Nmap Basics 1.3 Challenge - Can't find flag for 5

Hi,


I believe the answer is "N***s" but I can’t get the version number no matter what commands I chuck through nmap. I know the OS too but this hasn’t helped me much.

Not sure if there’s something going on with the labs or I’m missing something here but I’m really struggling to get this flag.

Here’s a slight hint: sxxxxxxxd4.x.x used to share files.

Is this on the hidden host: 172.16.0.16?

Because I can’t find anything other than port 12345, that I think has something to do with Netbus?

Did you enumerate port 12345 with -A ?

I think I did try that, but the scan would have taken at least an hour or so to complete.

I also remember trying something where the scan just timed out altogether.

I’m not sure but everything felt too slow to do a practical exercise with but maybe I was doing something wrong - it’s very possible! Also the actual lab was just way more laggy than usual.

I did get the flag thanks to your hint and some research though!

Hello @MAGNETRON, I have been trying to find a solution, but it seems to be out of my understanding.

I kindly request you to guide me through this step, many thanks.

1 Like

Try this one:

[redacted]

answer:

[redacted]

2 Likes

I did that and was getting a legitimate “?”. I was crashing out.

How can I see what you wrote? It says [censored]

They had posted the nmap command used to get the answer, as well as the answer itself. This was redacted, as sharing answers is not permitted.

Could you give a little bit more of a hint?

Hey there - I’ll assume you’re referring to Question 5 of the Nmap Basics Challenge Exercise, since that’s the name of this thread.

To get to the answer for Question 5, you will first need to find the hidden host. As the instructions explain, the way to do this is to run a SYN stealth scan with ping scanning disabled.

Once you have the IP address for the hidden host, you will need to run a TCP connect scan on port 12345 of the host. Doing this will activate additional hidden ports. Run another scan to see these ports.

Once you have the port numbers for the hidden ports, you will need to run a service scan on each one. The port that does not return a ? in the version field will have the answer for Question 5.

1 Like

Thanks a lot! I finally got it.

I have tried everything here exactly as you said and I still did not get any other port. Can you please help me?

Which commands are you using? As noted above, once you have the hidden host’s IP address, you need to run a TCP connect scan on that IP address, specifying port 12345. Be sure to skip host discovery again - same as when you initially discovered the hidden host.

Once you’ve done that, you can run another TCP connect scan without specifying a port, and nmap should return 4 new ports.

I’m using `sudo nmap -Pn -sV -T5 {IP} -p 12345` to find the service “?”
and then `sudo nmap -Pn -T5 {IP}` to discover the new ports.
What am I doing wrong?

You shouldn’t be using -sV or -T5 here. -sV runs a service detection scan, and the instruction only asks for a TCP connect scan on port 12345. You also don’t need to be using sudo in your first command.

You can refer back to Part 1, Step 3 for information about running a simple TCP connect scan. Then be sure to skip host discovery and add the port specification.

Once you’ve done that, you should get a result showing port 12345.

Next, just run a simple TCP connect scan against the host - no need to skip host discovery or specify an individual port. At this point, you should see the 4 extra ports.

Once you have the extra ports, now you’ll want to use a service detection scan.
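Pulling the two explanations above (the four-step sequence and the “?” in the version field) together, here is an added example of my own, not something posted in this thread and not part of the lab: a small Python script that parses nmap’s normal output, lists the open TCP ports from the connect scan, builds the argv for the follow-up service detection scan, and separates ports whose version nmap confirmed from those it left blank or marked with a “?”. The sample scan text, the banners in it and all function names are constructed for this example; only the host address comes from the thread.

```python
"""Parse nmap normal output and pick out the ports whose version was confirmed.

Constructed example: the sample output below imitates the shape of `nmap -sV`
normal output; the ports and banners are invented, not captured from the lab.
"""
import re
from typing import Dict, List, Optional

# Constructed sample (invented ports/banners) in the shape of `nmap -sV` output.
SAMPLE_SERVICE_SCAN = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for 172.16.0.16
Host is up (0.0010s latency).

PORT      STATE SERVICE VERSION
12345/tcp open  netbus?
20000/tcp open  unknown
30000/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version ...>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.+))?\s*$"
)


def parse_ports(output: str) -> List[Dict[str, Optional[object]]]:
    """Return one row per port line.

    Works for plain connect-scan output (no VERSION column at all) as well as
    -sV output, where the VERSION column may be empty for a given port.
    """
    rows = []
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # banner, header, and summary lines are skipped
        version = (m["version"] or "").strip() or None
        rows.append(
            {
                "port": int(m["port"]),
                "proto": m["proto"],
                "state": m["state"],
                "service": m["service"],
                "version": version,
            }
        )
    return rows


def open_tcp_ports(rows: List[Dict[str, Optional[object]]]) -> List[int]:
    """Sorted list of open TCP ports, e.g. the extra ports after the connect scan."""
    return sorted(
        int(r["port"]) for r in rows if r["proto"] == "tcp" and r["state"] == "open"
    )


def service_scan_argv(host: str, ports: List[int]) -> List[str]:
    """argv for the final step in the thread: a service detection scan (-sV)
    limited to the ports the connect scan found. Nothing is executed here."""
    return ["nmap", "-sV", "-p", ",".join(str(p) for p in ports), host]


def confirmed_versions(rows: List[Dict[str, Optional[object]]]) -> List[Dict[str, Optional[object]]]:
    """Rows where nmap actually identified a version.

    A service name ending in '?' is nmap's marker for an unconfirmed guess, and
    an empty VERSION column means no probe matched; both are filtered out.
    """
    return [r for r in rows if r["version"] and not str(r["service"]).endswith("?")]


def run_example() -> List[int]:
    """Walk the sample through the pipeline and return the confirmed ports."""
    rows = parse_ports(SAMPLE_SERVICE_SCAN)
    for r in rows:
        print(f"{r['port']}/{r['proto']} {r['state']} {r['service']} {r['version'] or '-'}")
    argv = service_scan_argv("172.16.0.16", open_tcp_ports(rows))
    print("follow-up scan:", " ".join(argv))
    return [int(r["port"]) for r in confirmed_versions(rows)]


if __name__ == "__main__":
    print("ports with a confirmed version:", run_example())
```

Run it as-is to see the constructed sample walked through; to use it on a real scan, save the nmap output to a file and pass its contents to `parse_ports`. The script never runs nmap itself, it only builds the command line for the service scan step, so you can check what you are about to run against the steps in the thread before typing it.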

Finally got it, thank you very much.

2 Likes