Flash CTF – O-SYN-T

Challenge overview

The challenge hints that TCP SYN-style probing is useful for recon. After connecting over SSH, the goal is to scan osynt.lan on the provided network and extract the flag from the scan results. nmap performs active TCP probing (often SYN-based when allowed) and then fingerprints what it finds.

You are connected using:

ssh -p 7001 ctf-05d52992a470@ssh.dyn.mctf.io

The environment gives you a fresh network per SSH session and includes common networking tools.

Solution

The solve is simply to run nmap against osynt.lan.

1) Basic scan

Start with the default scan:

nmap osynt.lan

Your output should resolve the host and show which TCP ports are open. In the provided terminal output:

Nmap scan report for osynt.lan (192.168.0.32)
Host is up
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh

2) Enable aggressive fingerprinting to get the flag

The flag is not shown in the basic port list. It appears during service detection and fingerprinting, so run:

nmap -A osynt.lan

In your output, the SSH service fingerprint section includes a message containing the flag:

flag is:
MetaCTF{nm4p_is_m4pp1ng_th3_w4y_ev3ry_s1ngl3_d4y}

This is the flag.

Why this works

nmap performs active probing and then correlates observed behavior (open ports, protocol responses, and banner-like data) with known service fingerprints. The -A switch enables additional discovery features, including deeper service detection and OS/service fingerprinting. That deeper probing is what triggers the banner or payload that contains the flag.
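
Added example (not part of the original write-up or the challenge's own code): a loopback-only Python illustration of why a port check shows nothing beyond "open" while reading the service's greeting exposes the message. It assumes the message is text the service sends on connect, ahead of its SSH identification line; the stand-in service, its greeting and the placeholder flag are all constructed.

```python
import re
import socket
import threading

# Constructed greeting: placeholder flag text followed by an SSH-style identification line.
SAMPLE_GREETING = (b"flag is:\r\nMetaCTF{constructed_placeholder}\r\n"
                   b"SSH-2.0-ExampleServer_1.0\r\n")
FLAG_RE = re.compile(rb"MetaCTF\{[^}\r\n]*\}")

def start_demo_service(greeting=SAMPLE_GREETING, clients=2):
    """Loopback listener (hypothetical stand-in service) that greets `clients` connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    srv.listen(clients)
    def serve():
        for _ in range(clients):
            conn, _addr = srv.accept()
            with conn:
                try:
                    conn.sendall(greeting)
                except OSError:
                    pass  # the client only checked the port and already hung up
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def port_is_open(host, port, timeout=2.0):
    """Port-list view: learns open or closed and reads no application data."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def read_greeting(host, port, timeout=2.0):
    """Service-detection view: connect, then read whatever the service sends first."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            while chunk := s.recv(4096):
                data += chunk
        except socket.timeout:
            pass  # keep what arrived before the service went quiet
    return data

def summarize(greeting):
    """Separate the SSH identification line from extra lines and flag-shaped strings."""
    lines = [ln for ln in greeting.decode("latin-1").splitlines() if ln]
    ident = next((ln for ln in lines if ln.startswith("SSH-")), None)
    return {"ident": ident, "extra": [ln for ln in lines if ln != ident],
            "flags": [m.decode() for m in FLAG_RE.findall(greeting)]}
```

The same summarize() check can be pointed at greetings collected from your own services to spot text that is exposed to anyone who connects, before authentication.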

Flag

MetaCTF{nm4p_is_m4pp1ng_th3_w4y_ev3ry_s1ngl3_d4y}