Network Discovery — Scan-ta Clause | Advent of Cyber 2025 Day 7 | Writeup | kidnapshadow

Access the room: https://tryhackme.com/room/networkservices-aoc2025-jnsoqbxgky



This lab is all about exploring network discovery and reconnaissance with Nmap. The goal is to scan a target machine, find open ports and running services, and uncover hidden directories and files. In this scenario, you’ll be investigating a suspicious host to spot potential vulnerabilities and backdoors.


Christmas preparations are delayed — HopSec has breached our QA environment and locked us out! Without it, the TBFC projects can’t be tested, and our entire SOC-mas pipeline is frozen. To make things worse, the server is slowly transforming into a twisted EAST-mas node.

Can you uncover HopSec’s trail, find a way back into tbfc-devqa01, and restore the server before the bunny’s takeover is complete? For this task, you’ll need to check every place to hide, every open port that the bunnies left unprotected. Good luck!

Learning Objectives

  • Learn the basics of network service discovery with Nmap
  • Learn core network protocols and concepts along the way
  • Apply your knowledge to find a way back into the server

Initial Setup

Start the target machine and connect to it. Ensure you have access to the AttackBox for running reconnaissance tools.


Discovering Exposed Services

Although we lost access to the QA server, at least it’s still active, and we know its IP address. That’s good news, since now we can counterattack and hopefully find our way back. Ensure you understand basic Networking Concepts like network ports, and let’s plan the engagement!

  1. Know your target. In our case, it is the tbfc-devqa01 server with the IP address 10.49.133.56.
  2. Scan the IP for open ports, especially common ones like 22 for SSH and 80 for HTTP.
  3. Explore what’s behind the open ports; maybe it’s a vulnerable web server running on port 80.
  4. Exploit the exposed service, find a way in, and kick the bad bunnies out of the QA server.

Simple Network Scanning with nmap

nmap <target_ip>

The command scanned the 1000 most common ports to check for active services. The only findings were an open SSH port for remote access and an HTTP port for a website.


Scanning Whole Range

It seems like the website has been defaced by the bad bunnies, and we don’t know the key to enter the admin panel! But worry not. We scanned just 1000 ports, but there are actually 65535 ports where other services can hide! Now let’s add the -p- argument to scan all ports, and --script=banner to see what is likely behind each port:

nmap -p- --script=banner <target_ip>

It looks like we found a running FTP server and some custom TBFC application. Even though FTP runs on port 21 by default, it’s possible to change the port to any other one, such as 21212. Let’s try accessing the FTP server in anonymous mode with the ftp command and see if we can find our way in! You can follow the commands from the terminal below:

ftp <target_ip> 21212

Now we will use the following command to fetch the key from the tbfc_qa_key1 file and print it straight to the terminal:

get tbfc_qa_key1 -

KEY1: 3aster_

Port Scan Modes

There is nothing more we can see on the FTP server, so let’s move on to the custom TBFC app on port 25251. Since it is not a well-known service like HTTP or FTP, your web browser or FTP client won’t know how to access it. Luckily, we can always use Netcat (nc), a universal tool to interact with network services:

nc -v <target_ip> 25251

KEY2: 15_th3_


Once we have received the key, press CTRL+C to exit the Netcat client.

TCP and UDP Ports

But where should we look for the third one? So far, we have scanned only TCP ports, but there are also 65535 ports for UDP, another transport protocol. And there is a chance HopSec’s secrets are hiding there, too! You can switch to a UDP scan by specifying the -sU flag:

nmap -sU <target_ip>

After a minute, we spot an open port 53 linked to DNS—a protocol that powers the modern web by connecting domains to IP addresses and much more! DNS is a complex topic and many secrets can hide there, but let’s just ask the DNS server if it knows the key by using dig, a command for performing advanced DNS queries:

dig @<target_ip> TXT key3.tbfc.local +short

KEY3: n3w_xm45

Accessing the Server’s Admin Panel

Now that we have all three fragments of the passphrase, we combine them to get the access code:

3aster_15_th3_n3w_xm45


Listing Listening Ports

Once we have access to the console, there is no need to scan the ports, as we can simply ask the OS to list its open ports, also called listening ports. We can do it by running ss -tunlp (or netstat on older systems) inside the Secret Admin Console of the web app. In the output, you may see exactly the same services you scanned before listening on 0.0.0.0, but also some listening on 127.0.0.1 (available only from the host itself):


With root permissions, we can also view the process column. However, for now, let’s focus on port 3306, which is the default MySQL database port. Usually databases require a password for remote clients, but allow unauthenticated logins from localhost. Since we are already inside the host, let’s see the database content by using the mysql program:

mysql -D tbfcqa01 -e "show tables;"
mysql -D tbfcqa01 -e "select * from flags;"
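As an added example (not part of the original writeup), here is a small shell helper that sorts ss -tunlp style output into externally reachable listeners (bound to a wildcard address) and loopback-only ones such as the MySQL port above. The sample output embedded in the script is constructed for illustration, not captured from the lab host.

```shell
#!/bin/sh
# Constructed sample in the shape of `ss -tunlp` output (not real lab output).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:53        0.0.0.0:*     users:(("named",pid=611,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=702,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*     users:(("apache2",pid=810,fd=4))
tcp   LISTEN 0      5      0.0.0.0:21212     0.0.0.0:*     users:(("vsftpd",pid=850,fd=3))
tcp   LISTEN 0      10     0.0.0.0:25251     0.0.0.0:*     users:(("tbfc_app",pid=901,fd=3))
tcp   LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*     users:(("mysqld",pid=955,fd=20))'

# classify_listeners: reads ss-style lines on stdin and prints one line per socket:
#   <scope> <netid>/<port> <process>
# scope is "local" for loopback binds (127.0.0.1 / [::1]) and "external" for
# anything else (0.0.0.0, [::], a specific interface address), i.e. reachable
# from other hosts and therefore visible to an nmap scan like the ones above.
classify_listeners() {
  awk 'NR > 1 {
    n = split($5, a, ":"); port = a[n]
    addr = substr($5, 1, length($5) - length(port) - 1)
    scope = (addr == "127.0.0.1" || addr == "[::1]") ? "local" : "external"
    proc = "-"
    # process name sits inside users:(("name",pid=...)); take the quoted name
    if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
    print scope, $1 "/" port, proc
  }'
}

# count_external: how many sockets other hosts can reach (the nmap-visible surface)
count_external() {
  printf '%s\n' "$SAMPLE_SS" | classify_listeners | grep -c '^external'
}

# local_only_ports: sockets that exist only for the host itself, e.g. MySQL on 3306
local_only_ports() {
  printf '%s\n' "$SAMPLE_SS" | classify_listeners | awk '$1 == "local" { print $2 }'
}

# Stand-alone run: show the full classification of the sample.
printf '%s\n' "$SAMPLE_SS" | classify_listeners
```

On a real host, replace the sample with `ss -tunlp | classify_listeners` to see which services an external scanner can reach and which only a local foothold could use.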

Finally, we found our flag!!!

THM{4ll_s3rvice5_d1sc0vered}

Answers to the THM Lab

1. What evil message do you see on top of the website?

Pwned by HopSec

2. What is the first key part found on the FTP server?

3aster_

3. What is the second key part found in the TBFC app?

15_th3_

4. What is the third key part found in the DNS records?

n3w_xm45

5. Which port was the MySQL database running on?

3306

6. Finally, what’s the flag you found in the database?

THM{4ll_s3rvice5_d1sc0vered}
