Network Discovery - Scan-ta Clause | Advent of Cyber 2025 - Day 7

This guide contains the answers, and the steps necessary to get to them, for the Network Discovery - Scan-ta Clause room.

Discover Network Services

  1. What evil message do you see on top of the website?

    We can do an nmap scan of the server to find any exposed applications.

    nmap -sV -p- 10.82.172.20 --script=banner
    

    This will run a stealth scan on all ports (-p-) and display some more information about any exposed services (-sV together with the banner script).

    We can see there is a webserver active on port 80. This should be viewable in the browser.

    The answer can be found by navigating to the application hosted on the compromised server '10.82.172.20'.

    Answer: Pwned by HopSec

  2. What is the first key part found on the FTP server?

    Another service we found to be of interest is an FTP server on port 21212.

    We can connect to the server using ftp 10.82.172.20 21212. Use 'anonymous' as login name.

    We can now look through the directory and download any interesting files.

    ls
    get tbfc_qa_key1 - 
    

    Answer: 3aster_

  3. What is the second key part found in the TBFC app?

    The app can be found on port 25251. Our best bet is to use netcat (nc) to connect to it. Once connected, we can use the HELP command to find any handy commands.

    Looks like there is a simple command to get the key. Let's use that!

    nc 10.82.172.20 25251
    HELP
    GET KEY
    

    Answer: 15_th3_

  4. What is the third key part found in the DNS records?

    For this key we will take a look at any open ports using UDP.

    nmap -sU 10.82.172.20
    

    We can see there is a service on port 53, which is usually used by DNS. Let's query it with the given command.

    dig @10.82.172.20 TXT key3.tbfc.local +short
    

    Here we are given our third key in return.

    Answer: n3w_xm45

  5. Which port was the MySQL database running on?

    Now that we have our three keys we can unlock the dashboard.

    Combine all three keys and add them to the box. Now we should get access to the secret terminal.

    Here we can run ss -tulnp to list its open ports.

    We can see the default MySQL port is open.

    Answer: 3306

  6. Finally, what's the flag you found in the database?

    To enumerate the database, we will use mysql. Since we are logged into the host, we shouldn't need to authenticate to the database and can access it directly. We are given the database name to use.

    mysql -D tbfcqa01
    show tables;
    select * from flags;
    

    Answer: THM{4ll_s3rvice5_d1sc0vered}

  7. If you enjoyed today's room, feel free to check out the Nmap: The Basics room.
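
The listener review from step 5, turned into a repeatable check (an added example, not part of the original walkthrough or the room): it parses `ss -tulnp` output and reports services reachable from the network that are not on an allowlist. Ports 80, 21212, 25251, 53 and 3306 come from this guide; the rest of the sample output (bind addresses, process names, PIDs, port 631) and the allowlist are constructed for illustration.

```python
import re

# Constructed sample of `ss -tulnp` output. Ports 80, 21212, 25251, 53 and 3306
# are the ones named in this guide; bind addresses, process names, PIDs and
# port 631 are assumptions made for the example.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:53         0.0.0.0:*         users:(("named",pid=712,fd=5))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=655,fd=6))
tcp   LISTEN 0      32     *:21212            *:*               users:(("vsftpd",pid=650,fd=3))
tcp   LISTEN 0      5      0.0.0.0:25251      0.0.0.0:*         users:(("python3",pid=901,fd=3))
tcp   LISTEN 0      151    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=801,fd=21))
tcp   LISTEN 0      4096   [::1]:631          [::]:*
"""

# Hypothetical allowlist: (protocol, port) pairs this host is meant to expose.
ALLOWED = {("tcp", 80), ("udp", 53)}

LOOPBACK = re.compile(r"^(127\.|\[::1\]$|localhost$)")
PROC = re.compile(r'\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Yield one dict per listening socket in `ss -tulnp` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")  # last colon, so IPv6 stays intact
        m = PROC.search(line)
        yield {
            "proto": fields[0],
            "addr": addr,
            "port": int(port),
            "process": m.group(1) if m else None,  # column is empty without root
            "loopback": bool(LOOPBACK.match(addr)),
        }


def unexpected_exposure(ss_output, allowed=ALLOWED):
    """Return non-loopback listeners that are not on the allowlist."""
    return [s for s in parse_listeners(ss_output)
            if not s["loopback"] and (s["proto"], s["port"]) not in allowed]


if __name__ == "__main__":
    for s in unexpected_exposure(SAMPLE_SS):
        print(f'{s["proto"]}/{s["port"]} on {s["addr"]} ({s["process"] or "unknown"})')
```

On a live host, pipe the real output in instead of the sample, for example by reading `sys.stdin` and passing it to `unexpected_exposure`.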