Network Discovery - Scan-ta Clause Banner

Network Discovery - Scan-ta Clause Logo

Network Discovery - Scan-ta Clause | Advent of Cyber 2025 - Day 7

This guide contains the answer and steps necessary to get to them for the Network Discovery - Scan-ta Clause room.

Discover Network Services

Discover Network Services

What evil message do you see on top of the website?

We can do an nmap scan of the server to find any exposed applications.
cmd
```
nmap -sV -p- 10.82.172.20 --script=banner
```
This will run a stealth scan on all ports and display some more information about any exposed servies.

We can see there is a webserver active on port 80. This should be viewable in the browser.

The answer can be found by navigating to the application hosted on the compromised server '10.82.172.20'.

Click for answer
Pwned by HopSec
What is the first key part found on the FTP server?

Another service we found to be of interest is an FTP server on port 21212.

We can connect to the server using ftp 10.82.172.20 21212. Use 'anonymous' as login name.

We can now look through the directory and download any interesting files.
cmd
```
ls
get tbfc_qa_key1 - 
```
Click for answer
3aster_
What is the second key part found in the TBFC app?

The app can be found on port 25251. Our best bet is to use netcat nc to connect to it. Doing so we can use the help command to find any handy commands.

Looks like there is a simple command to get the key. Lets use that!
cmd
```
nc 10.82.172.20 25251
HELP
GET KEY
```
Click for answer
15_th3_
What is the third key part found in the DNS records?

For this key we will take a look at any open ports using UDP.
cmd
```
nmap -sU 10.82.172.20
```
We can see there is a service on port 53, which is usually used by DNS. Lets query it with the given command.
cmd
```
dig @10.81.184.96 TXT key3.tbfc.local +short
```
Here we are given our third key in return.

Click for answer
n3w_xm45
Which port was the MySQL database running on?

Now that we have our three keys we can unlock the dashboard.

Combine all three keys and add them to the box. Now we should get access to the secret terminal.

Here we can run ss -tulnp to list its open ports.

We can see the default MySQL port is open.

Click for answer
3306
Finally, what's the flag you found in the database?

To enumerate the database, we will use mysql. Since we are logged into the host, we shouldn't need to autheticate to the database and can directly access it. We are given the database name to use.
cmd
```
mysql -D tbfcqa01
show tables;
select * from flags;
```
Click for answer
THM{4ll_s3rvice5_d1sc0vered}
If you enjoyed today's room, feel free to check out theNmap: The Basicsroom.

Table of contents

Discover Network Services

What evil message do you see on top of the website?

We can do an nmap scan of the server to find any exposed applications.

cmd

nmap -sV -p- 10.82.172.20 --script=banner

This will run a stealth scan on all ports and display some more information about any exposed servies.

Scan

We can see there is a webserver active on port 80. This should be viewable in the browser.

The answer can be found by navigating to the application hosted on the compromised server '10.82.172.20'.

Message

Click for answer
Pwned by HopSec

What is the first key part found on the FTP server?

Another service we found to be of interest is an FTP server on port 21212.

We can connect to the server using ftp 10.82.172.20 21212. Use 'anonymous' as login name.

We can now look through the directory and download any interesting files.

cmd

ls
get tbfc_qa_key1 -

Key1

Click for answer
3aster_

What is the second key part found in the TBFC app?

The app can be found on port 25251. Our best bet is to use netcat nc to connect to it. Doing so we can use the help command to find any handy commands.

Looks like there is a simple command to get the key. Lets use that!

cmd

nc 10.82.172.20 25251
HELP
GET KEY

Key2

Click for answer
15_th3_

What is the third key part found in the DNS records?

For this key we will take a look at any open ports using UDP.

cmd

nmap -sU 10.82.172.20

Scan2

We can see there is a service on port 53, which is usually used by DNS. Lets query it with the given command.

cmd

dig @10.81.184.96 TXT key3.tbfc.local +short

Key3

Here we are given our third key in return.

Click for answer
n3w_xm45

Which port was the MySQL database running on?

Now that we have our three keys we can unlock the dashboard.

Website

Combine all three keys and add them to the box. Now we should get access to the secret terminal.

Unlock

Here we can run ss -tulnp to list its open ports.

Console

We can see the default MySQL port is open.

Click for answer
3306

Finally, what's the flag you found in the database?

To enumerate the database, we will use mysql. Since we are logged into the host, we shouldn't need to autheticate to the database and can directly access it. We are given the database name to use.

cmd

mysql -D tbfcqa01
show tables;
select * from flags;

Flag

Click for answer
THM{4ll_s3rvice5_d1sc0vered}

If you enjoyed today's room, feel free to check out theNmap: The Basicsroom.