DEV Community: madhiashabih

Network Enumeration with Nmap Walkthrough (Hack The Box)

madhiashabih — Fri, 05 Sep 2025 10:52:21 +0000

Walkthrough

Host Discovery

Based on the last result, find out which operating system it belongs to. Submit the name of the operating system as result.

$ sudo nmap <redacted-ip> -sn -oA host -PE --packet-trace --disable-arp-ping

Initially, I was confused about how to determine the operating system from the result. After some research, I learned that the time-to-live (TTL) value in an ICMP reply can give a strong indication.

Windows systems typically use an initial TTL of 128.
Linux/Unix systems typically use 64.
Some network devices use 255.

This clue helps narrow down the OS.

Host and Port Scanning

Find all TCP ports on your target. Submit the total number of found TCP ports as the answer.

sudo nmap -p- <redacted-ip>

The number of open TCP ports is the answer.

Enumerate the hostname of your target and submit it as the answer (case-sensitive).

At first, I wasn’t sure how to find the hostname. It turns out that running the -sC scan, which uses Nmap’s default scripts, reveals this information.

The -sC option runs a curated list of scripts that the Nmap authors consider useful, safe, and quick.

sudo nmap -sC <redacted-ip>

The hostname can be found in the smb-os-discovery result.

Saving the Results

Perform a full TCP port scan on your target and create an HTML report. Submit the number of the highest port as the answer.

sudo nmap <redacted-ip> -oX target.xml

To convert the XML into HTML:

xsltproc style.xsl target.xml > output.html

To render it directly in the terminal (Linux):

lynx output.html

Service Enumeration

Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.

sudo nmap -sV -p22,80,110,139,143,445,31337 <redacted-ip>

Nmap Scripting Engine

Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.

I followed the methods outlined in the module as a guide.

First attempt:

sudo nmap <redacted-ip> -p 80 -A

No useful result.

Second attempt:

sudo nmap <redacted-ip> -p 80 -sV --script vuln

This time, I saw an interesting reference to a robots.txt file.

curl http://<redacted-ip>/robots.txt

And there it was — the flag.

Firewall and IDS/IPS Evasion - Easy Lab

Our client wants to know if we can identify which operating system their machine is running. Submit the OS name as the answer.

We want to discover the OS quietly.

sudo nmap -O --disable-arp-ping -Pn <redacted-ip>

Since this is run as root, it defaults to an -sS (stealth) scan. No results were returned.

This strongly suggests a firewall is blocking our attempts. Since this was a quiet scan, there were 0 alerts triggered.

Next, I tried the method from the earlier exercise:

sudo nmap -sn -PE --packet-trace --disable-arp-ping <redacted-ip>

Again, I looked at the TTL values:

Windows = 128
Linux/Unix = 64
Network devices = 255

This revealed the OS is Linux.

Now, to learn the Linux distribution, I scanned for service versions:

sudo nmap -sV -p22,80,110,139,143,445,10001 --disable-arp-ping -Pn <redacted-ip>

Voila!

Firewall and IDS/IPS Evasion - Medium Lab

After transferring configurations, the client wants to know if it’s possible to find out the target’s DNS server version. Submit the DNS server version as the answer.

DNS typically runs on port 53.

sudo nmap -sV -p53 --disable-arp-ping -Pn <redacted-ip>

The port appeared closed. A closed port means our SYN packet received a RST + ACK response.

I then noticed the note:

To successfully solve the exercise, we must use the UDP protocol on the VPN.

So I retried with UDP:

sudo nmap -sUV -p53 --disable-arp-ping -n -Pn <redacted-ip>

Firewall and IDS/IPS Evasion - Hard Lab

The client now wants to know if it’s possible to identify the version of a specific running service. Submit the flag as the answer.

Hint: The client mentioned they had to add a service critical for handling large amounts of data.

First, I scanned to see what new services were present:

sudo nmap -sV -Pn --disable-arp-ping <redacted-ip>

I noticed Port 50000.

Next, I tried connecting with netcat:

ncat -nv --source-port 53 <redacted-ip> 50000

This failed locally on my ParrotOS terminal, so I switched to the Pwnbox. I initially hit a “permission denied” error, but running it with sudo worked:

sudo ncat -nv --source-port 53 <redacted-ip> 50000

Getting Started - Web Enumeration Walkthrough (Hack The Box) [Hindi]

madhiashabih — Wed, 30 Jul 2025 10:37:55 +0000

🛠 Getting Started - Web Enumeration Walkthrough (Hack The Box) [Hindi]:

💡 Question: Run some of the web enumeration techniques you learned in this section on the target server above. Use the information you find to get the flag!

मैं तेज़ और साफ़ चेक से शुरू करती हूँ। सबसे पहले, मैं यह कमांड चलाती हूँ:

whatweb <target IP>

जिससे वेब सर्वर की पहचान हो सके, फिर मैं विजिट करती हूँ:

http://<target IP>

पेज सामान्य सा लगता है, इसलिए मैं सोर्स देखती हूँ (CTRL+U)—फिर भी कोई उपयोगी जानकारी नहीं मिली।

फिर, मैं यह ट्राई करती हूँ:

curl <target IP>/robots.txt

और मुझे एक disallowed path मिलता है:

/admin-login-page.php

मैं वहां नेविगेट करती हूँ:

/admin-login-page.php

फिर से सोर्स कोड चेक करती हूँ—इस बार मुझे HTML कमेंट में क्रेडेंशियल्स मिलते हैं:

<!-- TODO: remove test credentials admin:password123 -->

उन क्रेडेंशियल्स का उपयोग कर, मैं लॉगिन करती हूँ और फ़्लैग हासिल करती हूँ।

Getting Started - Web Enumeration Walkthrough (Hack The Box) [Urdu]

madhiashabih — Wed, 30 Jul 2025 10:26:04 +0000

🛠 Getting Started - Web Enumeration Walkthrough (Hack The Box) [Urdu]

💡 Question: Run some of the web enumeration techniques you learned in this section on the target server above. Use the information you find to get the flag!

-میں واضح چیکس سے شروع کرتی ہوں۔ سب سے پہلے، میں یہ کمانڈ چلاتی ہوں

whatweb <target IP>

-تاکہ ویب سرور کی شناخت ہو سکے، پھر وزٹ کرتی ہوں

http://<target IP>

صفحہ کچھ خاص نہیں لگتا، اس لیے میں اس کا سورس کوڈ دیکھتی ہوں—پھر بھی کوئی فائدہ مند چیز نہیں ملتی

-اس کے بعد، میں یہ کوشش کرتی ہوں

curl <target IP>/robots.txt

-اور مجھے ایک ممنوعہ راستہ ملتا ہے

/admin-login-page.php

-میں وہاں جاتی ہوں

/admin-login-page.php

-پھر سے سورس کوڈ چیک کرتی ہوں—اس بار مجھے تفصیلات ملتی ہیں

<!-- TODO: remove test credentials admin:password123 -->

ان شناختی معلومات کا استعمال کر کے، میں لاگ ان کرتی ہوں اور جھنڈا حاصل کرتی ہوں۔

Getting Started - Web Enumeration Walkthrough (Hack The Box)

madhiashabih — Wed, 30 Jul 2025 09:45:07 +0000

🛠 Getting Started - Web Enumeration Walkthrough (Hack The Box):

> 💡 Question: Run some of the web enumeration techniques you learned in this section on the target server above. Use the information you find to get the flag!

I begin with quick, obvious checks. First, I run:

  whatweb <target IP>

to fingerprint the web server, then visit:

  http://<target IP>

The page seems uninteresting, so I view the source (CTRL+U)—still nothing useful.
Next, I try:

  curl <target IP>/robots.txt

and find a disallowed path:

  /admin-login-page.php

I navigate to:

  /admin-login-page.php

and check the source code again—this time I find credentials in an HTML comment:

  <!-- TODO: remove test credentials admin:password123 -->

Using those creds, I log in and grab the flag.

Mind Your Data

madhiashabih — Tue, 24 Jun 2025 11:16:31 +0000

They say data is the new oil — and as monetary transactions become increasingly virtual, I completed the IBM SkillsBuild Cybersecurity Fundamentals Certificate to share the key lessons I learned about staying private and safe.

The 100th time I clicked "Ignore" on that software update.

Does that software update on your phone keep annoying you? Software updates often include patches for security vulnerabilities — so it’s wise to regularly update your devices and applications.

You can even schedule updates while you’re asleep — just remember to stay connected to the internet.

Breach here, breach everywhere!

We all know to use long, complex passwords. But do we remember to use a different password for our bank account than we do for other sites?

If another account is breached, your finances will be better protected.

Virtually Permanent

Remember: everything you post online is virtually permanent.

Even small pieces of information can add credibility to a social engineering attack.

If something is too good to be true, it probably is.

You receive an email from a "representative of a lottery" congratulating you on winning a grand prize.

Or maybe a message from a bank asking you to update your password.

These are common examples of social engineering — where someone tries to trick you into giving up private information.

Don’t be afraid to challenge suspicious requests.

And remember: if something is too good to be true, it probably is.

Something phishy about this email? Here's how to spot it:

Were you expecting this email?
Is it from someone or a company you recognize?
Does it use a generic greeting instead of your name?
Does it contain poor grammar or spelling errors?
Does it create a false sense of urgency?
Is it asking for your password or bank details?

Tip:

Don’t click on links without verifying the URL.

Look for https:// and check for misspellings or unusual characters in the web address.

Principle of Least Privilege

This concept is often used in organizations to prevent cyberattacks, but it’s a useful mindset for everyone.

It simply means: give apps or users only the permissions they need.

For example:

I only enable location access when I actually need the app to use it.

Cybersecurity isn’t just for tech professionals — it’s for all of us.

Hopefully, these tips help you stay a little safer online.