- What is the version number of the CMS hosted on the server?
You have the answer in the same scan output (Nmap's http-generator script reports the version from the page's generator meta tag).
Answer : 6.2.2
- What is the username for the admin panel of the CMS?
Now we will use another tool called WPScan (-e u enumerates users; --disable-tls-checks is needed because the site's certificate is not trusted):
wpscan --url https://yourmachineIP:9007 --disable-tls-checks -e u
Answer : Joomla
- During vulnerability scanning, OSVDB-3092 detects a file that may be used to identify the blogging site software. What is the name of the file?
Now we will use Nikto (-ssl because the site is served over HTTPS):
nikto -h yourmachineIP:9007 -ssl
Answer : license.txt
- What is the name of the software being used on the standard HTTP port?
You have the answer in the first Nmap scan.
Answer : Lighttpd
- What is the flag value associated with the web page hosted on port 8000?
When we connect to port 8000 we get an empty page,
so maybe we have to use Gobuster again to find a hidden directory.
gobuster dir -u http://yourmachineIP:8000 -w /usr/share/wordlists/dirb/big.txt
Let's look at the result: we have some hidden directories. Some return status 403, which means Forbidden (the path exists but the server refuses to serve it), and some return 301, a redirect (usually to the same path with a trailing slash, i.e. a real directory). Let's open the Contactus page.
Answer : THM{CONTACT_US_1100}
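The Gobuster runs above leave a very recognisable trace on the server side: one client requesting hundreds of wordlist paths in seconds, most answered with 404 or 403, often with the tool's name in the User-Agent. As an added, defender-side example (not part of the original write-up), here is a small detector over access-log lines in the Apache/lighttpd combined format. The log lines are constructed; the IPs, timestamps and the User-Agent strings are made up for the example, and the window and threshold values are assumptions to tune for your own traffic.

```python
"""Flag directory brute-forcing in a web server access log (combined format).

Added example, not from the original write-up. SAMPLE_LOG is constructed:
one ordinary visitor and one client walking a wordlist. The scanner
User-Agent hints are substrings these tools commonly send by default, but an
operator can change them, so the 404/403 rate is the primary signal.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCANNER_UA_HINTS = ("gobuster", "nikto", "wpscan", "nmap scripting engine")

# Constructed sample log (illustrative values only).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2023:14:02:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2023:14:02:03 +0000] "GET /contactus/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2023:14:05:10 +0000] "GET /.htaccess HTTP/1.1" 403 199 "-" "gobuster/3.5"
198.51.100.9 - - [10/Jul/2023:14:05:10 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.5"
198.51.100.9 - - [10/Jul/2023:14:05:10 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.5"
198.51.100.9 - - [10/Jul/2023:14:05:11 +0000] "GET /cgi-bin HTTP/1.1" 404 196 "-" "gobuster/3.5"
198.51.100.9 - - [10/Jul/2023:14:05:11 +0000] "GET /contactus HTTP/1.1" 301 0 "-" "gobuster/3.5"
198.51.100.9 - - [10/Jul/2023:14:05:11 +0000] "GET /phpmyadmin HTTP/1.1" 301 0 "-" "gobuster/3.5"
198.51.100.9 - - [10/Jul/2023:14:05:12 +0000] "GET /test HTTP/1.1" 404 196 "-" "gobuster/3.5"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        events.append(d)
    return events


def find_bruteforcers(events, window_seconds=60, min_misses=5):
    """Per client IP, find the peak number of 403/404 responses inside any
    sliding window of window_seconds; flag the client when that peak reaches
    min_misses or when any of its User-Agents names a known scanner."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        misses = [e["ts"] for e in evs if e["status"] in (403, 404)]
        peak, start = 0, 0
        for end in range(len(misses)):
            # shrink the window from the left until it spans <= window_seconds
            while (misses[end] - misses[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        ua_hit = any(h in e["ua"].lower() for e in evs for h in SCANNER_UA_HINTS)
        if peak >= min_misses or ua_hit:
            findings[ip] = {"peak_misses": peak, "scanner_ua": ua_hit, "requests": len(evs)}
    return findings


if __name__ == "__main__":
    for ip, info in find_bruteforcers(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['requests']} requests, peak {info['peak_misses']} misses/window, "
              f"scanner UA: {info['scanner_ua']}")
```

The 301 and 200 responses are deliberately not counted as misses: they are the hits an enumeration is after, and a real visitor produces them too. What separates a wordlist walk from normal browsing is the burst of misses, so that is the threshold to alert on, with the User-Agent as a cheap secondary signal.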
And that's it, we have finished this room, CONGRATULATIONS 😎 🥳
It was an easy room; I hope you learned something new and enjoyed it. Please give me a star on my GitHub.