In this task we had to scan local network for open ports and find a machine we could attack. First device with open ports was router on 192.168.1.0 witch had admin web server. We tried bruteforcing the password and username on the router but that didn't seem to work. Finally we decided to try and scan elsewhere as the router probably wasn't meant to be targeted.
After few runs finally this nmap command brought up some servers (excluding router) with non-22 ports open:
sudo nmap -sS -n -v 192.168.1.0/24 -p- -T5 --min-parallelism 200 --max-rtt-timeout 5 --max-retries 1 --max-scan-delay 0 --min-rate 1000
I noticed that if run without verbose flag nmap doesn't report on some ports which took a few hours from me.
The server with non-22 ports was 192.168.1.167. Some of the open ports were 22911, 8752, 13079, 26711.
Most of the returnes ASCII art, one of them also contained token EuphoricMushroomsFeedAnywhere, this token was then
requested by service on port 26711. We connected to this service using ncat:
ncat 192.168.1.167 26711
And upon being prompted for the token all that was needed was send this token as request. Response was the flag.