Terminal - Grepping for Gold


Greasy Gopherguts is standing next to a Cranberry Pi terminal in front of Frost Tower:


Grnph. Blach! Phlegm.

I’m Greasy Gopherguts. I need help with parsing some Nmap output.

If you help me find some results, I’ll give you some hints about Wi-Fi.

Click on the terminal next to me and read the instructions.

Maybe search for a cheat sheet if the hints in the terminal don’t do it for ya’.

You’ll type quizme in the terminal and grep through the Nmap bigscan.gnmap file to find answers.

The challenge is to answer some questions based on some nmap output:

image-20220106095714636Click for full size image



The terminal has a single file, bigscan.gnmap:

elf@138817fa4e45:~$ ls

Looking at the file, it’s from the -oG flag in nmap:

elf@138817fa4e45:~$ head bigscan.gnmap 
# Nmap 7.80 scan initiated Fri Jul 26 11:57:12 as: nmap -oG bigscan.gnmap
Host: ()     Status: Up
Host: ()     Ports: 22/open/tcp//ssh///, 110/open/tcp//pop3///, 443/open/tcp//https///, 5900/open/tcp//vnc///, 8080/open/tcp//http-proxy///      Ignored State: filtered (995)
Host: ()     Status: Up
Host: ()     Ports: 135/open/tcp//msrpc///, 137/open/tcp//netbios-ns///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///      Ignored State: closed (995)
Host: ()     Status: Up
Host: ()     Ports: 21/open/tcp//ftp///, 80/open/tcp//http///, 5900/open/tcp//vnc///      Ignored State: closed (997)
Host: ()     Status: Up
Host: ()     Ports: 135/open/tcp//msrpc///, 137/open/tcp//netbios-ns///, 139/open/tcp//netbios-ssn///, 3389/open/tcp//ms-wbt-server///      Ignored State: closed (996)
Host: ()     Status: Up

All the steps to work through this data are here:


What port does have open?

elf@47e7abaa7848:~$ grep bigscan.gnmap 
Host: ()     Status: Up
Host: ()     Ports: 62078/open/tcp//iphone-sync///      Ignored State: closed (999)



What port does have open?

elf@47e7abaa7848:~$ grep bigscan.gnmap 
Host: ()     Status: Up
Host: ()     Ports: 8080/open/tcp//http-proxy///      Ignored State: filtered (999)



How many hosts appear “Up” in the scan?

elf@47e7abaa7848:~$ grep "Status: Up" bigscan.gnmap | wc -l



How many hosts have a web port open? (Let’s just use TCP ports 80, 443, and 8080)

elf@47e7abaa7848:~$ grep -e " 80/" -e " 443/" -e " 8080/" bigscan.gnmap  | wc -l



How many hosts with status Up have no (detected) open TCP ports?

elf@cfba3d2b699e:~$ grep "Status: Up" bigscan.gnmap | wc -l
elf@cfba3d2b699e:~$ grep "Ports" bigscan.gnmap | wc -l
elf@cfba3d2b699e:~$ echo $((26054-25652))

I’m basically counting the up hosts (same as Q3), and then counting the Ports lines, and subtracting to find the number of hosts without Ports:



What’s the greatest number of TCP ports any one host has open?

This post on superuser.com shows how to get the number of times something shows up on each line:

elf@47e7abaa7848:~$ grep "Ports" bigscan.gnmap | grep -o -n ',' | cut -d: -f 1 | uniq -c | sort -nr | head -1
     11 5886

This shows 11 commas, so 12 ports.

An alternative solution is to count the number of ignored ports:

elf@47e7abaa7848:~$ grep "Ignored" bigscan.gnmap | rev | cut -d'(' -f1 | rev | cut -d')' -f1 | sort -n | head -1

It seems this scan is doing the default of top 1000 ports, so I can subtract the smallest number from 1000 to get 12.

Thaw Frost Tower’s Entrance


Greasy is annoyed at my success, and offers some hints:

Grack. Ungh. … Oh!

You really did it?

Well, OK then. Here’s what I know about the wifi here.

Scanning for Wi-Fi networks with iwlist will be location-dependent. You may need to move around the North Pole and keep scanning to identify a Wi-Fi network.

Wireless in Linux is supported by many tools, but iwlist and iwconfig are commonly used at the command line.

The curl utility can make HTTP requests at the command line!

By default, curl makes an HTTP GET request. You can add --request POST as a command line argument to make an HTTP POST request.

When sending HTTP POST, add --data-binary followed by the data you want to send as the POST body.

He also unlocks three hints in the badge:

  • The iwlist and iwconfig utilities are key for managing Wi-Fi from the Linux command line.
  • When sending a POST request with data, add --data-binary to your curl command followed by the data you want to send.
  • cURL makes HTTP requests from a terminal - in Mac, Linux, and modern Windows!


Grimy McTrollkins is outside Frost Tower by the door, and he’s in jam:


Yo, I’m Grimy McTrollkins.

I’m a troll and I work for the big guy over there: Jack Frost.

I’d rather not be bothered talking with you, but I’m kind of in a bind and need your help.

Jack Frost is so obsessed with icy cold that he accidentally froze shut the door to Frost Tower!

I wonder if you can help me get back in.

I think we can melt the door open if we can just get access to the thermostat inside the building.

That thermostat uses Wi-Fi. And I’ll bet you picked up a Wi-Fi adapter for your badge when you got to the North Pole.

Click on your badge and go to the Items tab. There, you should see your Wi-Fi Dongle and a button to “Open Wi-Fi CLI.” That’ll give you command-line interface access to your badge’s wireless capabilities.


Connect to Wifi

I’ll go into my wifi dongle command line interface, and it reitertes the commands iwlist and iwconfig:

                         ATTENTION ALL ELVES

In Santa's workshop (wireless division), we've been busy adding new Cranberry
Pi features. We're proud to present an experimental version of the Cranberry
Pi, now with Wi-Fi support!

This beta version of the Cranberry Pi has Wi-Fi hardware and software
support using the Linux wireless-tools package. This means you can use iwlist
to search for Wi-Fi networks, and connect with iwconfig! Read the manual
pages to learn more about these commands:

man iwlist

man iwconfig

I'm afraid there aren't a lot of Wi-Fi networks in the North Pole yet, but if
you keep scanning maybe you'll find something interesting.

                                                 - Sparkle Redberry

iwlist scan will show available networks, and if I’m close to the door of Frost Tower, it will return one:

elf@3553bbae8cc9:~$ iwlist scan
wlan0     Scan completed :
          Cell 01 - Address: 02:4A:46:68:69:21
                    Frequency:5.2 GHz (Channel 40)
                    Quality=48/70  Signal level=-62 dBm  
                    Encryption key:off
                    Bit Rates:400 Mb/s

It’s important to note the interface that found the scan, wlan0.

iwconfig can connect an interface to a network:

elf@bb7bcf1fce18:~$ iwconfig wlan0 essid FROST-Nidus-Setup
** New network connection to Nidus Thermostat detected! Visit http://nidus-setup:8080/ to complete setup
(The setup is compatible with the 'curl' utility)

Increase Temperature

On connection, there’s a note about a Nidus Thermostat that’s available at http://nidus-setup:8080/. I’ll use curl to interact with it:

elf@bb7bcf1fce18:~$ curl http://nidus-setup:8080

Nidus Thermostat Setup


WARNING Your Nidus Thermostat is not currently configured! Access to this
device is restricted until you register your thermostat » /register. Once you
have completed registration, the device will be fully activated.

In the meantime, Due to North Pole Health and Safety regulations
42 N.P.H.S 2600(h)(0) - frostbite protection, you may adjust the temperature.


The API for your Nidus Thermostat is located at http://nidus-setup:8080/apidoc

It says it must be registered, but also that the temperature can be adjusted before registration.

I’ll check /register:

elf@bb7bcf1fce18:~$ curl http://nidus-setup:8080/register

Nidus Thermostat Registration


Welcome to the Nidus Thermostat registration! Simply enter your serial number
below to get started. You can find the serial number on the back of your
Nidus Thermostat as shown below:

|                                                                              |
|                                                                              |
|                              ....'''''''''''''...                            |
|                         .'''...  ...............',,,'.                       |
|                     .''.        ........''',,,;;;;,'.',,'.                   |
|                  .,'.                   ......'',;;;;;;,.',;.                |
|                ',.l.                          ....'',;:::;:xl:,              |
|              ,,.                                  ....',;:cl:,,::            |
|            .,,                      ,::::,           ....';:cc:;cx,          |
|          .'  .                     :dkkkkd;             ...';:ccdc.;.        |
|         ..                                                ...';::c;.,'       |
|        '.                                                  ...';:c:;'.;      |
|       .                                                      ...,;::;,.;     |
|      ..                          ....'.'.'.''                 ...';::;'.,    |
|      .                          .. ';'.'..,..                  ...,;::;.;.   |
|     '                                ..  .. .                   ...,::;,.c   |
|     .                                                           ...';::;';.  |
|    '                                                             ...,;:;,.;  |
|    ,                              ...........                    ...,;:;;.c  |
|    ,      ...                     .  .....  .                   .;:l:;::;.l  |
|    ;      .x.                     ....   ....                   .:ccc;:;;.l  |
|    ,      ...                     ......... .                   ...',;;;,.c  |
|    '.                             ...... . ..                    ...,;;;'.,  |
|     ;                             .  .   ....                   ...',;;,.:   |
|     ;                             ...........                  ....',;,'.;   |
|      :                                                        ....',,,'.c    |
|      .,              ----->       xx.x..x.x.x                .....',,'.:.    |
|       ''                                                    .....',,'.:.     |
|        ',                ......'';oxxxxxxdc.              ......''''.:.      |
|         .:               ....'ldlx00KKKKXXXd.l;         ......',''..:.       |
|           ;,'              ...,;coO0000KKKO:...       .......',;lc:;         |
|            .l;                ....,;;;;;,'....... .........'''.'ol.          |
|              'o;..                .......................'',''lo.            |
|                .:o.                     ..................'kdc.              |
|                  .,c;.                     .............,cc'                 |
|                      ':c:'.              ..........';cc:.                    |
|                          .;ccc:;,'.........',;:cllc,.                        |
|                               ...,;;::::::;,'..                              |
|                                                                              |
|                                                                              |
|                                                                              |
|                                                                              |

  Serial Number: ______________________

             |   Submit   |

That’s not useful. There’s presumably a button to give a serial number, but it’s just ASCII art. The message before also gave the URL of the API. I’ll try that:

elf@bb7bcf1fce18:~$ curl http://nidus-setup:8080/apidoc  

Nidus Thermostat API


The API endpoints are accessed via:


Utilize a GET request to query information; for example, you can check the
temperatures set on your cooler with:

curl -XGET http://nidus-setup:8080/api/cooler

Utilize a POST request with a JSON payload to configuration information; for
example, you can change the temperature on your cooler using:

curl -XPOST -H 'Content-Type: application/json' \
  --data-binary '{"temperature": -40}' \

● WARNING: DO NOT SET THE TEMPERATURE ABOVE 0! That might melt important furniture

Available endpoints

│ Path                        │ Available without registering? │ 
│ /api/cooler                 │ Yes                            │ 
│ /api/hot-ice-tank           │ No                             │ 
│ /api/snow-shower            │ No                             │ 
│ /api/melted-ice-maker       │ No                             │ 
│ /api/frozen-cocoa-dispenser │ No                             │ 
│ /api/toilet-seat-cooler     │ No                             │ 
│ /api/server-room-warmer     │ No                             │ 

/api/cooler is the only endpoint available without registration. If I GET that endpoint, it returns the current conditions:

elf@3553bbae8cc9:~$ curl 'http://nidus-setup:8080/api/cooler'
  "temperature": -39.17,
  "humidity": 74.65,
  "wind": 0.0,
  "windchill": -11.22

The other endpoints just return an error:

elf@3553bbae8cc9:~$ curl 'http://nidus-setup:8080/api/hot-ice-tank'
  "error": "You must register to use APIs other than /cooler"

I’ll use a POST command (I could do -X POST but the --data* flags in curl will also change it to POST unless otherwise specified) to set it:

elf@dbf72513394f:~$ curl http://nidus-setup:8080/api/cooler --data-binary '{"temperature": 40}' -H 'Content-Type: application/json'
  "temperature": 40.88,
  "humidity": 56.38,
  "wind": 10.07,
  "windchill": 45.53,

This completes the challenge. The door is open, and Grimy says:

Great - now I can get back in!