Kioptrix: Level 1.1 (#2) Writeup

Hello all.

You can download Kioptrix  from Vulnhub.

As always I started to enumerate with nmap:

Syrion:~ syrion$ nmap -sT -sV -p 1-65535
Starting Nmap 7.25BETA2 ( ) at 2017-01-07 00:18 CET
Nmap scan report for
Host is up (0.0014s latency).
Not shown: 65528 closed ports
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind  2 (RPC #100000)
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
631/tcp  open  ipp      CUPS 1.1
788/tcp  open  status   1 (RPC #100024)
3306/tcp open  mysql    MySQL (unauthorized)

Continue reading

LAMP Security CTF7 Writeup

Hello everyone. LAMP Security CTF7 was created by Mad Irish. You can find it on Vulnub or on root-me.

Ok let’s start to enumerate the services:

syrion@backbox:~$ nmap -sT -sV -p 1-65535

22/tcp    open   ssh         OpenSSH 5.3 (protocol 2.0)
80/tcp    open   http        Apache httpd 2.2.15 ((CentOS))
139/tcp   open   netbios-ssn Samba smbd 3.X (workgroup: MYGROUP)
901/tcp   open   http        Samba SWAT administration server
5900/tcp  closed vnc
8080/tcp  open   http        Apache httpd 2.2.15 ((CentOS))
10000/tcp open   http        MiniServ 1.610 (Webmin httpd)
Device type: general purpose|storage-misc|broadband router|media device|WAP

Continue reading

SkyDog 1 Writeup

Hello everyone, this is my solution for SkyDog 1. This CTF is very funny.

There are 6 flags :

  • Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)
  • Flag #2 When do Androids Learn to Walk?
  • Flag #3 Who Can You Trust?
  • Flag #4 Who Doesn’t Love a Good Cocktail Party?
  • Flag #5 Another Day at the Office
  • Flag #6 Little Black Box

Each flag is in the form of flag{MD5 Hash} such as flag{1a79a4d60de6718e8e5b326e338ae533.

Continue reading

Mr-Robot: 1 Writeup

Hello Friend,

This is my writeup for the CTF Mr-Robot 1 .

I ran nmap:

nmap -sT -sV -Pn

  • -sT: full TCP scan (complete Three-Way Handshake)
  • -sV: version of the services
  • -Pn: skip host discovery (I had problems with ICMP echo request packets)

Starting Nmap 7.25BETA2 ( ) at 2016-10-22 18:40 CEST
Nmap scan report for (
Host is up (0.0014s latency).
Not shown: 997 filtered ports
22/tcp closed ssh
80/tcp open http Apache httpd
443/tcp open ssl/http Apache httpd

I ran another nmap with “-p 1-65535” parameters on all ports, but nothing changed.

Continue reading

LAMP security CTF5 Writeup

LAMP security CTF5 is a funny and easy CTF with a lot of vulnerabilities. You can find info about it on .

I ran nmap to see which services were open:

Syrion:~ syrion$ sudo nmap -sT -sV -O

Starting Nmap 7.25BETA2 ( ) at 2016-10-13 22:39 CEST
Nmap scan report for (
Host is up (0.078s latency).
Not shown: 990 closed ports
22/tcp   open  ssh         OpenSSH 4.7 (protocol 2.0)
25/tcp   open  smtp        Sendmail 8.14.1/8.14.1
80/tcp   open  http        Apache httpd 2.2.6 ((Fedora))
110/tcp  open  pop3        ipop3d 2006k.101
111/tcp  open  rpcbind     2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X – 4.X (workgroup: MYGROUP)
143/tcp  open  imap        University of Washington IMAP imapd 2006k.396 (time zone: -0400)
445/tcp  open  netbios-ssn Samba smbd 3.X – 4.X (workgroup: MYGROUP)
901/tcp  open  http        Samba SWAT administration server
3306/tcp open  mysql       MySQL 5.0.45
Device type: WAP|general purpose|media device|broadband router|PBX
Running (JUST GUESSING): Linux 2.4.X|2.6.X (95%), Sony embedded (95%), Starbridge Networks embedded (95%), Asus embedded (94%), Cisco embedded (94%)
OS CPE: cpe:/o:linux:linux_kernel:2.4.30 cpe:/o:linux:linux_kernel:2.6.27 cpe:/o:sony:smp-n200 cpe:/o:linux:linux_kernel:2.6 cpe:/h:starbridge_networks:1531 cpe:/h:asus:rt-ac66u cpe:/h:asus:rt-n16 cpe:/h:cisco:uc320
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (95%), Linux 2.6.27 (95%), Linux 2.6.9 – 2.6.27 (95%), Sony SMP-N200 media player (95%), Linux 2.6.21 (95%), Starbridge Networks 1531 wireless ASDL modem (95%), Linux 2.6.18 (95%), Tomato 1.28 (Linux 2.6.22) (95%), Asus RT-AC66U router (Linux 2.6) (94%), Asus RT-N16 WAP (Linux 2.6) (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 15 hops
Service Info: Hosts: localhost.localdomain,; OS: Unix
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 28.66 seconds

Continue reading

LAMP security CTF4 Writeup

Hi everyone. This is my solution for LAMP security CTF4. This CTF is very easy, you can download it from or play online on I did it on root-me, therefore my target was

Ok let’s start, i ran nmap to see which services were open (usually I run a second scan with “-p 1-65535” parameter to identify all the ports).

Syrion:~ syrion$ sudo nmap -sT -sV -O
Starting Nmap 7.25BETA2 ( ) at 2016-10-07 21:19 CEST
Nmap scan report for (
Host is up (0.040s latency).
Not shown: 727 closed ports, 270 filtered ports
22/tcp open tcpwrapped
25/tcp open tcpwrapped
80/tcp open tcpwrapped
Device type: general purpose|WAP
Running (JUST GUESSING): OpenBSD 4.X (88%), Apple embedded (87%), FreeBSD 6.X (87%)
OS CPE: cpe:/o:openbsd:openbsd:4.0 cpe:/h:apple:airport_extreme cpe:/o:freebsd:freebsd:6.2
Aggressive OS guesses: OpenBSD 4.0 (88%), Apple AirPort Extreme WAP (87%), FreeBSD 6.2-RELEASE (87%), FreeBSD 6.3-RELEASE (87%), OpenBSD 4.3 (87%)
No exact OS matches for host (test conditions non-ideal).

At this point I used netcat to verify the services on the three open ports. As excepted:

  • SSH on 22
  • SENDMAIL on 25
  • HTTP on 80

Continue reading