This is the first in a series of walkthroughs for the ThunderDome multi-cloud Cyber Range from Pwned Labs. This post will guide you through capturing the first flag, "Emerge Through the Breach". In the process, I will cover various tools and techniques, illustrating that there are multiple ways to achieve an objective.
Beginners can benefit from replicating this tradecraft, and even pros might learn a new thing or two! Walkthroughs also give me the opportunity to solidify and refresh my own understanding of offensive security concepts.
Since all we have to start with is the IP address `44.208.228.94`, it makes sense to scan it and see what we find. Run `nmap`, `rustscan`, `masscan` or your port scanner of choice. You just need to run a tool with options that give you a reliable scan.
$ nmap -v -Pn -sCV -T4 -oN nmap.out 44.208.228.94
I'm not going to go into a lot of detail as there are plenty of Nmap tutorials out there and also the official docs.
- `v` - verbose output in real time
- `Pn` - skip host discovery (useful if ping requests are blocked)
- `sCV` - `C` - detect common vulnerabilities, `V` - detect versions
- `T4` - timing template - `T1` is slowest and stealthiest and `T5` is the most aggressive - fastest but noisiest and may overwhelm a host. Lower timings can provide more accurate results
- `oN` - normal output (as opposed to XML or `grep`able)
- `A` instead of `sCV` to give you OS versions (if detected) and `traceroute` output as well as what `sCV` provides

The Nmap output shows a few interesting things:

- `22`, `80` and `443` are open
- `HTTP` is being served on port `443`, which is not a standard configuration
- `44.208.228.94` resolves to `ec2-44-208-228-94.compute-1.amazonaws.com`
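The three observations above can be pulled out of the saved `nmap.out` file programmatically. The following is an added example, not part of the original walkthrough: the sample text is constructed to contain only the facts listed above, and the function names and the `EXPECTED` baseline are assumptions made for illustration.

```python
import re

# Constructed sample of `-oN` output, reduced to the lines the parser reads.
# Product/version columns are omitted because the walkthrough does not show them.
SAMPLE = """\
Nmap scan report for ec2-44-208-228-94.compute-1.amazonaws.com (44.208.228.94)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  http
"""

REPORT = re.compile(r"^Nmap scan report for (?:(\S+) \()?([\d.]+)\)?$")
PORT = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
EC2 = re.compile(
    r"^ec2-(\d+)-(\d+)-(\d+)-(\d+)\."
    r"(?:(compute-1)|([a-z0-9-]+)\.compute)\.amazonaws\.com$")
# Assumed baseline: the service name nmap usually reports on each port.
EXPECTED = {22: "ssh", 80: "http", 443: "ssl/http"}

def parse(text):
    """Return the scanned IP, its reverse-DNS name and open ports -> service."""
    host = {"ip": None, "rdns": None, "ports": {}}
    for line in text.splitlines():
        if m := REPORT.match(line):
            host["rdns"], host["ip"] = m.group(1), m.group(2)
        elif (m := PORT.match(line)) and m.group(3) == "open":
            host["ports"][int(m.group(1))] = m.group(4)
    return host

def ec2_region(rdns, ip):
    """Region encoded in an EC2 public DNS name, or None if not one / IP differs."""
    m = EC2.match(rdns or "")
    if not m or ".".join(m.group(1, 2, 3, 4)) != ip:
        return None
    return "us-east-1" if m.group(5) else m.group(6)  # compute-1 is us-east-1

def findings(host):
    """List services that differ from the baseline, plus the hosting hint."""
    notes = []
    for port, svc in sorted(host["ports"].items()):
        if port in EXPECTED and svc != EXPECTED[port]:
            notes.append(f"port {port}: {svc} (expected {EXPECTED[port]})")
    region = ec2_region(host["rdns"], host["ip"])
    if region:
        notes.append(f"EC2 public DNS name, region {region}")
    return notes
```

Nmap prefixes TLS-wrapped services with `ssl/`, so a bare `http` on port `443` is what marks the non-standard configuration.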