DEV Community

Cover image for Advent of Cyber 2025: Day 7 Writeup Network Discovery - Scan-ta Clause | TryHackMe
Mahin Ahmad
Mahin Ahmad

Posted on

Advent of Cyber 2025: Day 7 Writeup Network Discovery - Scan-ta Clause | TryHackMe

#tryhackme #networking

Hellow! Lets get to it fast! πŸ‘‰ Room Link

You have to start the target machine. And if you dont have the openvpn in your own machine, start the attackbox too.

Today's learning objectives:

Learn the basics of network service discovery with Nmap
Learn core network protocols and concepts along the way
Apply your knowledge to find a way back into the server.

The plot is that our server access has been compromised and we now have to perform counter-attacks! We know the ip address, let's start scanning first.

In order to get into a house, we need to know where the door(or window) is. *Nmap lets us discover which ports(windows) are open and closed.
*

If you dont have nmap in your own (debian-based?) machine then sudo apt install nmap

nmap 10.48.157.85 searches most 1000 'popular' ports.

nmap -p- --script=banner 10.49.191.120 scans all 65535 ports possible!
Whats 'banner' here? Its a name of a script (usually Lua langauge). We can 'script scan' the network. Nmap already comes with some scripts such as 'banner' here. You can see the banner script outputs after every open port found:

Nmap script args output

Now we know that ftp is running in a 'non default' port of 21212

ftp ipadress 21212 then type login username 'anonymous'. This brings us into that machine and a shell. explore the file that contains a tryhackme flag.

Unlike the THM instructions, ls in my case is not running. But it works in THM Attackbox :/

THM Attackbox

get tbfc_qa_key1 - 'downloads' the file and forwards it to standard output so that we can see the contents in in the terminal.

Copy the key1 fragment, go to browser and type the target machine ip > Click unlock > paste the key1

Get the 2nd key from netcat(nc) command: nc -v ipaddress 25251
The 3rd key requires nmap scanning on the UDP ports, not the default TCP we scanned so far: nmap -sU ipaddress

nmap UDP scanning
UDP 53 port, which is a DNS port, is open. Use dig command to perform DNS queries: dig @ipaddress TXT key3.tbfc.local +short

After getting all 3 key fragments(easter_isthe_newxmas), we obtain access to the admin console.

admin console

Previously, we scanned for open ports with nmap, now we can just 'ask the os' to list open ports with ss command(socket statistics): ss -tulnp
mysql 3306 port is open. By default localhost access do not require authorization. THM page tells use which database to look for: mysql -D tbfcqa01 -e "select * from flags;"

To answer this question, "What evil message do you see on top of the website?", look at the top of the Target Machine webpage....

Top comments (0)