330 Project Report


• nmap -O -v 172.18.33.0/24

-O gives the OS information for each host in the IP range.

-v prints the output in a long and detailed way.

The whole command shows us all the IPs in the network with their ports, as shown in the screenshot below, including the state of each port. It also displays the MAC address and the running OS, and shows whether a machine is a guest or a host through the Oracle VirtualBox virtual NIC. We looked for any Linux operating system version and found two: 172.18.33.51 and 172.18.33.33.

Nmap is a tool that we used for Footprinting.

We discovered the two IPs that are related to the Linux operating system, and the output shows many details about each of them.

Then we scan each of these IPs using the command:

• nmap -O -A -sT -v -T5 <IP of the Linux host>

This command reports information about the specific host.

-O gives the OS information for each host of the network in the range.

-A is like -O but more detailed.

-sT is the type of scan that I want to use (T means I'm making a full connection and talking to the port, which is the three-way handshake).

-v prints the output in a long and detailed way.

-T5 is for timing, so I use T4 or T5 to speed up the scanning of the IP; T4 is slower than T5.

Here we know that this is the target IP address because the screenshot says it is a Fedora version and the website title is Monther's website, which makes us sure that this is the target.

Here we use the command nmap -p- followed by the IP address of the target machine to scan all the available ports. It shows that 65529 ports are closed while 6 are open, as shown in the screenshot, followed by the MAC address. After that, we try to connect to each of the ports, and each port that gives a result is shown in the following screenshots.
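A full connect scan like the -sT and -p- runs above is noisy on the target side: one source touches a very large number of ports in a short time. The sketch below is an added example, not part of the original report, that flags that pattern in connection logs; the log format, the source addresses 172.18.33.10 and 172.18.33.20, and the thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

def parse_line(line):
    """Parse 'ISO-time SRC=a DST=b DPT=n' (constructed format) into (time, src, dst, port)."""
    stamp, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.fromisoformat(stamp), kv["SRC"], kv["DST"], int(kv["DPT"])

def detect_port_sweeps(lines, window=timedelta(seconds=60), threshold=100):
    """Return {(src, dst): peak distinct ports in any window} for pairs at or over threshold."""
    per_pair = defaultdict(list)
    for line in lines:
        when, src, dst, port = parse_line(line)
        per_pair[(src, dst)].append((when, port))
    alerts = {}
    for pair, events in per_pair.items():
        events.sort()
        recent, ports, peak = deque(), Counter(), 0
        for when, port in events:
            recent.append((when, port))
            ports[port] += 1
            while when - recent[0][0] > window:   # drop events older than the window
                _, old_port = recent.popleft()
                ports[old_port] -= 1
                if ports[old_port] == 0:
                    del ports[old_port]
            peak = max(peak, len(ports))
        if peak >= threshold:
            alerts[pair] = peak
    return alerts

def build_sample_log():
    """Constructed log: one host sweeping ports 1-500 in 5 s, one client using only port 80."""
    start = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    for port in range(1, 501):
        t = start + timedelta(milliseconds=10 * port)
        lines.append(f"{t.isoformat()} SRC=172.18.33.10 DST=172.18.33.33 DPT={port}")
    for i in range(200):
        t = start + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} SRC=172.18.33.20 DST=172.18.33.33 DPT=80")
    return lines

if __name__ == "__main__":
    for (src, dst), count in detect_port_sweeps(build_sample_log()).items():
        print(f"possible port sweep: {src} -> {dst}, {count} distinct ports within 60 s")
```

The client that makes 200 requests to port 80 is not flagged, because the rule counts distinct destination ports rather than connections.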

The next step is to connect to the ftp port with the IP address of the victim's machine, and it shows a flag.

We connect to port 9090 in the browser, as shown: we put http:// then the IP address of the victim's machine, followed by a colon and then the port 9090. It shows a not secure page; we click on Advanced and then it shows this website, which displays another flag.

We connect to port 13337 in the browser, as shown: we put http:// then the IP address of the victim's machine, followed by a colon and then the port 13337. The colon separates the port from the address so that the port is not cut off. It shows a message and we found a flag.

We connect to port 80 in the browser, as shown: we put http:// then the IP address of the victim's machine, followed by a colon and then the port 80. The colon separates the port from the address so that the port is not cut off. It shows a picture of Monther's cool website with a funny picture, which means we connected to the port successfully, but there is nothing interesting here.

We use dirb with http:// then the IP address of the victim machine. dirb is used to show all the URLs (hidden web pages) that contain files, and these files contain hints that can help us in the next attacking step. For example, clicking on the robots.txt URL benefits us because from it we figure out the trace tool used for the command injection. dirb also lists index.html and many other URLs, some of which may not be useful.

When we click on one of the URLs, which is index.html, this page is displayed, which contains a lot of files that may be useful.

We opened FLAG.txt in the index and we found a flag. Then we opened passwords.html and we found
this:

Then we viewed the source code of the page and, guess what, we found a password.

The other link, which is 172.18.33.33/robots.txt, contains:

We kept trying the links that we found in robots.txt and we found this page.

We type the victim IP address and use ; to end the IP, and then we use the command head -n, which shows the top lines that can contain the username of the victim machine. The cat command is for viewing what is in the passwd file, but cat was not useful in that case, so that is why we used head. This step is called command injection.

After we clicked trace, it displayed many lines and we figured out that Summer is the username because it is related to the hint that was given, which is the password: "winter".
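The trace page above is injectable because the form value reaches a shell, where ; starts a second command. The following added example (not code from the original report or from the target site) contrasts that with a handler that accepts exactly one IP address and runs the tool without a shell; `echo` is a harmless stand-in assumed here for the real trace binary, and the function names and inputs are constructed.

```python
import ipaddress
import subprocess

TRACE_TOOL = "echo"   # assumption: harmless stand-in for the page's trace binary

def trace_vulnerable(user_input):
    """Paste the form value into a shell string, as an injectable trace page does."""
    done = subprocess.run(f"{TRACE_TOOL} tracing {user_input}", shell=True,
                          capture_output=True, text=True)
    return done.stdout.splitlines()

def trace_hardened(user_input):
    """Accept exactly one IP address and run the tool with an argv list, no shell."""
    try:
        target = ipaddress.ip_address(user_input.strip())
    except ValueError:
        raise ValueError(f"rejected input: {user_input!r}") from None
    done = subprocess.run([TRACE_TOOL, "tracing", str(target)],
                          capture_output=True, text=True, check=True)
    return done.stdout.splitlines()

# Constructed inputs: a plain address, and one with a second command after ';'
PLAIN = "172.18.33.33"
WITH_SECOND_COMMAND = "172.18.33.33; echo SECOND-COMMAND-RAN"

if __name__ == "__main__":
    print(trace_vulnerable(PLAIN))                # one output line
    print(trace_vulnerable(WITH_SECOND_COMMAND))  # two lines: the shell ran both commands
    print(trace_hardened(PLAIN))                  # same result as the plain case
    try:
        trace_hardened(WITH_SECOND_COMMAND)
    except ValueError as err:
        print(err)                                # input rejected before anything runs
```

Validation and the argv form are independent layers: even if the check were loosened, the list form passes the whole value to the tool as a single argument instead of letting a shell parse it.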

We use the nc command for initiating TCP connections to a remote host on a specific port (60000). Then we type ls, because we are already connected to the victim machine, to display any useful directories or files. Then we type cat FLAG.txt to show what this file contains, and we found a flag.

We logged in as the Summer user using ssh Summer@172.18.33.26; this command is used to connect to the local host of Summer, and we displayed the files on the victim machine using the ls command.

Next, we kept trying to open the files that we found on the victim machine, and when we opened FLAG.txt using head -n 100 cat FLAG.txt we found a flag.

We tried to unzip journal.txt.zip and open it, but it asked us for a password, so we kept opening the files and found the password in Safe_Password.jpg using the head command. The password is: "Meeseek".

Then we went back to the zip folder and unzipped it using unzip journal.txt.zip, opened it using the head command, entered the password "Meeseek" and found a flag.
