Nmap done: 1 IP address (1 host up) scanned in 13.49 seconds Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-05 05:20 UTC Nmap scan report for target (172.15.18.117) Host is up (0.00075s latency). Not shown: 65505 closed ports PORT STATE SERVICE VERSION ### welcome page (we solved) 80/tcp open http nginx 1.19.5 |_http-server-header: nginx/1.19.5 |_http-title: Metasploit CTF ## proxy. found a flag on a webserver that was only available through localhost (solved) 1080/tcp open socks5 (No authentication; connection failed) | socks-auth-info: |_ No authentication ### basic format string read flag out of memory (solved) 1337/tcp open waste? | fingerprint-strings: | GenericLines, GetRequest, HTTPOptions, RTSPRequest: | Welcome to the '9 of Clubs' service. | ------------------------------- | Please choose an option: | Send contact info | Greetings | Send feedback | Exit | Unknown option. | Welcome to the '9 of Clubs' service. | ------------------------------- | Please choose an option: | Send contact info | Greetings | Send feedback | Exit | NULL: | Welcome to the '9 of Clubs' service. | ------------------------------- | Please choose an option: | Send contact info | Greetings | Send feedback |_ Exit ### Buffalo RE (we solved) 4545/tcp open http SimpleHTTPServer 0.6 (Python 3.8.5) |_http-server-header: SimpleHTTP/0.6 Python/3.8.5 |_http-title: Directory listing for / ### simple dodge falling rocks game needs a bot (solved) 5555/tcp open telnet | fingerprint-strings: | NULL: | [HSCORE: 0 | [HSCORE: 1 | [HSCORE: 2 | [HSCORE: 3 |_ [HSCORE: 4 ### Photos5u flag was just in one of the "other user"'s files which are publically open (solved) 6868/tcp open http WSGIServer 0.2 (Python 3.8.5) |_http-server-header: WSGIServer/0.2 CPython/3.8.5 |_http-title: Photos5u ### comes up and lets you retrieve the flag once you beat 5555 game (solved) 7878/tcp open http SimpleHTTPServer 0.6 (Python 3.8.5) |_http-server-header: SimpleHTTP/0.6 Python/3.8.5 |_http-title: Directory listing for / ### Guest -- guess other username (we solved) 8080/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-open-proxy: Proxy might be redirecting requests |_http-server-header: Apache/2.4.38 (Debian) |_http-title: Site doesn't have a title (text/html). ### vuln == in php (solved) 8092/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-server-header: Apache/2.4.38 (Debian) |_http-title: Site doesn't have a title (text/html; charset=UTF-8). ### Make metasploit module 8101/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-server-header: Apache/2.4.38 (Debian) |_http-title: 5 of Clubs Frontend ### we have the password hash, salt, and width/alphabet of the rest. hashcat saves the day: ihatesaltalot7 (solved) 8123/tcp open http WSGIServer 0.2 (Python 3.8.5) |_http-server-header: WSGIServer/0.2 CPython/3.8.5 |_http-title: Salt Free Hashes ### Image upload (we solved) 8200/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-server-header: Apache/2.4.38 (Debian) |_http-title: Home ### redirects to vhost. says to use other subdomains, but what are they? 8201/tcp open http nginx 1.19.5 |_http-server-header: nginx/1.19.5 |_http-title: Did not follow redirect to http://intranet.metasploit.ctf:8201 ### obfuscated graphql queries. "all posts" query not authenticated and leaks url to flag (solved) 8202/tcp open http nginx 1.19.5 |_http-server-header: nginx/1.19.5 |_http-title: Site doesn't have a title (text/html). ### Metasploit modules looks like something to do with the session cookie 8888/tcp open http Werkzeug httpd 1.0.1 (Python 3.8.5) |_http-title: Home ### Game library (we solved) 9000/tcp open http WEBrick httpd 1.6.0 (Ruby 2.7.0 (2019-12-25)) |_http-server-header: WEBrick/1.6.0 (Ruby/2.7.0/2019-12-25) |_http-title: Site doesn't have a title (text/html;charset=utf-8). ### Game reviews (we solved) 9001/tcp open http Thin httpd |_http-server-header: thin |_http-title: Site doesn't have a title (text/html;charset=utf-8). ### Broken zip file (we solved) 9007/tcp open http Apache httpd 2.4.46 ((Unix)) | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Apache/2.4.46 (Unix) |_http-title: Index of / ### QOH(9010) server. if sent a GET from a browser, it returns 4 bytes (ACED0005) (solved) 9008/tcp open java-object Java Object Serialization ### admin/password /etc/ace_of_clubs.png owned by root setuid /opt/vpn_connect (solved) 9009/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 4c:0f:d8:c5:a2:f1:54:f9:92:30:df:62:1f:52:e6:fe (RSA) | 256 6e:b8:6f:94:e6:c0:2f:15:0c:80:71:32:cb:d0:2a:00 (ECDSA) |_ 256 8a:55:03:98:8e:87:29:50:66:1a:57:4c:5b:10:a4:01 (ED25519) ### Jar file - wireshare protocol vuln (solved) 9010/tcp open http Apache httpd 2.4.38 | http-ls: Volume / | SIZE TIME FILENAME | 3.2K 2020-12-01 15:29 QOH_Client.jar |_ |_http-server-header: Apache/2.4.38 (Debian) |_http-title: Index of / 3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service : ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port1337-TCP:V=7.80%I=7%D=12/5%Time=5FCB188B%P=x86_64-pc-linux-gnu%r(NU SF:LL,9B,"\nWelcome\x20to\x20the\x20'9\x20of\x20Clubs'\x20service\.\n----- SF:--------------------------\nPlease\x20choose\x20an\x20option:\n1\.\x20S SF:end\x20contact\x20info\n2\.\x20Greetings\n3\.\x20Send\x20feedback\n0\.\ SF:x20Exit\n\0")%r(GenericLines,146,"\nWelcome\x20to\x20the\x20'9\x20of\x2 SF:0Clubs'\x20service\.\n-------------------------------\nPlease\x20choose SF:\x20an\x20option:\n1\.\x20Send\x20contact\x20info\n2\.\x20Greetings\n3\ SF:.\x20Send\x20feedback\n0\.\x20Exit\n\0Unknown\x20option\.\n\nWelcome\x2 SF:0to\x20the\x20'9\x20of\x20Clubs'\x20service\.\n------------------------ SF:-------\nPlease\x20choose\x20an\x20option:\n1\.\x20Send\x20contact\x20i SF:nfo\n2\.\x20Greetings\n3\.\x20Send\x20feedback\n0\.\x20Exit\n\0")%r(Get SF:Request,146,"\nWelcome\x20to\x20the\x20'9\x20of\x20Clubs'\x20service\.\ SF:n-------------------------------\nPlease\x20choose\x20an\x20option:\n1\ SF:.\x20Send\x20contact\x20info\n2\.\x20Greetings\n3\.\x20Send\x20feedback SF:\n0\.\x20Exit\n\0Unknown\x20option\.\n\nWelcome\x20to\x20the\x20'9\x20o SF:f\x20Clubs'\x20service\.\n-------------------------------\nPlease\x20ch SF:oose\x20an\x20option:\n1\.\x20Send\x20contact\x20info\n2\.\x20Greetings SF:\n3\.\x20Send\x20feedback\n0\.\x20Exit\n\0")%r(HTTPOptions,146,"\nWelco SF:me\x20to\x20the\x20'9\x20of\x20Clubs'\x20service\.\n------------------- SF:------------\nPlease\x20choose\x20an\x20option:\n1\.\x20Send\x20contact SF:\x20info\n2\.\x20Greetings\n3\.\x20Send\x20feedback\n0\.\x20Exit\n\0Unk SF:nown\x20option\.\n\nWelcome\x20to\x20the\x20'9\x20of\x20Clubs'\x20servi SF:ce\.\n-------------------------------\nPlease\x20choose\x20an\x20option SF::\n1\.\x20Send\x20contact\x20info\n2\.\x20Greetings\n3\.\x20Send\x20fee SF:dback\n0\.\x20Exit\n\0")%r(RTSPRequest,146,"\nWelcome\x20to\x20the\x20' SF:9\x20of\x20Clubs'\x20service\.\n-------------------------------\nPlease SF:\x20choose\x20an\x20option:\n1\.\x20Send\x20contact\x20info\n2\.\x20Gre SF:etings\n3\.\x20Send\x20feedback\n0\.\x20Exit\n\0Unknown\x20option\.\n\n SF:Welcome\x20to\x20the\x20'9\x20of\x20Clubs'\x20service\.\n-------------- SF:-----------------\nPlease\x20choose\x20an\x20option:\n1\.\x20Send\x20co SF:ntact\x20info\n2\.\x20Greetings\n3\.\x20Send\x20feedback\n0\.\x20Exit\n SF:\0"); ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port5555-TCP:V=7.80%I=7%D=12/5%Time=5FCB188B%P=x86_64-pc-linux-gnu%r(NU SF:LL,699,"\xff\xfd\"\xff\xfb\x01\x1b\[2J\x1b\[HSCORE:\x200\r\n\|\x20\x20\ SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20 SF:\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x2 SF:0\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x SF:20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\ SF:|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20 SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x2 SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x SF:20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\^\x20\x20\x20\x20\x20\x20\x20\x2 SF:0\x20\x20\x20\|\r\n\x1b\[2J\x1b\[HSCORE:\x201\r\n\|\x20\x20\x20\x20\x20 SF:\x200\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x SF:20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\ SF:x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r SF:\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x2 SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x SF:20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\ SF:x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20 SF:\x20\x20\x20\|\r\n\|\x20\^\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\ SF:|\r\n\x1b\[2J\x1b\[HSCORE:\x202\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x SF:20\x20\x20\x200\|\r\n\|\x20\x20\x20\x20\x20\x200\x20\x20\x20\x20\x20\x2 SF:0\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\ SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20 SF:\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x2 SF:0\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x SF:20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\ SF:n\|\x20\^\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\x1b\[2J\x1b SF:\[HSCORE:\x203\r\n\|\x20\x20\x20\x20\x20\x200\x20\x20\x20\x20\x20\x20\| SF:\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x200\|\r\n\|\x20\x20 SF:\x20\x20\x20\x200\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x SF:20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\ SF:x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20 SF:\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\ SF:r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\^\x20\x20\x2 SF:0\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\x1b\[2J\x1b\[HSCORE:\x204\r\n\| SF:\x20\x20\x200\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x SF:20\x20\x200\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20 SF:\x20\x20\x20\x20\x200\|\r\n\|\x20\x20\x20\x20\x20\x200\x20\x20\x20\x20\ SF:x20\x20\|\r\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r SF:\n\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x2 SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\r\n\|\x20\x20\x20\x20\x SF:20\x20\x20\x20\x20"); ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port9008-TCP:V=7.80%I=7%D=12/5%Time=5FCB188B%P=x86_64-pc-linux-gnu%r(NU SF:LL,4,"\xac\xed\0\x05"); MAC Address: 0A:6C:D1:10:33:CD (Unknown) Aggressive OS guesses: Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 3.4 - 3.10 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Synology DiskStation Manager 5.2-5644 (94%), Netgear RAIDiator 4.2.28 (94%), Linux 2.6.32 - 2.6.35 (94%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop Service Info: Host: 172.17.0.15; OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.75 ms target (172.15.18.117) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 245.48 seconds