Challenge Summary
In this challenge, we are given a domain name (portauthority.dyn.mctf.io) and asked to find something open on that server.
Going to the domain name in the browser will show a webpage that says we’re at pier 443 and that there’s no flag at that pier. Some may recognize that 443 is the default port for the HTTPS protocol. This, and the references to “ports” in the challenge title and the page suggest that we need to scan the server for open ports to find the flag.
Networking Basics
At a high level, network communication on the internet is built on the TCP/IP model.
IP (Internet Protocol) handles addressing and routing. It ensures that packets are delivered from a source IP to a destination IP.
TCP (Transmission Control Protocol) operates on top of IP and provides a reliable way to exchange information.
UDP (User Datagram Protocol) is another protocol on top of IP, but it doesn’t guarantee delivery and is used for time-sensitive applications where data loss is acceptable.
When a client connects to a server, it sends packets to a specific IP address and port number. The server uses that port to determine which application should handle the connection. There are a total of 65,535 TCP and UDP ports each.
Solution
We can use a tool called nmap to scan the open ports on the server. Install the tool (it comes preinstalled on Kali) and run the following command:
nmap portauthority.dyn.mctf.ioAmong other things, this command scans the top 1000 most common TCP ports. The output will look like this:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-17 23:22 EDT
Nmap scan report for portauthority.dyn.mctf.io (18.207.177.97)
Host is up (0.0072s latency).
rDNS record for 18.207.177.97: ec2-18-207-177-97.compute-1.amazonaws.com
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
443/tcp open https
8888/tcp open sun-answerbook
Nmap done: 1 IP address (1 host up) scanned in 4.07 secondsWe can see 3 ports are open: 80/tcp, 443/tcp, and 8888/tcp. We can check these out in the browser by appending :port (with the port number) to the domain name:
portauthority.dyn.mctf.io:80→ redirects to https://portauthority.dyn.mctf.io/. Port 80 is the default port for HTTP, which is not a secure protocol. The website supports HTTPS and automatically redirects the user to HTTPS on port 443.portauthority.dyn.mctf.io:443→ goes straight to https://portauthority.dyn.mctf.io/. This is because HTTPS uses port 443 by default, so browsers know to send requests to that port and don’t make it visible in the URL.portauthority.dyn.mctf.io:8888→ the browser realizes that this port supports HTTPS and prepends https://portauthority.dyn.mctf.io:8888/ in the URL. This shows us the flag!
It’s not immediately obvious in the nmap output that port 8888 is also running a web server. The default nmap command simply maps port numbers to an internal dictionary, which may or may not reflect the actual service running on that port. We can add the -sV flag to enable nmap service and version detection:
~$ nmap -sV portauthority.dyn.mctf.io
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-18 10:36 EDT
Nmap scan report for portauthority.dyn.mctf.io (18.207.177.97)
Host is up (0.0078s latency).
rDNS record for 18.207.177.97: ec2-18-207-177-97.compute-1.amazonaws.com
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Caddy httpd
443/tcp open ssl/http Caddy httpd
8888/tcp open ssl/http Caddy httpd
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.67 secondsThis correctly tells us that all of these ports are running http or https and even tells us the software used.
Luckily, the flag was on a common port that nmap scans by default. We could have added -p- to the nmap command to scan all ports. This would have taken a lot longer to scan but would have been more thorough.
Check out this cheatsheet (https://github.com/jasonniebauer/Nmap-Cheatsheet) or the official documentation (https://nmap.org/book/man.html) for more info.