IP Address

❯ fping -aqg 10.0.0.0/24
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.178

Nmap Scan

❯ nmap -sC -sV -p- -oN nmap.log 10.0.0.178
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-10 19:13 +0545
Nmap scan report for 10.0.0.178
Host is up (0.0013s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 93a49255722b9b4a52665cafa9833cfd (RSA)
|   256 1ea7440b2c1b0d7783df1d9f0e30084d (ECDSA)
|_  256 d0fa9d7677426f91d3bdb54472a7c971 (ED25519)
19513/tcp open  tcpwrapped
44847/tcp open  tcpwrapped
56116/tcp open  tcpwrapped
62077/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I used netcat to see what those ports were serving, but the connections were refused.

❯ nc 10.0.0.178 19513
Ncat: Connection refused.
❯ nc 10.0.0.178 44847
Ncat: Connection refused.

So I ran Nmap again, and this time it reported different ports.

❯ nmap -sC -sV -p- -oN nmap.log 10.0.0.178
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-10 19:14 +0545
Nmap scan report for 10.0.0.178
Host is up (0.00096s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 93a49255722b9b4a52665cafa9833cfd (RSA)
|   256 1ea7440b2c1b0d7783df1d9f0e30084d (ECDSA)
|_  256 d0fa9d7677426f91d3bdb54472a7c971 (ED25519)
20687/tcp open  tcpwrapped
38674/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

So a service on the host was listening on a random ephemeral port that changes over time, which is why the ports from the first scan had already closed by the time I tried to connect to them.

Connect to a random port

We can use netcat to see the response after connecting to the port. netcat can also connect to a range of ports. However, I normally use ncat, which doesn't support this feature, so I used nc.traditional instead.

❯ nc.traditional -nv 10.0.0.178 1024-65535
(UNKNOWN) [10.0.0.178] 20768 (?) open
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452  .PNG........IHDR
00000010: 0000 013f 0000 0085 0806 0000 002d 80ff  ...?.........-..
00000020: 0c00 0000 0173 5247 4200 aece 1ce9 0000  .....sRGB.......
00000030: 0004 6741 4d41 0000 b18f 0bfc 6105 0000  ..gAMA......a...
00000040: 0009 7048 5973 0000 0ec3 0000 0ec3 01c7  ..pHYs..........
00000050: 6fa8 6400 0007 de49 4441 5478 5eed dbf7  o.d....IDATx^...
00000060: 9314 4518 c671 ffff 1f2d ab2c 73c0 9cb0  ..E..q...-.,s...
00000070: 0c08 7292 0491 2092 8380 08e2 09ca c1a1  ..r... .........
00000080: 2248 7aed c799 2ea7 a67a 6f7b c3ed edf2  "Hz......zo{....
00000090: 7c3f 5553 1c7d bdd3 d361 9f09 bbf7 5400  |?US.}...a....T.
000000a0: 8021 c20f 8025 c20f 8025 c20f 8025 c20f  .!...%...%...%..
000000b0: 8025 c20f 8025 c20f 8025 c20f 8025 c20f  .%...%...%...%..
000000c0: 8025 c20f 8025 c20f 8025 c20f 8025 c20f  .%...%...%...%..
# Redacted

We get a hexdump that starts with the PNG signature (the “PNG” visible in the ASCII column), so the service is sending a hexdump of a PNG image.

We can decode the hexdump back into the image as follows. I copied the hexdump output to a file named hexdump.

❯ xxd -r hexdump > photo.png

Opening the photo gives us the username and the password.
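As an added example (not part of the original writeup), here is a Python version of the decode step: it reverses an xxd-style dump the way `xxd -r` does, skipping netcat's status line, and then checks the PNG signature and the IHDR chunk so a mangled or truncated copy is noticed before the file is opened. The sample dump is constructed inline from the first three lines of the dump above; the regex assumes xxd's default column layout.

```python
import re
import struct
import zlib

# Constructed sample: the first dump lines the service sent, preceded by the status
# line nc.traditional prints, which is not part of the image and must be skipped.
SAMPLE_DUMP = """\
(UNKNOWN) [10.0.0.178] 20768 (?) open
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452  .PNG........IHDR
00000010: 0000 013f 0000 0085 0806 0000 002d 80ff  ...?.........-..
00000020: 0c00 0000 0173 5247 4200 aece 1ce9 0000  .....sRGB.......
"""

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# offset, colon, hex pairs (xxd groups them in fours); the ASCII column is left unmatched
XXD_LINE = re.compile(r"^([0-9a-fA-F]+):\s*((?:[0-9a-fA-F]{2} ?)+)")


def reverse_hexdump(text: str) -> bytes:
    """Rebuild bytes from an xxd-style dump, as `xxd -r` does: each line is written
    at the offset it declares, and lines that are not dump lines are ignored."""
    out = bytearray()
    for line in text.splitlines():
        m = XXD_LINE.match(line)
        if not m:
            continue  # e.g. netcat's "(UNKNOWN) ... open" line or a "# Redacted" marker
        offset = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2).replace(" ", ""))
        if len(out) < offset:
            out.extend(b"\x00" * (offset - len(out)))  # zero-fill gaps, like xxd -r
        out[offset:offset + len(chunk)] = chunk
    return bytes(out)


def parse_png_header(data: bytes) -> dict:
    """Confirm the PNG signature and decode the IHDR chunk that must follow it,
    reporting whether its CRC matches so a truncated or mangled dump is noticed."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: signature mismatch")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    body = data[16:29]
    (stored_crc,) = struct.unpack(">I", data[29:33])
    width, height, depth, colour = struct.unpack(">IIBB", body[:10])
    return {"width": width, "height": height, "bit_depth": depth,
            "colour_type": colour, "crc_ok": zlib.crc32(ctype + body) == stored_crc}


if __name__ == "__main__":
    print(parse_png_header(reverse_hexdump(SAMPLE_DUMP)))
```

On the dump above this reports a 319x133 image with 8-bit RGBA pixels (colour type 6), which is the sort of sanity check worth doing before trusting any file pulled off an unknown service.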