Scanners
Challenge:
Luciafer started the hack of the Lytton Labs victim by performing a port scan.
Which TCP ports are open on the victim's machine? Enter the flag as the open ports, separated by commas, no spaces, in numerical order. Disregard port numbers >= 16384.
Example: flag{80,110,111,143,443,2049}
Use the PCAP from LYTTON LABS 01 - Monstrum ex Machina.
Solution:
During the Monstrum ex Machina challenge we identified Luciafer's machine as 192.168.100.106 and the victim's as 192.168.100.103. Using the same Zeek logs generated during that challenge, we searched conn.log for connections to the victim's machine with the RSTO connection state (connection established, originator aborted).
$ cat conn.log | zeek-cut proto id.orig_h id.resp_h id.resp_p conn_state | grep -F "192.168.100.103" | grep RSTO | sort -u
tcp 192.168.100.106 192.168.100.103 135 RSTO
tcp 192.168.100.106 192.168.100.103 139 RSTO
tcp 192.168.100.106 192.168.100.103 21 RSTO
tcp 192.168.100.106 192.168.100.103 3389 RSTO
tcp 192.168.100.106 192.168.100.103 445 RSTO
The accepted flag was flag{21,135,139,445,3389}
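
The same triage as a script, added here as an example and not part of the original solution: it reads the #fields header of a Zeek conn.log, keeps TCP connections from the scanner to the victim, applies the challenge's port cut-off, and sorts the open ports numerically (the sort -u output above is in lexical order). The function names, the set of conn_state values treated as "established", and the sample log are assumptions made for this example.

```python
from collections import defaultdict

# Constructed Zeek conn.log excerpt (tab-separated, columns trimmed); not taken from the challenge PCAP.
SAMPLE_CONN_LOG = """\
#fields\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tconn_state
192.168.100.106\t192.168.100.103\t135\ttcp\tRSTO
192.168.100.106\t192.168.100.103\t139\ttcp\tRSTO
192.168.100.106\t192.168.100.103\t21\ttcp\tRSTO
192.168.100.106\t192.168.100.103\t3389\ttcp\tRSTO
192.168.100.106\t192.168.100.103\t445\ttcp\tRSTO
192.168.100.106\t192.168.100.103\t22\ttcp\tREJ
192.168.100.106\t192.168.100.103\t80\ttcp\tREJ
192.168.100.106\t192.168.100.103\t23\ttcp\tS0
192.168.100.106\t192.168.100.103\t49152\ttcp\tRSTO
192.168.100.105\t192.168.100.103\t8080\ttcp\tSF
"""

# conn_state values Zeek documents as "connection established" (assumed set for this example).
ESTABLISHED = {"SF", "S1", "S2", "S3", "RSTO"}

def parse_conn_log(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def classify_ports(text, scanner, victim, port_limit=16384):
    """Group the victim's TCP ports below port_limit by how it answered the scanner."""
    result = defaultdict(set)
    for rec in parse_conn_log(text):
        if (rec["proto"], rec["id.orig_h"], rec["id.resp_h"]) != ("tcp", scanner, victim):
            continue
        port = int(rec["id.resp_p"])
        if port >= port_limit:
            continue  # the challenge says to disregard ports >= 16384
        state = rec["conn_state"]
        kind = "open" if state in ESTABLISHED else "closed" if state == "REJ" else "other"
        result[kind].add(port)
    return {kind: sorted(ports) for kind, ports in result.items()}

def flag(ports):
    """Format ports the way the challenge expects: comma-separated, no spaces."""
    return "flag{" + ",".join(str(p) for p in ports) + "}"

if __name__ == "__main__":
    print(flag(classify_ports(SAMPLE_CONN_LOG, "192.168.100.106", "192.168.100.103")["open"]))
```
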
