Luciafer started the hack of the Lytton Labs victim by performing a port scan.

Which TCP ports are open on the victim's machine? Enter the flag as the open ports, separated by commas, no spaces, in numerical order. Disregard port numbers >= 16384.

Example: flag{80,110,111,143,443,2049}

Use the PCAP from LYTTON LABS 01 - Monstrum ex Machina.


During the Monstrum ex Machina challenge we identified the Luciafer's machine as and the victim's as Using the same Zeek logs generated during that challenge we searched the conn.log for RSTO connection state events (connection established, originator aborted) to the victim's machine.

$ cat conn.log | zeek-cut proto id.orig_h id.resp_h id.resp_p conn_state | grep -F "" | grep RSTO | sort -u
tcp	135	RSTO
tcp	139	RSTO
tcp	21	RSTO
tcp	3389	RSTO
tcp	445	RSTO

The accepted flag was, flag{21,135,139,445,3389}



Leave a comment