Scroll to the bottom of the page for answers to the Task questions.
Do you remember when the Warez scene was in its infancy? Think back. Think way back. Before P2P went mainstream and torrents became a thing, File Transfer Protocol a.k.a. FTP was used to facilitate the majority of “illicit” file sharing activity. Depending on your place in that particular ecosystem you were labeled either a Seeder or a Leecher. Seeders had access to all of the good stuff. Meanwhile, Leechers had to make do with anonymous logins, low-quality content, malware-laden everything, and slow/throttled download speeds.
Things are different now. No one wants to deal with the headaches that come along with spinning up and then subsequently maintaining an FTP server, so cloud-based storage services have taken its place.
Let’s port scan the target:
┌──(unsecurednerd㉿kali)-[~]
└─$ sudo nmap -v -A --stats-every 1m -p - ip_address_of_target
A breakdown of the command line switches used above is as follows:
sudo: nmap will be run with root privileges. This will allow us to perform an -sS scan.
nmap: the name of the program that we are running.
-v: a single level of verbosity is added.
-A: asks Nmap to perform an aggressive scan which includes OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute).
--stats-every 1m: provides an update every minute.
-p -: scans all ports.
ip_address_of_target: is self explanatory; replace this with the IP address of the target.
Although I often do not include it in the examples, I always direct output to both the terminal and a file when possible either by using the tee command or a built-in switch like -oN in the case of Nmap. The entire command that I used looked something like:
┌──(unsecurednerd㉿kali)-[~]
└─$ sudo nmap -v -A --stats-every 1m -p - ip_address_of_target -oN 01_nmap_scan_fawn.txt
The output from Nmap lays it all out for us:
Truncated...
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.20
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
...Truncated
Port 21 is open and this port typically correlates to FTP services. Anonymous login is allowed. We can see that there is a flag.txt file in the root directory.
If you have even the slightest bit of experience I urge you to stop reading now. Use some Google-Fu and the sentences above and work your way through it. If you feel that you need a nudge or two in the right direction by all means please continue.
The ftp command can be used to connect to the remote FTP server hosted on the target:
┌──(unsecurednerd㉿kali)-[~]
└─$ ftp ip_address_of_target
In this case, the server responds with a message confirming the connection.
It then sends a response code of 220 with the banner. This tells us that the server software and version are “vsFTPd 3.0.3”.
Connected to ip_address_of_target.
220 (vsFTPd 3.0.3)
The server prompts us for a username and since Nmap confirmed that anonymous logins are allowed we will use the username “anonymous”.
A response code of 331 asking us to enter a password is sent by the server. We will leave the password blank.
Name (ip_address_of_target:unsecurednerd): anonymous
331 Please specify the password.
Password:
The server then sends a response code of 230 telling us that our login attempt was successful.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
help lists the available commands:
ftp> help
Commands may be abbreviated. Commands are:
Truncated...
! close fget lpage modtime pdir rcvbuf sendport type
...Truncated
ls -al lists the contents of the current, remote, directory:
ftp> ls -al
229 Entering Extended Passive Mode (|||25608|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 121 4096 Jun 04 2021 .
drwxr-xr-x 2 0 121 4096 Jun 04 2021 ..
-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
226 Directory send OK.
get transfers a file from the remote FTP server hosted on the target to the present working directory of our local file system:
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||30546|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |*************************************************************| 32 459.55 KiB/s 00:00 ETA
226 Transfer complete.
32 bytes received in 00:00 (1.75 KiB/s)
exit closes the connection.
ftp> exit
221 Goodbye.
┌──(unsecurednerd㉿kali)-[~]
└─$
The contents of the file can be output to the terminal by way of the cat command:
┌──(unsecurednerd㉿kali)-[~]
└─$ cat flag.txt
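The reply codes walked through above (220, 331, 230, 229, 150, 226, 221) can be read back out of a captured control-channel session. The following is an added example, not part of the original walkthrough: it parses a transcript, pulls the data port out of each 229 reply, and reports whether an anonymous login was accepted, which is the finding an administrator reviewing their own server would care about. The client-side commands (USER, PASS, EPSV, LIST, QUIT) and the function names are assumptions made for the example; the server replies are copied from the session shown above.

```python
import re

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")    # "230 text" or "230-text"
EPSV_RE = re.compile(r"\((.)\1\1(\d{1,5})\1\)")  # RFC 2428: (<d><d><d>port<d>)

# Constructed sample: "S" lines are the server replies shown in the session
# above; "C" lines are the commands a client is assumed to have sent.
TRANSCRIPT = [
    ("S", "220 (vsFTPd 3.0.3)"), ("C", "USER anonymous"),
    ("S", "331 Please specify the password."), ("C", "PASS "),
    ("S", "230 Login successful."), ("C", "EPSV"),
    ("S", "229 Entering Extended Passive Mode (|||25608|)"),
    ("C", "LIST -al"), ("S", "150 Here comes the directory listing."),
    ("S", "226 Directory send OK."), ("C", "QUIT"), ("S", "221 Goodbye."),
]

def parse_reply(line):
    """Return (code, is_last_line, text), or None for free-form text."""
    m = REPLY_RE.match(line)
    if not m:
        return None  # body line inside a multi-line reply
    return int(m.group(1)), m.group(2) == " ", m.group(3)

def epsv_port(text):
    """Extract the TCP data port the server opened for this transfer."""
    m = EPSV_RE.search(text)
    port = int(m.group(2)) if m else 0
    return port if 0 < port <= 65535 else None

def audit(transcript):
    """Summarise banner, anonymous-login result and data ports of a session."""
    report = {"banner": None, "anonymous_login": False, "data_ports": []}
    user = None
    for side, line in transcript:
        if side == "C":
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                user = arg.strip().lower()
            continue
        reply = parse_reply(line)
        if reply is None or not reply[1]:
            continue  # only the last line of a reply carries the verdict
        code, _, text = reply
        if code == 220 and report["banner"] is None:
            report["banner"] = text
        elif code == 230 and user in ("anonymous", "ftp"):  # vsftpd treats both as anonymous
            report["anonymous_login"] = True
        elif code == 229 and epsv_port(text):
            report["data_ports"].append(epsv_port(text))
    return report
```

Calling audit(TRANSCRIPT) reports the vsFTPd banner, anonymous_login set to True, and data port 25608; a server with anonymous access disabled would answer the PASS with a 530 instead of a 230 and the flag would stay False.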
Task 1: What does the 3-letter acronym FTP stand for?
File Transfer Protocol
Task 2: Which port does the FTP service listen on usually?
21
Task 3: What acronym is used for the secure version of FTP? What service do we use to form our VPN connection into HTB labs?
sftp
Task 4: What is the command we can use to send an ICMP echo request to test our connection to the target?
ping
Task 5: From your scans, what version is FTP running on the target?
vsftpd 3.0.3
Task 6: From your scans, what OS type is running on the target?
Unix
Task 7: What is the command we need to run in order to display the 'ftp' client help menu?
ftp -h
Task 8: What is username that is used over FTP when you want to log in without having an account?
anonymous
Task 9: What is the response code we get for the FTP message 'Login successful'?
230
Task 10: There are a couple of commands we can use to list the files and directories available on the FTP server. One is dir. What is the other that is a common way to list files on a Linux system.
ls
Task 11: What is the command used to download the file we found on the FTP server?
get
DISCLAIMER Everything discussed herein is done so within the context of Boot2Roots, Crackmes, CTFs, and various other types of Cyber Security/Information Security/Programming challenges and competitions, Cyber Security/Information Security/Programming education, the Cyber Security/Information Security/Programming industry, and the Cyber Security/Information Security/Programming education industry. DO NOT "ATTACK" ANY SYSTEM(S) WITHOUT FIRST OBTAINING PROPER AUTHORIZATION. The Unsecured Nerd cannot and, most importantly, is genuinely not interested in helping you hack your personal enemies, family, friends, significant other, your government, governments that oppose your government, random remote targets that you managed to locate on the internet, and/or really anything at all. If reading something on this site causes you to wonder how it can be applied to hack any of those aforementioned things it’s best that you keep wondering. Stay safe.