Nmap done: 1 IP address (1 host up) scanned in 13.49 seconds
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-05 05:20 UTC
Nmap scan report for target (172.15.18.117)
Host is up (0.00075s latency).
Not shown: 65505 closed ports
PORT STATE SERVICE VERSION
### welcome page (we solved)
80/tcp open http nginx 1.19.5
|_http-server-header: nginx/1.19.5
|_http-title: Metasploit CTF
### proxy. found a flag on a webserver that was only available through localhost (solved)
1080/tcp open socks5 (No authentication; connection failed)
| socks-auth-info:
|_ No authentication
### basic format string read flag out of memory (solved)
1337/tcp open waste?
| fingerprint-strings:
| GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| Welcome to the '9 of Clubs' service.
| -------------------------------
| Please choose an option:
| Send contact info
| Greetings
| Send feedback
| Exit
| Unknown option.
| Welcome to the '9 of Clubs' service.
| -------------------------------
| Please choose an option:
| Send contact info
| Greetings
| Send feedback
| Exit
| NULL:
| Welcome to the '9 of Clubs' service.
| -------------------------------
| Please choose an option:
| Send contact info
| Greetings
| Send feedback
|_ Exit
### Buffalo RE (we solved)
4545/tcp open http SimpleHTTPServer 0.6 (Python 3.8.5)
|_http-server-header: SimpleHTTP/0.6 Python/3.8.5
|_http-title: Directory listing for /
### simple dodge falling rocks game needs a bot (solved)
5555/tcp open telnet
| fingerprint-strings:
| NULL:
| [HSCORE: 0
| [HSCORE: 1
| [HSCORE: 2
| [HSCORE: 3
|_ [HSCORE: 4
### Photos5u flag was just in one of the "other user"'s files which are publicly open (solved)
6868/tcp open http WSGIServer 0.2 (Python 3.8.5)
|_http-server-header: WSGIServer/0.2 CPython/3.8.5
|_http-title: Photos5u
### comes up and lets you retrieve the flag once you beat 5555 game (solved)
7878/tcp open http SimpleHTTPServer 0.6 (Python 3.8.5)
|_http-server-header: SimpleHTTP/0.6 Python/3.8.5
|_http-title: Directory listing for /
### Guest -- guess other username (we solved)
8080/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
### vuln == in php (solved)
8092/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
### Make metasploit module
8101/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: 5 of Clubs Frontend
### we have the password hash, salt, and width/alphabet of the rest. hashcat saves the day: ihatesaltalot7 (solved)
8123/tcp open http WSGIServer 0.2 (Python 3.8.5)
|_http-server-header: WSGIServer/0.2 CPython/3.8.5
|_http-title: Salt Free Hashes
### Image upload (we solved)
8200/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Home
### redirects to vhost. says to use other subdomains, but what are they?
8201/tcp open http nginx 1.19.5
|_http-server-header: nginx/1.19.5
|_http-title: Did not follow redirect to http://intranet.metasploit.ctf:8201
### obfuscated graphql queries. "all posts" query not authenticated and leaks url to flag (solved)
8202/tcp open http nginx 1.19.5
|_http-server-header: nginx/1.19.5
|_http-title: Site doesn't have a title (text/html).
### Metasploit modules. Looks like something to do with the session cookie
8888/tcp open http Werkzeug httpd 1.0.1 (Python 3.8.5)
|_http-title: Home
### Game library (we solved)
9000/tcp open http WEBrick httpd 1.6.0 (Ruby 2.7.0 (2019-12-25))
|_http-server-header: WEBrick/1.6.0 (Ruby/2.7.0/2019-12-25)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
### Game reviews (we solved)
9001/tcp open http Thin httpd
|_http-server-header: thin
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
### Broken zip file (we solved)
9007/tcp open http Apache httpd 2.4.46 ((Unix))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Unix)
|_http-title: Index of /
### QOH(9010) server. if sent a GET from a browser, it returns 4 bytes (ACED0005) (solved)
9008/tcp open java-object Java Object Serialization
### admin/password /etc/ace_of_clubs.png owned by root setuid /opt/vpn_connect (solved)
9009/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4c:0f:d8:c5:a2:f1:54:f9:92:30:df:62:1f:52:e6:fe (RSA)
| 256 6e:b8:6f:94:e6:c0:2f:15:0c:80:71:32:cb:d0:2a:00 (ECDSA)
|_ 256 8a:55:03:98:8e:87:29:50:66:1a:57:4c:5b:10:a4:01 (ED25519)
### Jar file - wireshare protocol vuln (solved)
9010/tcp open http Apache httpd 2.4.38
| http-ls: Volume /
| SIZE TIME FILENAME
| 3.2K 2020-12-01 15:29 QOH_Client.jar
|_
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Index of /
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 0A:6C:D1:10:33:CD (Unknown)
Aggressive OS guesses: Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 3.4 - 3.10 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Synology DiskStation Manager 5.2-5644 (94%), Netgear RAIDiator 4.2.28 (94%), Linux 2.6.32 - 2.6.35 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: 172.17.0.15; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.75 ms target (172.15.18.117)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 245.48 seconds