TryHackMe: Dig Dug

Introduction

Challenge Name: Dig Dug

Difficulty: (Super) Easy

Nmap Scan

TCP Scan

Command :

$ sudo nmap -A -T4 --open -p- 10.10.237.159 -oN DigDug.nmap

Output :

# Nmap 7.92 scan initiated Thu Sep 15 01:04:24 2022 as: nmap -A -T4 --open -p- -oN DigDug.nmap 10.10.237.159
Nmap scan report for 10.10.237.159
Host is up (0.16s latency).
Not shown: 65275 closed tcp ports (reset), 259 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 22:7a:db:6b:1a:7f:a3:2a:d6:6d:d6:63:d5:1c:cd:8a (RSA)
|   256 c7:2d:9e:8b:7a:9d:0a:5d:0c:fe:da:b6:d2:1f:d9:84 (ECDSA)
|_  256 72:31:2e:01:2d:c3:22:66:4d:7d:ed:42:a4:65:4b:4d (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=9/15%OT=22%CT=1%CU=44116%PV=Y%DS=5%DC=T%G=Y%TM=63222D1
OS:1%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=2%ISR=10E%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST1
OS:1NW7%O6=M506ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN
OS:(R=Y%DF=Y%T=40%W=F507%O=M506NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 5 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   38.77 ms  10.17.0.1
2   ... 4
5   161.89 ms 10.10.237.159

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 15 01:05:45 2022 -- 1 IP address (1 host up) scanned in 80.98 seconds

The TCP scan only turned up SSH on port 22, which is no use without credentials, so it is time to move on to UDP.

UDP Scan

Command :

$ sudo nmap -sU --open 10.10.237.159 -oN DigDugUDP.nmap

Output :

# Nmap 7.92 scan initiated Thu Sep 15 01:07:54 2022 as: nmap -sU --open -oN DigDugUDP.nmap 10.10.237.159
Nmap scan report for 10.10.237.159
Host is up (0.17s latency).
Not shown: 997 closed udp ports (port-unreach)
PORT      STATE         SERVICE
53/udp    open          domain
68/udp    open|filtered dhcpc
49153/udp open|filtered unknown

# Nmap done at Thu Sep 15 01:25:01 2022 -- 1 IP address (1 host up) scanned in 1026.77 seconds

UDP port 53 is open, so the target is running a DNS server that we can query directly. The two open|filtered ports only mean nmap got no reply at all; without a response it cannot tell an open UDP service from a silently dropped packet, which is also why UDP scanning is so slow (this scan of the top 1000 ports took about 17 minutes).

Fetching The Flag

It turns out that querying the hinted domain against the target nameserver with a tool like dig reveals the flag in a TXT record. Note that dig asks for an A record by default (see the question section below), yet the authoritative server (flags: aa) answers with a TXT record anyway, so the flag comes back without explicitly requesting the TXT type.

$ dig @10.10.237.159 givemetheflag.com

; <<>> DiG 9.18.6 <<>> @10.10.237.159 givemetheflag.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21501
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;givemetheflag.com.		IN	A

;; ANSWER SECTION:
givemetheflag.com.	0	IN	TXT	"flag{xxxx-xxxx-xxxx-xxxx-xxxx}"

;; Query time: 199 msec
;; SERVER: 10.10.237.159#53(10.10.237.159) (UDP)
;; WHEN: Thu Sep 15 01:38:59 IST 2022
;; MSG SIZE  rcvd: 86
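To show what dig is actually doing on the wire, here is a minimal DNS client added to this writeup (it is not part of the original post or of the challenge): it builds the query packet by hand, parses the reply, checks the transaction ID, and pulls out TXT records. The server address and domain are the ones above; the reply bytes it parses are constructed here with a placeholder flag so it runs offline, and `query()` sends the same packet to a real server if the box is running.

```python
import socket
import struct

QTYPE = {"A": 1, "TXT": 16, "ANY": 255}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    # "givemetheflag.com" -> b"\x0dgivemetheflag\x03com\x00" (length-prefixed labels)
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234):
    """12-byte header (flags 0x0100 = recursion desired) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2           # the field itself ends after the pointer
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(data, expected_txid=None):
    """Return (rcode, answers) with answers as (name, type, ttl, value) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    offset = 12
    for _ in range(qd):                    # skip the echoed question section
        _, offset = decode_name(data, offset)
        offset += 4                        # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE["TXT"]:          # TXT rdata: one or more <len><chars> strings
            strings, i = [], 0
            while i < len(rdata):
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("utf-8", "replace"))
                i += 1 + n
            value = "".join(strings)
        else:
            value = rdata.hex()
        answers.append((name, QTYPE_NAME.get(rtype, rtype), ttl, value))
    return flags & 0x000F, answers


def txt_records(answers):
    """Just the TXT values, which is where this challenge hides the flag."""
    return [v for _, t, _, v in answers if t == "TXT"]


def query(server, name, qtype="A", timeout=3.0):
    """Live lookup over UDP/53 (needs network access to the target)."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, expected_txid=struct.unpack("!H", q[:2])[0])


# Constructed reply standing in for the target's answer: flags 0x8400 (qr, aa),
# the echoed A question, and one TXT record whose name is a pointer to offset 12.
FLAG_PLACEHOLDER = "flag{xxxx-xxxx-xxxx-xxxx-xxxx}"
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
    + encode_name("givemetheflag.com") + struct.pack("!HH", QTYPE["A"], 1)
    + b"\xc0\x0c"
    + struct.pack("!HHIH", QTYPE["TXT"], 1, 0, len(FLAG_PLACEHOLDER) + 1)
    + bytes([len(FLAG_PLACEHOLDER)]) + FLAG_PLACEHOLDER.encode()
)

if __name__ == "__main__":
    print(txt_records(parse_response(SAMPLE_RESPONSE, expected_txid=0x1234)[1]))
    # Live: print(txt_records(query("10.10.237.159", "givemetheflag.com")[1]))
```

`build_query()` defaults to type A to mirror what dig sent above; pass `"TXT"` to ask for the record type explicitly. The transaction ID check in `parse_response()` is the one piece of client-side protection plain UDP DNS has against a forged reply, which is why a real resolver randomises it (and the source port) rather than using a fixed value like this demo.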