We’re going to break up our Hack the Box streak and switch over to doing a TryHackMe challenge this time called Intermediate Nmap. It is a premium room, which means that you have to be a subscriber to play along. If you aren’t a subscriber and you aren’t interested in becoming one, hopefully you can follow along and still learn or reinforce your learning with this walkthrough.
Here’s the description:
You’ve learned some great nmap skills! Now can you combine that with other skills with netcat and protocols, to log in to this machine and find the flag? This VM is listening on a high port, and if you connect to it it may give you some information you can use to connect to a lower port commonly used for remote access!
There is only one thing to answer for this room, and it turns out that all they want is a flag. So let's get after it. You can use the AttackBox or your own machine. I'm using my own Kali VM here, so I've downloaded my openvpn config file and I connect like this:
sudo openvpn ~/Downloads/ThmPremium.ovpn
In my case, the IP of the machine is 10.64.156.76, so the first thing I do is give it enough time to boot and then make sure a) that it is up and b) that I can see it through my VPN connection (this isn't always guaranteed; in the past I've had to download a newer config file, reconnect and try again). After seeing some responses to the ping, I hit CTRL-C to stop it and move on.
$ ping 10.64.156.76
PING 10.64.156.76 (10.64.156.76) 56(84) bytes of data.
64 bytes from 10.64.156.76: icmp_seq=1 ttl=62 time=67.8 ms
64 bytes from 10.64.156.76: icmp_seq=2 ttl=62 time=89.0 ms
64 bytes from 10.64.156.76: icmp_seq=3 ttl=62 time=73.8 ms
64 bytes from 10.64.156.76: icmp_seq=4 ttl=62 time=50.8 ms
^C
--- 10.64.156.76 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 50.790/70.361/89.006/13.682 ms
The next step is to run an nmap scan. They told us, as a hint, that there is a high port available. So I'm not going to play around; I'm going to start by checking all 65535 TCP ports (-p-). This can take longer, especially over a VPN instead of from the AttackBox, but I don't mind waiting, and -T4 helps speed it up. As it is, this came back in about 13 seconds for me. The -sCV tells nmap to run the default scripts (C) and to try to determine the versions (V) of the services running.
$ nmap -sCV -p- -T4 10.64.156.76
Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-25 12:13 -0400
Nmap scan report for 10.64.156.76
Host is up (0.031s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 7d:dc:eb:90:e4:af:33:d9:9f:0b:21:9a:fc:d5:77:f2 (RSA)
|   256 83:a7:4a:61:ef:93:a3:57:1a:57:38:5c:48:2a:eb:16 (ECDSA)
|_  256 30:bf:ef:94:08:86:07:00:f7:fc:df:e8:ed:fe:07:af (ED25519)
2222/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 0b:8d:7c:be:ac:e7:ae:f5:29:c5:61:eb:fa:c1:93:c2 (RSA)
|   256 3d:16:86:a3:ee:9d:3a:8b:d1:00:3a:70:d2:20:e5:d9 (ECDSA)
|_  256 c1:fa:11:55:97:53:bb:a5:0b:8a:61:c0:12:60:ad:52 (ED25519)
31337/tcp open  Elite?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
|     In case I forget - user:pass
|_    ubuntu:Dafdas!!/str0ng
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31337-TCP:V=7.99%I=7%D=6/25%Time=6A3D53BA%P=x86_64-pc-linux-gnu%r(N
SF:ULL,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/st
SF:r0ng\n\n")%r(GetRequest,35,"In\x20case\x20I\x20forget\x20-\x20user:pass
SF:\nubuntu:Dafdas!!/str0ng\n\n")%r(SIPOptions,35,"In\x20case\x20I\x20forg
SF:et\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(GenericLines,35,"I
SF:n\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n"
SF:)%r(HTTPOptions,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu
SF::Dafdas!!/str0ng\n\n")%r(RTSPRequest,35,"In\x20case\x20I\x20forget\x20-
SF:\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(RPCCheck,35,"In\x20case\x
SF:20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(DNSVers
SF:ionBindReqTCP,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:D
SF:afdas!!/str0ng\n\n")%r(DNSStatusRequestTCP,35,"In\x20case\x20I\x20forge
SF:t\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(Help,35,"In\x20case
SF:\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(SSLSe
SF:ssionReq,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas
SF:!!/str0ng\n\n")%r(TerminalServerCookie,35,"In\x20case\x20I\x20forget\x2
SF:0-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(TLSSessionReq,35,"In\x2
SF:0case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(
SF:Kerberos,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas
SF:!!/str0ng\n\n")%r(SMBProgNeg,35,"In\x20case\x20I\x20forget\x20-\x20user
SF::pass\nubuntu:Dafdas!!/str0ng\n\n")%r(X11Probe,35,"In\x20case\x20I\x20f
SF:orget\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(FourOhFourReque
SF:st,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/str
SF:0ng\n\n")%r(LPDString,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\n
SF:ubuntu:Dafdas!!/str0ng\n\n")%r(LDAPSearchReq,35,"In\x20case\x20I\x20for
SF:get\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(LDAPBindReq,35,"I
SF:n\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n"
SF:)%r(LANDesk-RC,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:
SF:Dafdas!!/str0ng\n\n")%r(TerminalServer,35,"In\x20case\x20I\x20forget\x2
SF:0-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.83 seconds
So, interesting. I see 3 ports open: 22 (running SSH), 2222 (also running SSH), and 31337 (service unrecognized despite returning data), which answers every probe nmap sends with the same text: "In case I forget - user:pass ubuntu:Dafdas!!/str0ng".
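The long SF-Port31337 block nmap printed after the table is that same banner in nmap's service-fingerprint encoding: every line after the first is prefixed with SF: and the lines simply concatenate, and each %r(probe,len,"data") entry holds the response to one probe, with the length in hex and spaces and control characters written as \x20, \n and so on. Reading it by hand is tedious, so here is an added Python example (my own code, not part of the room or of nmap) that reassembles such a block, decodes each response, checks the declared length against the decoded bytes, and flags banner lines that look like user:pass pairs. The FINGERPRINT value is a constructed excerpt of the scan output above (the first three probes), so the script runs offline.

```python
"""Decode an nmap service fingerprint (the SF-/SF: block printed for an
unrecognized service) back into per-probe plaintext responses.

Added example; not code from the TryHackMe room or the nmap project.
"""
import re
from typing import Dict, List

# Constructed sample: the first three probes of the scan output above,
# in exactly the encoding nmap prints (raw string, so \x20 stays literal).
FINGERPRINT = r"""
SF-Port31337-TCP:V=7.99%I=7%D=6/25%Time=6A3D53BA%P=x86_64-pc-linux-gnu%r(N
SF:ULL,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/st
SF:r0ng\n\n")%r(GetRequest,35,"In\x20case\x20I\x20forget\x20-\x20user:pass
SF:\nubuntu:Dafdas!!/str0ng\n\n")%r(SIPOptions,35,"In\x20case\x20I\x20forg
SF:et\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n");
"""

# One %r(ProbeName,HEXLEN,"escaped response") entry.
_PROBE_RE = re.compile(r'%r\(([\w-]+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
# A single escape inside the quoted response: \xHH or \<char>.
_ESC_RE = re.compile(r'\\(x[0-9A-Fa-f]{2}|.)')
_SIMPLE_ESCAPES = {"n": b"\n", "r": b"\r", "t": b"\t", "0": b"\0"}


def join_fingerprint_lines(text: str) -> str:
    """Drop the SF: continuation prefixes and glue the block into one string."""
    parts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SF:"):
            parts.append(line[3:])
        elif line.startswith("SF-"):
            parts.append(line)
    return "".join(parts)


def _unescape(s: str) -> bytes:
    """Turn nmap's \\xHH / \\n style escapes back into raw bytes."""
    out = bytearray()
    pos = 0
    for m in _ESC_RE.finditer(s):
        out += s[pos:m.start()].encode("latin-1")
        esc = m.group(1)
        if esc.startswith("x"):
            out.append(int(esc[1:], 16))
        else:
            out += _SIMPLE_ESCAPES.get(esc, esc.encode("latin-1"))
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)


def parse_fingerprint(text: str) -> dict:
    """Return port, protocol, nmap version and {probe: response bytes}."""
    joined = join_fingerprint_lines(text)
    header = re.match(r"SF-Port(\d+)-(TCP|UDP):V=([^%]+)", joined)
    if not header:
        raise ValueError("not an nmap service fingerprint")
    responses: Dict[str, bytes] = {}
    for probe, hexlen, body in _PROBE_RE.findall(joined):
        data = _unescape(body)
        # The length field is hexadecimal; a mismatch means a mangled paste.
        if len(data) != int(hexlen, 16):
            raise ValueError(f"length mismatch for probe {probe}")
        responses[probe] = data
    return {
        "port": int(header.group(1)),
        "proto": header.group(2),
        "nmap_version": header.group(3),
        "responses": responses,
    }


_CRED_LINE = re.compile(rb"^[A-Za-z0-9_.-]+:\S+$")


def credential_hints(responses: Dict[str, bytes]) -> List[str]:
    """Heuristic: in banners that mention both 'user' and 'pass', return the
    distinct lines shaped like name:secret. A cleanup lead, not proof."""
    hits: List[str] = []
    for data in responses.values():
        lowered = data.lower()
        if b"user" not in lowered or b"pass" not in lowered:
            continue
        for line in data.splitlines():
            line = line.strip()
            if line and _CRED_LINE.match(line):
                text = line.decode("latin-1")
                if text not in hits:
                    hits.append(text)
    return hits


if __name__ == "__main__":
    fp = parse_fingerprint(FINGERPRINT)
    print(f"port {fp['port']}/{fp['proto']}, nmap {fp['nmap_version']}")
    for probe, data in fp["responses"].items():
        print(f"[{probe}] {data!r}")
    print("credential-looking lines:", credential_hints(fp["responses"]))
```

Every probe decodes to the identical 53-byte (0x35) banner, which is the tell that the listener ignores its input entirely and just prints and disconnects, exactly what the later netcat test confirms. Pointed at your own scan output, the same decoder is a cheap way to notice secrets leaking from banners before someone else does.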
I decided to netcat directly to port 31337. I got just that message and then the connection was closed, so that is seemingly all there is to find on that port.
$ nc 10.64.156.76 31337
In case I forget - user:pass
ubuntu:Dafdas!!/str0ng
Okay. Well, we have two ports running SSH, so let's try them in order.
$ ssh ubuntu@10.64.156.76
The authenticity of host '10.64.156.76 (10.64.156.76)' can't be established.
ED25519 key fingerprint is: SHA256:8VuYGtc5lO2sXK+MVsdbgQV9nF+EVHf8wJcrMAEWg10
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.64.156.76' (ED25519) to the list of known hosts.
ubuntu@10.64.156.76's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.13.0-1014-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

$
That worked. When I try port 2222, I get rejected immediately for not providing a public key.
$ ssh ubuntu@10.64.156.76 -p 2222
The authenticity of host '[10.64.156.76]:2222 ([10.64.156.76]:2222)' can't be established.
ED25519 key fingerprint is: SHA256:31v1b7mqLgFtZOZP/4qvBzUw5AzWmecr4m6GLPgDRJs
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.64.156.76]:2222' (ED25519) to the list of known hosts.
ubuntu@10.64.156.76: Permission denied (publickey).
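Both listeners are the same OpenSSH 8.2p1 build, so the difference in behaviour is configuration: port 22 prompts for a password and accepts the leaked one, while port 2222 offers only the publickey method and refuses before any password is asked for. The following is an added sshd_config illustration of my own, not a file from the room, showing the weak settings that make a leaked password sufficient next to the key-only settings consistent with the "Permission denied (publickey)" response. The two fragments are alternatives, not one file: sshd uses the first value it sees for each keyword.

```sshd_config
# Fragment A (weak): anyone holding a password from a banner, wordlist or
# leak can log in. This is what the port 22 service behaves like.
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes

# Fragment B (hardened): only key-based logins are offered, so a password
# alone is useless and the client sees "Permission denied (publickey)".
# On OpenSSH 8.7+ the keyword KbdInteractiveAuthentication is preferred;
# ChallengeResponseAuthentication still works there as an alias.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
```

After editing, `sudo sshd -t` validates the syntax and `sudo sshd -T | grep -i -E 'passwordauthentication|challengeresponse|pubkey'` prints the effective values, which is the quickest way to confirm a host really behaves like port 2222 rather than port 22.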
So, let’s keep working in that port 22 connection.
$ ls
$ pwd
/home/ubuntu
$ ls -la
total 28
drwxr-xr-x 1 ubuntu ubuntu 4096 Jun 25 16:18 .
drwxr-xr-x 1 root root 4096 Mar 2 2022 ..
-rw-r--r-- 1 ubuntu ubuntu 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 ubuntu ubuntu 3771 Feb 25 2020 .bashrc
drwx------ 2 ubuntu ubuntu 4096 Jun 25 16:18 .cache
-rw-r--r-- 1 ubuntu ubuntu 807 Feb 25 2020 .profile
$ find / -name flag.txt 2>/dev/null
/home/user/flag.txt
$ cat /home/user/flag.txt
flag{251f309497a18888dde5222761ea88e4}
I expected to find a flag in the home directory, but there wasn't one. I checked where I had landed, and it was /home/ubuntu, as I figured. Then I checked for hidden contents, and there was nothing really there either. Lastly, I took a shot and searched the entire filesystem for a file named flag.txt (sending the permission errors to /dev/null). If that had come up empty, my next step would have been to look for user.txt, another popular flag file name. That proved unnecessary: the search found the file in /home/user, and I was able to cat its contents to the screen and finish the challenge. Pretty light work, but a good exercise in some of the just-beyond-basic uses of nmap.
Any questions or comments, let me know.