Nmap Output Interpretation — OS + Vuln Services

Easy Reconnaissance · 20 min

Nmap Output Interpretation

Scenario

You have run `nmap -A -sV -p- 10.10.42.7` against an in-scope target during a VAPT engagement. The output is in the right pane.

Your job: read the output and identify:

  1. The OS family (lowercase one-word, e.g. linux, windows, freebsd)
  2. The three services running with known publicly-disclosed CVEs (alphabetical, lowercase service names — e.g. apache, openssh, vsftpd)

Answer format

<os>:<service1>,<service2>,<service3>

All lowercase. Services in alphabetical order, comma-separated, no spaces.

Example shape (NOT the correct answer):

linux:apache,openssh,vsftpd

Tips

  • The `-sV` flag prints exact version strings. CVE-vulnerable versions to know cold:
      ◦ vsftpd 2.3.4 — RCE backdoor (CVE-2011-2523)
      ◦ ProFTPD 1.3.5 — mod_copy RCE (CVE-2015-3306)
      ◦ Samba 3.0.20 — username map script RCE (CVE-2007-2447)
      ◦ Apache 2.2.8 — multiple disclosures incl. Range header DoS
      ◦ OpenSSL 0.9.8 — too many to list (use anything modern)
      ◦ MySQL 5.0.51 — auth bypass + privilege escalation
  • The OS family fingerprint is in the `OS details:` line near the bottom.
  • Not every service shown is vulnerable — match version strings carefully.
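
The matching described in the tips, as an added example that is not part of the lab: it reads `-sV` rows, compares version strings exactly against the list above, and builds the answer format. The scan text is constructed (it is not the lab's output), the function names are illustrative, and treating a letter-suffixed version as a different version is this sketch's assumption.

```python
import re

# Product/version pairs the Tips list marks as CVE-bearing. OpenSSL is left
# out: it is a library, so this sketch assumes it has no service row of its own.
KNOWN_VULNERABLE = {
    ("vsftpd", "2.3.4"): "CVE-2011-2523",
    ("proftpd", "1.3.5"): "CVE-2015-3306",
    ("samba", "3.0.20"): "CVE-2007-2447",
    ("apache", "2.2.8"): "multiple disclosures",
    ("mysql", "5.0.51"): "auth bypass + privilege escalation",
}
OS_FAMILIES = ("linux", "windows", "freebsd")  # families named in the scenario
# Only rows for open ports that carry a VERSION column are considered.
PORT_ROW = re.compile(r"^\d+/(?:tcp|udp)[ \t]+open[ \t]+\S+[ \t]+(.+)$", re.M)

# Constructed sample output, not the lab's scan.
SAMPLE_SCAN = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.5
22/tcp   open  ssh         OpenSSH 8.9p1 Ubuntu 3 (protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.57 ((Ubuntu))
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian
3306/tcp open  mysql       MySQL 5.0.51
OS details: Linux 3.X
"""

def flagged_services(scan_text):
    """Return {service: note} for open ports whose version matches exactly."""
    hits = {}
    for banner in PORT_ROW.findall(scan_text):
        for (product, version), note in KNOWN_VULNERABLE.items():
            # Take the first full version token after the product name, with
            # any trailing letter, so 2.3.40 or 1.3.5e never match by prefix.
            m = re.search(rf"\b{product}\b.*?(\d+(?:\.\d+)+[a-z]?)", banner, re.I)
            if m and m.group(1).lower() == version:
                hits[product] = note
    return hits

def os_family(scan_text):
    """Return the lowercase OS family from the 'OS details:' line, or None."""
    m = re.search(r"^OS details:\s*(.+)$", scan_text, re.M)
    if not m:
        return None
    details = m.group(1).lower()
    return next((f for f in OS_FAMILIES if f in details), details.split()[0])

def lab_answer(scan_text):
    # <os>:<service1>,<service2>,... with services in alphabetical order
    return f"{os_family(scan_text)}:{','.join(sorted(flagged_services(scan_text)))}"

print(lab_answer(SAMPLE_SCAN))  # linux:mysql,proftpd,samba
```

Apache 2.4.57 and OpenSSH appear in the sample but are not flagged, which is the "match version strings carefully" point from the last tip.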

Hints

Hint 1 (−10 pts)

Search the output for keywords: `vsftpd`, `Samba`, `Apache`, `MySQL`, `ProFTPD`. Three of these have CVE-bearing versions in the scan.

Hint 2 (−10 pts)

vsftpd 2.3.4 = backdoor RCE. Samba 3.0.20 = username-map RCE. Apache 2.2.8 = multiple. The OS line near the bottom says "Linux 3.x".

Hint 3 (−10 pts)

Full answer: linux:apache,samba,vsftpd
