Scanning & Reconnaissance Challenge 3 - Verified

Prompt

Liber8tion left a server exposed on the public internet. Can you scan it and see if you can get access to any of the running services? The hostname for the server is target.


Answers

Q1 (15 pts) - How many open TCP ports are there on the server?
5

Q2 (15 pts) - What user can access the service on the lowest port? Note: there are two valid answers
ftp

Q3 (15 pts) - What is the old password from the service in Q2?
Liber8tin-the-countryside

Q4 (15 pts) - One service operates on two different ports; from scanning (nmap) output, what service-specific command can you successfully use against the server for username enumeration?
VRFY

Q5 (15 pts) - What is the username that exists on the server? (Format: user@domain.com)
Lina25@liber8tion.rocks

Q6 (25 pts) - What is the flag found in a message?
SKY-ZCHG-9335


Steps I Took

Q1 - Did an nmap scan and counted all the open TCP ports; there were 5.

Q2 — In the nmap scan, it shows who is logged into the FTP server.


Q3 - Logged into the FTP server with the username anonymous and no password.


I navigated to the public directory and used get on old_pw.


Q4 — I noticed that VRFY appeared in two places, which gave me the answer.

Q5 — I went back to the FTP server and downloaded email-list.txt. I looked up ways to automate the verification process and found smtp-user-enum, but I decided not to rely on it because I was not sure it would be available in the NCL terminal.


After more testing, I ended up checking VRFY manually for each entry. My first set of attempts all failed, and I believe the issue was a typing mistake in the earlier commands.


Q6 — Took the old password and the discovered user and logged into IMAP:

nc 10.5.222.68 143

a login Lina25@liber8tion.rocks Liber8tin-the-countryside
a list "" "*"
a select inbox
a fetch 1:* body[]
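
The scan findings this walkthrough relied on (anonymous FTP, an SMTP service advertising VRFY on two ports, and IMAP LOGIN over a cleartext port) are the ones an administrator would want flagged when scanning their own host. The following is an added example, not part of the original write-up: a small audit of nmap text output, where the sample scan, the hostname mail.example.test and the function name audit are constructed for illustration.

```python
import re

# Constructed nmap -sC style output (assumption: not the challenge's real scan).
SAMPLE_SCAN = """\
PORT    STATE  SERVICE
21/tcp  open   ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0            4096 Jan 01 00:00 public
25/tcp  open   smtp
|_smtp-commands: mail.example.test, PIPELINING, SIZE 10240000, VRFY, ETRN, 8BITMIME
143/tcp open   imap
|_imap-capabilities: IMAP4rev1 AUTH=PLAIN ID ENABLE IDLE
587/tcp open   smtp
|_smtp-commands: mail.example.test, PIPELINING, SIZE 10240000, VRFY, ETRN, 8BITMIME
993/tcp closed imaps
"""
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+(\S+)")
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")

def audit(scan_text):
    """Return (open_tcp_ports, findings); findings are (port, issue) tuples."""
    open_ports, findings, port, service = [], [], None, None
    for line in scan_text.splitlines():
        m = PORT_RE.match(line)
        if m:  # script lines that follow belong to this port, if it is open
            port = int(m.group(1)) if m.group(2) == "open" else None
            service = m.group(3)
            if port is not None:
                open_ports.append(port)
            continue
        m = SCRIPT_RE.match(line)
        if not m or port is None:
            continue
        script, output = m.groups()
        if script == "ftp-anon" and "Anonymous FTP login allowed" in output:
            findings.append((port, "anonymous FTP login allowed"))
        elif script == "smtp-commands":
            verbs = {v.strip().upper() for v in output.split(",")}
            for verb in sorted(verbs & {"VRFY", "EXPN"}):
                findings.append((port, f"SMTP {verb} advertised: allows address probing"))
        elif script == "imap-capabilities" and service == "imap":
            # Cleartext IMAP without LOGINDISABLED accepts LOGIN unencrypted.
            if "LOGINDISABLED" not in output.upper():
                findings.append((port, "IMAP LOGIN accepted without TLS"))
    return open_ports, findings

if __name__ == "__main__":
    ports, issues = audit(SAMPLE_SCAN)
    print(f"{len(ports)} open TCP ports: {ports}")
    print("\n".join(f"  {p}/tcp: {issue}" for p, issue in issues))
```

An advertised VRFY verb only shows the command is offered; whether the server answers it for real addresses still depends on its configuration.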
