path: root/docs/writeups/Metasploit_Community_CTF_2020/target_scan.txt
authorMalfurious <>2021-08-11 01:12:37 -0400
committerMalfurious <>2021-08-11 01:12:37 -0400
commitcaf24aa1eeded533824c01f7289ec3b7cdc84634 (patch)
tree46181ea4220587e7a815eccd609e5e1c57e33892 /docs/writeups/Metasploit_Community_CTF_2020/target_scan.txt
parentf6ef9b862e8b9826a834a58a286f0a99319bc00e (diff)
parent452ba0102dcc2674fa1323143c4849c628c7603d (diff)
Merge tag 'pull-duso-metasploit-writeups' of
Dusoleil's Writeups for the Metasploit Community CTF 2020

* tag 'pull-duso-metasploit-writeups' of Dusoleil's Writeups from Metasploit Community CTF 2020
Diffstat (limited to 'docs/writeups/Metasploit_Community_CTF_2020/target_scan.txt')
1 files changed, 240 insertions, 0 deletions
diff --git a/docs/writeups/Metasploit_Community_CTF_2020/target_scan.txt b/docs/writeups/Metasploit_Community_CTF_2020/target_scan.txt
new file mode 100644
index 0000000..353c6e3
--- /dev/null
+++ b/docs/writeups/Metasploit_Community_CTF_2020/target_scan.txt
@@ -0,0 +1,240 @@
+Nmap done: 1 IP address (1 host up) scanned in 13.49 seconds
+Starting Nmap 7.80 ( ) at 2020-12-05 05:20 UTC
+Nmap scan report for target (
+Host is up (0.00075s latency).
+Not shown: 65505 closed ports
+### welcome page (we solved)
+80/tcp open http nginx 1.19.5
+|_http-server-header: nginx/1.19.5
+|_http-title: Metasploit CTF
+## proxy. found a flag on a webserver that was only available through localhost (solved)
+1080/tcp open socks5 (No authentication; connection failed)
+| socks-auth-info:
+|_ No authentication
+### basic format string read flag out of memory (solved)
+1337/tcp open waste?
+| fingerprint-strings:
+| GenericLines, GetRequest, HTTPOptions, RTSPRequest:
+| Welcome to the '9 of Clubs' service.
+| -------------------------------
+| Please choose an option:
+| Send contact info
+| Greetings
+| Send feedback
+| Exit
+| Unknown option.
+| Welcome to the '9 of Clubs' service.
+| -------------------------------
+| Please choose an option:
+| Send contact info
+| Greetings
+| Send feedback
+| Exit
+| NULL:
+| Welcome to the '9 of Clubs' service.
+| -------------------------------
+| Please choose an option:
+| Send contact info
+| Greetings
+| Send feedback
+|_ Exit
+### Buffalo RE (we solved)
+4545/tcp open http SimpleHTTPServer 0.6 (Python 3.8.5)
+|_http-server-header: SimpleHTTP/0.6 Python/3.8.5
+|_http-title: Directory listing for /
+### simple dodge falling rocks game needs a bot (solved)
+5555/tcp open telnet
+| fingerprint-strings:
+| NULL:
+| [HSCORE: 0
+| [HSCORE: 1
+| [HSCORE: 2
+| [HSCORE: 3
+|_ [HSCORE: 4
+### Photos5u flag was just in one of the "other user"'s files which are publically open (solved)
+6868/tcp open http WSGIServer 0.2 (Python 3.8.5)
+|_http-server-header: WSGIServer/0.2 CPython/3.8.5
+|_http-title: Photos5u
+### comes up and lets you retrieve the flag once you beat 5555 game (solved)
+7878/tcp open http SimpleHTTPServer 0.6 (Python 3.8.5)
+|_http-server-header: SimpleHTTP/0.6 Python/3.8.5
+|_http-title: Directory listing for /
+### Guest -- guess other username (we solved)
+8080/tcp open http Apache httpd 2.4.38 ((Debian))
+|_http-open-proxy: Proxy might be redirecting requests
+|_http-server-header: Apache/2.4.38 (Debian)
+|_http-title: Site doesn't have a title (text/html).
+### vuln == in php (solved)
+8092/tcp open http Apache httpd 2.4.38 ((Debian))
+|_http-server-header: Apache/2.4.38 (Debian)
+|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
+### Make metasploit module
+8101/tcp open http Apache httpd 2.4.38 ((Debian))
+|_http-server-header: Apache/2.4.38 (Debian)
+|_http-title: 5 of Clubs Frontend
+### we have the password hash, salt, and width/alphabet of the rest. hashcat saves the day: ihatesaltalot7 (solved)
+8123/tcp open http WSGIServer 0.2 (Python 3.8.5)
+|_http-server-header: WSGIServer/0.2 CPython/3.8.5
+|_http-title: Salt Free Hashes
+### Image upload (we solved)
+8200/tcp open http Apache httpd 2.4.38 ((Debian))
+|_http-server-header: Apache/2.4.38 (Debian)
+|_http-title: Home
+### redirects to vhost. says to use other subdomains, but what are they?
+8201/tcp open http nginx 1.19.5
+|_http-server-header: nginx/1.19.5
+|_http-title: Did not follow redirect to http://intranet.metasploit.ctf:8201
+### obfuscated graphql queries. "all posts" query not authenticated and leaks url to flag (solved)
+8202/tcp open http nginx 1.19.5
+|_http-server-header: nginx/1.19.5
+|_http-title: Site doesn't have a title (text/html).
+### Metasploit modules looks like something to do with the session cookie
+8888/tcp open http Werkzeug httpd 1.0.1 (Python 3.8.5)
+|_http-title: Home
+### Game library (we solved)
+9000/tcp open http WEBrick httpd 1.6.0 (Ruby 2.7.0 (2019-12-25))
+|_http-server-header: WEBrick/1.6.0 (Ruby/2.7.0/2019-12-25)
+|_http-title: Site doesn't have a title (text/html;charset=utf-8).
+### Game reviews (we solved)
+9001/tcp open http Thin httpd
+|_http-server-header: thin
+|_http-title: Site doesn't have a title (text/html;charset=utf-8).
+### Broken zip file (we solved)
+9007/tcp open http Apache httpd 2.4.46 ((Unix))
+| http-methods:
+|_ Potentially risky methods: TRACE
+|_http-server-header: Apache/2.4.46 (Unix)
+|_http-title: Index of /
+### QOH(9010) server. if sent a GET from a browser, it returns 4 bytes (ACED0005) (solved)
+9008/tcp open java-object Java Object Serialization
+### admin/password /etc/ace_of_clubs.png owned by root setuid /opt/vpn_connect (solved)
+9009/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 2048 4c:0f:d8:c5:a2:f1:54:f9:92:30:df:62:1f:52:e6:fe (RSA)
+| 256 6e:b8:6f:94:e6:c0:2f:15:0c:80:71:32:cb:d0:2a:00 (ECDSA)
+|_ 256 8a:55:03:98:8e:87:29:50:66:1a:57:4c:5b:10:a4:01 (ED25519)
+### Jar file - wireshare protocol vuln (solved)
+9010/tcp open http Apache httpd 2.4.38
+| http-ls: Volume /
+| 3.2K 2020-12-01 15:29 QOH_Client.jar
+|_http-server-header: Apache/2.4.38 (Debian)
+|_http-title: Index of /
+3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at :
+MAC Address: 0A:6C:D1:10:33:CD (Unknown)
+Aggressive OS guesses: Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 3.4 - 3.10 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Synology DiskStation Manager 5.2-5644 (94%), Netgear RAIDiator 4.2.28 (94%), Linux 2.6.32 - 2.6.35 (94%)
+No exact OS matches for host (test conditions non-ideal).
+Network Distance: 1 hop
+Service Info: Host:; OS: Linux; CPE: cpe:/o:linux:linux_kernel
+1 0.75 ms target (
+OS and Service detection performed. Please report any incorrect results at .
+Nmap done: 1 IP address (1 host up) scanned in 245.48 seconds
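Review bot: the first line of the new file, "Nmap done: 1 IP address (1 host up) scanned in 13.49 seconds", sits above the "Starting Nmap 7.80" banner and belongs to a different run than the one that finishes at "scanned in 245.48 seconds" at the bottom; drop it or keep it with its own run so the file reads as a single scan. The per-port annotations are also inconsistent: port 1080 uses "##" while every other port uses "###", and three ports (8101 "Make metasploit module", 8201 "redirects to vhost", 8888 "Metasploit modules ... session cookie") carry no "(solved)"/"(we solved)" tag, so a reader cannot tell whether those were unsolved or simply unmarked; an explicit "(unsolved)" would make the status list complete. Minor wording: "publically" on the 6868 line should be "publicly", and "wireshare protocol vuln" on the 9010 line probably means Wireshark. The 9008 note could state that the four bytes ACED0005 are the Java serialization stream header (magic 0xACED, stream version 5), which is what nmap's "java-object" fingerprint on that port is matching. Finally, the cracked password "ihatesaltalot7" (8123) and the "admin/password" credential (9009) are recorded in clear text; that is fine for a CTF writeup, but worth keeping in mind since the file lives in a public docs tree.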