
Day 7: Network Recon & Reclaiming the QA Server


The Mission: Breach at the QA Environment

The intensity of the 24-hour speed run is peaking as I hit Day 7: "Network Discovery — Scan-ta Clause." The rogue group HopSec has breached the TBFC QA environment (tbfc-devqa01) and locked the staff out. Without this server the entire "SOC-mas" pipeline is frozen. My task: investigate the network, find three hidden fragments of a passphrase, and reclaim the server from the "bad bunnies".

Reconnaissance: Peeling Back the Layers

I started by identifying the target IP and running a standard Nmap scan to see which doors were left open.

Initial Scan: A basic scan of Nmap's default top 1000 TCP ports revealed only Port 22 (SSH) and Port 80 (HTTP).

The Obstacle: The website on port 80 had been defaced by HopSec with the message "Pwned by HopSec". The bunnies' taunt said the passphrase fragments were scattered across the network.

Deep Scan: Finding Hidden Services

Since the standard ports were a dead end, I expanded the search to all 65,535 TCP ports with the -p- flag and enabled banner grabbing with --script=banner, so Nmap would report what each service announced on connect rather than just a port number.

Key 1: The Misconfigured FTP

The deep scan revealed an FTP server on the non-standard Port 21212.

Exploit: I connected with the ftp command (ftp <target> 21212) and logged in with anonymous as the username.

Result: I found a file named tbfc_qa_key1. Using the get command, I retrieved the first passphrase fragment: 3aster_.

Key 2: The Custom Application

The scan also found an unknown service on Port 25251.

Exploit: Since this wasn't a standard protocol, I used Netcat (nc) to talk to it by hand. Typing HELP revealed a GET KEY command.

Result: The service returned the second fragment: 15_th3_.
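To make the two steps above concrete (the -p- sweep with banner grabbing, and the Netcat conversation with the custom service), here is an added Python example that is not code from the original post or from the challenge. It starts a constructed mock of the custom service on a loopback port, finds it with a TCP connect scan plus banner grab over a small window of ports, then drives the HELP / GET KEY exchange the way you would by hand with nc. The banner text, the command list and the port are assumptions made for this demo; only the HELP and GET KEY behaviour and the fragment it hands back come from the write-up.

```python
import socket
import threading

# Constructed stand-in for the custom service on the QA host. The banner, the command
# list and the listening port are assumptions for this demo; only the HELP / GET KEY
# behaviour and the fragment it hands back come from the write-up.
KEY_FRAGMENT = "15_th3_"
BANNER = b"TBFC-QA custom service ready\n"


def mock_service(listener, stop):
    """Serve clients one at a time until `stop` is set (runs in a background thread)."""
    listener.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except OSError:            # accept timed out (or listener closed): re-check stop
            continue
        with conn:
            conn.sendall(BANNER)   # greet on connect, which is what a banner grab sees
            reader = conn.makefile("rb")
            for raw in reader:     # one newline-terminated command per line
                cmd = raw.strip().upper()
                if cmd == b"HELP":
                    conn.sendall(b"Commands: HELP, GET KEY, QUIT\n")
                elif cmd == b"GET KEY":
                    conn.sendall(KEY_FRAGMENT.encode() + b"\n")
                elif cmd == b"QUIT":
                    conn.sendall(b"Bye\n")
                    break
                else:
                    conn.sendall(b"Unknown command, try HELP\n")
            reader.close()


def connect_scan(host, ports, timeout=1.0):
    """TCP connect scan plus banner grab, a sequential version of what
    `nmap -p- --script=banner` does. Returns {open_port: banner} ("" if the service is silent)."""
    found = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:        # refused (closed) or timed out (filtered)
                continue
            try:
                banner = s.recv(1024).decode(errors="replace").strip()
            except OSError:        # open but silent within the timeout
                banner = ""
            found[port] = banner
    return found


def talk(host, port, commands):
    """Drive the service the way `nc host port` is used by hand: read the banner, then send
    each command with a trailing newline and keep one reply line per command."""
    with socket.create_connection((host, port), timeout=5) as s:
        reader = s.makefile("rb")
        replies = [reader.readline().decode().strip()]
        for cmd in commands:
            s.sendall(cmd.encode() + b"\n")
            replies.append(reader.readline().decode().strip())
        reader.close()
    return replies


def demo():
    """Start the mock on an ephemeral loopback port, find it by scanning a small window of
    ports around it, then pull the fragment. Returns (mock_port, scan_results, replies)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]
    stop = threading.Event()
    threading.Thread(target=mock_service, args=(listener, stop), daemon=True).start()
    try:
        scan = connect_scan("127.0.0.1", range(port - 3, port + 4))
        replies = talk("127.0.0.1", port, ["HELP", "GET KEY"])
    finally:
        stop.set()
        listener.close()
    return port, scan, replies


if __name__ == "__main__":
    port, scan, replies = demo()
    print(f"mock service listening on {port}; open ports seen by the scan: {scan}")
    for line in replies:
        print("<", line)
```

The scan is deliberately a plain connect scan: it completes the handshake, so it shows up in the target's logs exactly like a real client, which is also why Nmap's default SYN scan needs root and this one does not. The banner grab only reads what the service volunteers on connect; a silent service still registers as open, and that is the case where you fall back to nc and start typing.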

Key 3: Diving into UDP

Attackers often hide secrets on UDP ports, which are frequently overlooked because UDP scans are slow: an open UDP port usually sends nothing back, so the scanner has to wait out a timeout on every port that does not answer with an ICMP port-unreachable. I ran a UDP scan (-sU) and discovered Port 53 (DNS) was open.

Exploit: I used dig to ask the server directly for a TXT record (dig @<target> <name> TXT).

Result: The DNS server coughed up the final fragment: n3w_xm45.
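The dig query above, as an added example that is not code from the post: a minimal DNS TXT query built and parsed by hand in Python and sent over UDP to a constructed mock resolver on loopback, so the whole exchange (question, then a compressed answer carrying the TXT record) is visible in one place. The record name key3.example.com is a placeholder, since the post does not say which name held the fragment; the TXT value is the fragment from the write-up. Against a real target the equivalent is dig @<target> <name> TXT.

```python
import socket
import struct
import threading

QTYPE_TXT, QCLASS_IN = 16, 1

# Constructed data for the demo: the record name is an assumption (the write-up does not
# say which name held the fragment); the value is the third fragment from the post.
TXT_NAME = "key3.example.com"
TXT_VALUE = "n3w_xm45"


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, offset):
    """Read a name at `offset`, following compression pointers (0xC0xx).
    Returns (name, offset just past the name as it appeared at the original position)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_txt_query(name, txid=0x1337):
    """One-question query for `name` TXT IN with the RD bit set, like `dig <name> TXT`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def parse_txt_answer(msg):
    """Walk the question and answer sections; return every TXT string in the answers."""
    qd, an = struct.unpack("!HH", msg[4:8])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4                                   # skip QTYPE + QCLASS
    strings = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == QTYPE_TXT:
            pos = 0
            while pos < len(rdata):                   # TXT RDATA is a run of <len><chars>
                n = rdata[pos]
                strings.append(rdata[pos + 1:pos + 1 + n].decode())
                pos += 1 + n
    return strings


def mock_dns_server(sock, records):
    """Answer a single TXT query from `records` (name -> text), then return."""
    data, addr = sock.recvfrom(512)
    txid = struct.unpack("!H", data[:2])[0]
    qname, end = decode_name(data, 12)
    question = data[12:end + 4]                       # echo the question section back
    txt = records.get(qname.lower(), "")
    rdata = bytes([len(txt)]) + txt.encode()
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA, one answer
    # 0xC00C is a compression pointer to the name at offset 12 (the question name)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 60, len(rdata)) + rdata
    sock.sendto(header + question + answer, addr)


def query_txt(server, name, timeout=3.0):
    """Send the query over UDP and return the TXT strings from the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name), server)
        reply, _ = s.recvfrom(512)
    return parse_txt_answer(reply)


def demo():
    """Run the mock resolver on a loopback UDP port and query it for TXT_NAME."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    t = threading.Thread(target=mock_dns_server, args=(srv, {TXT_NAME: TXT_VALUE}), daemon=True)
    t.start()
    try:
        return query_txt(srv.getsockname(), TXT_NAME)
    finally:
        t.join(timeout=3)
        srv.close()


if __name__ == "__main__":
    print(demo())
```

Two details worth noticing: the client never sees the transaction ID checked here, but a real resolver must match it (and the source port) against what it sent, which is the whole point of those fields; and the answer uses name compression, so a parser that does not follow 0xC0 pointers will mis-read nearly every real response.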

The Final Breakthrough: Database Access

With all fragments in hand (3aster_15_th3_n3w_xm45), I unlocked the secret admin console on the web server.

Once inside the host I didn't need Nmap; ss -tunlp lists the listening sockets straight from the OS, covering TCP (-t) and UDP (-u), with numeric ports (-n), listening sockets only (-l) and the owning process (-p). That showed MySQL on Port 3306, bound internally where the external scans could not reach it. By querying the database tables, I extracted the final flag from the flags table: THM{4ll_s3rvice5_d1sc0vered}.

Analogy for Network Discovery: Think of Nmap like a locksmith walking through a massive hotel with 65,535 rooms. A basic scan only checks the front door and the lobby. A "whole range" scan is the locksmith trying every single handle in the building to find the one utility closet—hidden on the 21st floor—that was accidentally left unlocked.
