  • Very Easy
  • Released 09 Mar 2025

Learning Lab 102 - Walkthrough

A step-by-step guide to solving the challenge and capturing the flags.

Challenge Overview

This challenge simulates a real-world scenario where you'll exploit vulnerabilities in a Linux system.

  • Platform: HackerDna
  • Challenge Name: Learning Lab 102
  • Target IP: Provided in your challenge environment
  • Objective: Capture two flags:
    • User Flag: Located in /home/user/flag-user.txt
    • Root Flag: Located in /root/flag-root.txt

Step 1: Reconnaissance with Nmap

Why Use Nmap? Nmap helps identify open ports and services on the target machine, revealing potential entry points.

Installing Nmap (if not already installed)

  • Linux: Run the following command:
    sudo apt update && sudo apt install nmap -y
  • Windows: Download and install from the Nmap Download Page.
  • macOS: Use Homebrew:
    brew install nmap

Running Nmap

Use Nmap to scan the target IP:

nmap -sV -Pn <target-ip>

Command Explanation:

  • -sV: Probes open ports to determine service/version info
  • -Pn: Treats all hosts as online, skipping host discovery

 

Expected Output:

PORT   STATE SERVICE VERSION
23/tcp open  telnet

Analysis: This output indicates that port 23 is open and running Telnet, a potential entry point.

Step 2: Connecting via Telnet

Why Try Telnet? With port 23 open, we can attempt to establish a connection. Telnet is insecure by design: it transmits all data, including credentials, in plaintext.

Connect using:

telnet <target-ip>

You may notice that no password is required to log in as "user". The prompt might look like this:

login: user
Welcome to Learning Lab 102!
$

Security Implication: The lack of password authentication is a significant security weakness: anyone who can reach port 23 gets an interactive shell as "user".

Step 3: Locating the User Flag

In Unix-like systems, user files are typically stored in their home directory. Check the contents of /home/user/:

ls /home/user/

Look for a file named "flag-user.txt". To view its contents, use:

cat /home/user/flag-user.txt

The output will be the user flag. Make sure to note it down.

Step 4: Privilege Escalation

To access root-level files, we need to escalate our privileges. Try switching to the root user:

su root

Deduction Process: In real-world scenarios, we might try common or default passwords. Here, try using "root" as the password.

If successful, your prompt will change to:

#

Security Implication: Weak or default root passwords are a critical vulnerability in any system.

Step 5: Capturing the Root Flag

The root user's files are typically in /root/. List the directory contents:

ls /root/

Look for "flag-root.txt". View its contents with:

cat /root/flag-root.txt

The output will be the root flag. Make sure to capture this flag.

Key Takeaways

  • Always start with thorough reconnaissance to identify potential vulnerabilities.
  • Be aware that default or weak credentials are common security flaws.
  • Understanding system file structures is crucial for efficient information gathering.
  • Privilege escalation often exploits misconfigurations or weak password policies.

Real-World Implications: While this challenge uses simplified scenarios, similar vulnerabilities can exist in poorly secured systems. Always prioritize robust security practices in real environments.
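
A check for the two conditions this walkthrough depends on (a cleartext login service exposed, and an account with an empty password field), as an added example that is not part of the original lab material. The function names and sample data are constructed, and the service list assumes the names used in nmap-services.

```shell
#!/bin/sh
# Added example: audit for the two weaknesses this lab relies on.
# Function names and all sample data below are constructed for illustration.

# Read `nmap -sV` normal output on stdin; print "port service" for each open
# port running a cleartext login/file service (names as in nmap-services).
cleartext_services() {
  awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
         svc = $3; sub(/\?$/, "", svc)   # nmap appends "?" when unsure
         if (svc ~ /^(telnet|ftp|login|shell|exec)$/) print $1, svc
       }'
}

# Read shadow(5)-format lines on stdin; print accounts whose password field
# is empty. Locked entries ("!" or "*") are non-empty and are not reported.
# Whether an empty field really permits login also depends on PAM settings.
empty_password_accounts() {
  awk -F: 'NF >= 2 && $1 != "" && $2 == "" { print $1 }'
}

# Run both checks; $1 = nmap output text, $2 = shadow-format text.
# Exit status is 0 only when nothing was found, so cron or CI can alert.
audit() {
  audit_svc=$(printf '%s\n' "$1" | cleartext_services)
  audit_acct=$(printf '%s\n' "$2" | empty_password_accounts)
  [ -n "$audit_svc" ] &&
    printf '%s\n' "$audit_svc" | sed 's/^/FINDING cleartext service: /'
  [ -n "$audit_acct" ] &&
    printf '%s\n' "$audit_acct" | sed 's/^/FINDING empty password: /'
  [ -z "$audit_svc$audit_acct" ]
}

# Constructed samples shaped like the lab: Telnet open, "user" has no password.
NMAP_SAMPLE='PORT   STATE  SERVICE VERSION
23/tcp open   telnet
80/tcp open   http
21/tcp closed ftp'
SHADOW_SAMPLE='root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
user::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:!:19000:0:99999:7:::'

if audit "$NMAP_SAMPLE" "$SHADOW_SAMPLE"; then
  echo "no findings"
else
  echo "findings present: disable Telnet and set or lock the listed accounts"
fi
```

On a host you administer, pass the text of an `nmap -sV -Pn` scan of that machine and the contents of /etc/shadow (read as root) in place of the two sample variables.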