Network challenges

Solution of Touch1

Find the ssh service on in the portrange 800-900. Morten is a user of that service. His password is an A-HA song title. (format: Capital for each starting letter without spaces e.g. TakeOnMe )

First, we need to identify the place of the ssh service. With portscan the answering services can be found in the specified port range. To find ssh services we need to use version detection as well. The following nmap command lists the services with the version numbers: nmap -sV -p800-900 As we can see according to nmap there are two ssh services, one on port 825 and one on 826.

Let's try to interact with the services. We start with the one on port 825. If we use ssh on port 825 with the ssh 825 command, we are asked to give a password.

According to the challenge description the password is an AHA song without spaces, so we need to download all AHA songs without spaces into a dictionary file, and brute force. There is a WikiPedia page which contains all AHA songs ( ). The brackets and other unnecessary contents have to be removed. By using the command nano aha.txt we create our dictionary as a txt file. The next step is to try all the combinations out to log in to the ssh service, so what we are going to do here is brute-forcing. One of the best brute-forcing tool is hydra. It supports many protocols including ssh, so it looks perfect for us now. Hydra has a difficult syntax. With the lowercase -l we specify only one username for the brute-force and this is Morten with capital M. On the other hand we also use the -P switch to provide the passwords. Since this is a capital P (lowercase p would mean only one password), we are referring here to a password file, the one we have already made. For the service we just type ssh:// and the name of the server. So the command again: hydra -l Morten -P aha.txt ssh:// Now Hydra will try all the combinations and after a while we can see the password is AngelInTheSnow.

Let's try to log in to the service. By logging in using the command: ssh -l Morten -p 825 or ssh -p 825, we can execute commands.

With the ls command we can list the files, there is a flag.txt. With the cat command we can see the content of the flag.