Nmap Lab 101

  • Very Easy
  • Released 10 Feb 2025

Learning Lab 101 - Walkthrough

A detailed step-by-step guide to solving the lab and capturing the flag.

Lab Overview

This lab introduces you to the basics of web server reconnaissance and accessing web content.

  • Platform: HackerDna
  • Lab Name: Learning Lab 101
  • Target IP: Provided in your lab environment
  • Objective: Find and capture the flag located in a file called flag.txt on a web server
Question: What command-line tool is commonly used to check the reachability of a host?
Answer: ping

The ping command sends ICMP echo request packets to the target and waits for ICMP echo reply packets, allowing you to verify if a host is reachable on the network.

Step 1: Installing and Using Nmap

What is Nmap? Nmap (Network Mapper) is a free tool used to discover computers and services on a network. It helps identify what ports are open and what services are running on a target system.

Question: What tool is commonly used to perform port scanning and identify open ports on a network?
Answer: Nmap

Nmap (Network Mapper) is widely used for network discovery and security auditing. It can identify open ports, determine what services are running, and even detect operating system information.

Installing Nmap

Before we can use Nmap, we need to install it on your computer:

For Windows Users
  1. Go to the Nmap Download Page (https://nmap.org/download.html)
  2. Download the latest "Self-installer" version
  3. Run the downloaded file and follow the installation prompts
  4. After installation, you can run Nmap from the Command Prompt or PowerShell
For Linux Users (Ubuntu/Debian)

Open a terminal and run:

sudo apt update
sudo apt install nmap -y
For MacOS Users

If you have Homebrew installed, open Terminal and run:

brew install nmap

If you don't have Homebrew, install it first by running the official installer script:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Note that this pattern downloads a script and executes it in one step. It is convenient, but it also means you run whatever the server sends; for anything other than a well-known source, download the script first and read it before running it.

Running Nmap

Now that Nmap is installed, let's use it to scan the target machine. Replace <target-ip> with the IP address provided in your lab:

nmap -sV -Pn <target-ip>

What does this command do?

  • nmap: The name of the program we're running
  • -sV: service/version detection. Nmap sends probes to each open port and matches the responses against its service fingerprints; without it, Nmap only guesses the service name from the port number
  • -Pn: skip host discovery and treat the target as online. By default Nmap first checks whether a host is alive (ICMP echo plus a few TCP probes) and does not port-scan hosts that fail that check
  • <target-ip>: This is where you put the IP address of the machine you're examining
Question: What Nmap flag is used to disable the ping check?
Answer: -Pn

The -Pn flag tells Nmap to assume the host is online and skip the initial host-discovery probes. This is useful when scanning hosts that block ICMP echo requests or when you're certain the host is online. The trade-off is that Nmap will then port-scan every address you give it, including ones where nothing is listening, so scans of unreachable hosts take much longer to finish.

Question: Does the target IP respond to ping?
Answer: No

In this scenario, we're using the -Pn flag because the target doesn't respond to ping. Many networks block ICMP echo requests (pings) for security reasons.

Understanding the Output

After running the command, you should see something like this:

Nmap scan report for <target-ip>
Host is up (0.0089s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.27.4

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.31 seconds

What does this tell us? A default scan covers Nmap's list of the 1000 most common TCP ports; 999 of them were closed and one, port 80, is open. Port 80 is the standard port for HTTP (web) traffic, so there is very likely a website running on this machine, and the -sV probe identified the server software as nginx 1.27.4. Two caveats when reading a report like this: with -Pn the "Host is up" line is assumed rather than measured, and the default scan says nothing about the roughly 64,000 ports it did not touch (use -p- if you need to scan them all).

Question: What port is open on the Target IP?
Answer: 80

Port 80 is the standard port for HTTP web traffic. This indicates there's a web server running on the target machine.
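The scan report above is written to be read by eye; as soon as you automate even a small lab like this one, you want the open ports as data. The following POSIX shell script, added here as an illustration and not part of the lab or of Nmap itself, parses a report in Nmap's normal output format and prints only the open ports. The report it works on is a constructed sample with the same shape as the one above, plus a filtered and a closed port to show that they are ignored; the address 10.0.0.5 is a placeholder. For real scans, prefer Nmap's machine-readable formats (-oG for grepable, -oX for XML) over scraping the human-readable table, whose layout may change between releases.

```shell
#!/bin/sh
# Added example, not from the lab page: pull the open ports out of an Nmap
# "normal" report so a script can act on them. The report below is a
# constructed sample shaped like the one in the walkthrough, with two extra
# non-open ports to show that they are skipped.

SAMPLE_REPORT='Nmap scan report for 10.0.0.5
Host is up (0.0089s latency).
Not shown: 997 closed ports
PORT    STATE    SERVICE VERSION
22/tcp  filtered ssh
80/tcp  open     http    nginx 1.27.4
443/tcp closed   https

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.31 seconds'

# open_ports: read a report on stdin and print "port/proto service version"
# for every row whose STATE is "open". Only port-table rows start with
# "<number>/<proto>", so anchoring on that shape skips the banner and the
# summary lines without any line counting.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        version = $4
        for (i = 5; i <= NF; i++) version = version " " $i
        print $1, $3, version
    }'
}

# port_is_open PORT: exit 0 when PORT/tcp is reported open in the report on
# stdin, so the check can sit directly in an "if".
port_is_open() {
    grep -q "^$1/tcp[[:space:]][[:space:]]*open"
}

# Stand-alone demonstration on the constructed report.
printf '%s\n' "$SAMPLE_REPORT" | open_ports
if printf '%s\n' "$SAMPLE_REPORT" | port_is_open 80; then
    echo "port 80 is open: browse to http://10.0.0.5/ or run: curl http://10.0.0.5/"
fi
```

To use it on a live scan, save the report with -oN and feed it in: nmap -sV -Pn -oN scan.txt <target-ip> && open_ports < scan.txt.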

Step 2: Exploring the Web Server

What is a Web Server? A web server is software that delivers web pages to users when they request them. When you visit a website, you're connecting to a web server.

Accessing the Website

Since we found that port 80 (HTTP) is open, we can access the website hosted on the target machine. There are two main ways to do this:

Method 1: Using a Web Browser
  1. Open any web browser (like Chrome, Firefox, Edge, or Safari)
  2. In the address bar, type http://<target-ip> (replace <target-ip> with the actual IP address)
  3. Press Enter to navigate to the website
Method 2: Using curl (Command Line)

What is curl? curl is a command-line tool for transferring data using various protocols, including HTTP.

Using curl

Open a terminal or command prompt and run:

curl http://<target-ip>

This command prints the HTML of the website's main page. Add -i (curl -i http://<target-ip>) to see the response headers as well; the Server header usually carries the same server name that Nmap reported.

What to Look For

When you access the website, you should see a link labeled "Access the Lab". This link will lead you directly to the flag file.

Step 3: Finding and Accessing the Flag

Accessing the Flag File

Click on the "Access the Lab" link or navigate directly to the flag file:

Using a Web Browser

Click on the "Access the Lab" link, or type in your browser's address bar:

http://<target-ip>/flag.txt
 
Using curl

In your terminal or command prompt, run:

curl http://<target-ip>/flag.txt

Capturing the Flag

The flag will be displayed in your browser or terminal. It will be in a UUID format, which looks something like this:

xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Copy this flag exactly as shown - it's case-sensitive and includes all dashes.
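Steps 2 and 3 chain together naturally: fetch the index page, find the "Access the Lab" link, fetch what it points at, and check that what came back looks like a UUID flag rather than an error page. The script below, added here as an example and not taken from the lab, does exactly that with curl and standard POSIX tools. The index page HTML and the UUID values in it are constructed samples, 10.0.0.5 is a placeholder address, and the sed-based link extraction is an assumption that is good enough for a one-link page, not a general HTML parser. Only fetch_lab_flag touches the network; everything else runs offline.

```shell
#!/bin/sh
# Added example, not from the lab page: Steps 2 and 3 as a script. The HTML
# below is a constructed stand-in for the lab's index page; fetch_lab_flag
# runs the real curl requests when you pass the target IP.

SAMPLE_INDEX='<html><body>
<h1>Learning Lab 101</h1>
<p><a href="/flag.txt">Access the Lab</a></p>
</body></html>'

# link_target TEXT: read HTML on stdin and print the href of the first <a>
# whose link text contains TEXT. Assumes the anchor and its text sit on one
# line and that TEXT holds no sed metacharacters; enough for this lab page,
# not a substitute for a real HTML parser.
link_target() {
    sed -n "s/.*<a[^>]*href=\"\([^\"]*\)\"[^>]*>[^<]*$1[^<]*<\/a>.*/\1/p" | head -n 1
}

# resolve_url BASE HREF: join a base URL and an href that is absolute,
# server-relative (/flag.txt) or page-relative (flag.txt).
resolve_url() {
    case "$2" in
        http://*|https://*) printf '%s\n' "$2" ;;
        /*)                 printf '%s%s\n' "${1%/}" "$2" ;;
        *)                  printf '%s/%s\n' "${1%/}" "$2" ;;
    esac
}

# is_uuid STRING: exit 0 when STRING has the 8-4-4-4-12 hex shape the lab
# describes. Used to tell a real flag from a 404 page or a directory listing
# before it gets copied anywhere.
is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# fetch_lab_flag TARGET_IP: the whole lab in one call.
#   -s  no progress meter     -f  fail on HTTP 4xx/5xx instead of printing them
#   -L  follow redirects      --max-time  give up on a hung server
fetch_lab_flag() {
    base="http://$1"
    page=$(curl -sfL --max-time 10 "$base/") || { echo "cannot fetch $base/" >&2; return 1; }
    href=$(printf '%s\n' "$page" | link_target "Access the Lab")
    [ -n "$href" ] || { echo "no 'Access the Lab' link on $base/" >&2; return 1; }
    flag=$(curl -sfL --max-time 10 "$(resolve_url "$base" "$href")" | tr -d '\r\n')
    if is_uuid "$flag"; then
        printf '%s\n' "$flag"
    else
        echo "unexpected content at $href: $flag" >&2
        return 1
    fi
}

# Offline demonstration on the constructed page.
href=$(printf '%s\n' "$SAMPLE_INDEX" | link_target "Access the Lab")
echo "the lab link resolves to $(resolve_url http://10.0.0.5 "$href")"
is_uuid "123e4567-e89b-12d3-a456-426614174000" && echo "a UUID-shaped flag passes the check"
is_uuid "<html>404 Not Found</html>" || echo "an error page does not"

# Live run against the lab: sh thisscript.sh <target-ip>
if [ $# -eq 1 ]; then
    fetch_lab_flag "$1"
fi
```

The shape check matters more than it looks: curl without -f happily prints an nginx error page with exit status 0, and a script that blindly copies its output will "capture" a flag that is really a 404.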

Troubleshooting

Problem: "nmap: command not found" (or the same message for curl)

This means the program isn't installed or isn't in your system's PATH. Follow the installation instructions above, and make sure to restart your terminal after installation.

Problem: The website doesn't load

  • Double-check the IP address you're using
  • Make sure you are not behind a proxy or a restricted network
  • Try running the nmap scan again to verify port 80 is open
  • Make sure you're using "http://" and not "https://" in the URL (only port 80 is open, so there is no HTTPS listener)

Problem: You can't find the flag

  • Try looking at the page source code (right-click on the page and select "View Page Source")
  • Check if there are any hidden links or directories (in this Lab, the link is in plain sight)
  • Make sure you're typing the filename correctly: flag.txt (all lowercase)

Key Takeaways

  • Port scanning with tools like Nmap helps identify what services are running on a target system.
  • Web servers (port 80) often contain accessible files and information that can be browsed directly.
  • Sometimes sensitive information (like our flag) is directly accessible through predictable URLs.
  • Both graphical (web browser) and command-line (curl) tools can be used to access web content.

Real-World Relevance: In actual security assessments, exposed sensitive files on web servers are a common vulnerability. Organizations should ensure that confidential information isn't directly accessible through predictable URLs.