Fawn Starting Point HackTheBox Walkthrough/Writeup

protonsec
4 min readJul 24, 2022
Fawn Starting Point HackTheBox Walkthrough
Fawn Starting Point HackTheBox Walkthrough

Fawn by HackTheBox is a really nice second Challenge in Tier 0 of the challenges. In today’s writeup we are going to see how we can solve this challenge in a comprehensive way.

Fawn Starting Point HackTheBox Walkthrough
Fawn Starting Point HackTheBox Walkthrough

If you want video solution the visit the following video for English Version

And in Hindi Version(हिंदी में)

Now let’s continue our Writeup

Fire up your terminal and scan the ip address assigned to you

wesecure1337@kali:~$ nmap -sV {target_ip}
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-23 10:16 IST
Nmap scan report for {target_ip}
Host is up (0.29s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.16 seconds

As you can clearly see that ftpis open on port 21

PORT   STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
Service Info: OS: Unix

As we know file transfer protocol in short is known as ftp

TASK 1
What does the 3-letter acronym FTP stand for?
File Transfer Protocol

From our initial scan using nmap we know that ftpis running on port 21

TASK 2
Which port does the FTP service listen on usually?
21

To secure ftp ,secure file transfer protocol (sftp) has been introduced.

TASK 3
What acronym is used for the secure version of FTP?
sftp

It is well know that ping is used to send ICMP echo request to host to test our connection like

wesecure1337@kali:~$ ping google.com
PING google.com (142.250.194.78) 56(84) bytes of data.
64 bytes from del12s03-in-f14.1e100.net (142.250.194.78): icmp_seq=1 ttl=116 time=46.2 ms
64 bytes from del12s03-in-f14.1e100.net (142.250.194.78): icmp_seq=2 ttl=116 time=47.7 ms
64 bytes from del12s03-in-f14.1e100.net (142.250.194.78): icmp_seq=3 ttl=116 time=65.0 ms
64 bytes from del12s03-in-f14.1e100.net (142.250.194.78): icmp_seq=4 ttl=116 time=50.8 ms
--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 46.156/52.408/64.988/7.450 ms

This brings us to the answer of TASK 4

TASK 4
What is the command we can use to send an ICMP echo request to test our connection to the target?
ping

From our initial scan we know that

PORT   STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
Service Info: OS: Unix

So the scan clearly shows the version of ftp used

TASK 5
From your scans, what version is FTP running on the target?
vsftpd 3.0.3

Looking at the scan result we can see the OS type

TASK 6
From your scans, what OS type is running on the target?
Unix

In general, if you want to see the help menu of any tool just type the toolname -hor toolname --help like

wesecure1337@kali:~$ ftp -h

This brings us to our answer

TASK 7
What is the command we need to run in order to display the 'ftp' client help menu?
ftp -h

Using anonymous as username and password on the ftp server one can login without having an account

TASK 8
What is username that is used over FTP when you want to log in without having an account?
anonymous

Now let’s login to the target system using ftp

wesecure1337@kali:~$ ftp {target_ip}
Connected to target_ip.
220 (vsFTPd 3.0.3)
Name (target_ip:wesecure1337): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

As you can see we have successfully logged into the server witout having account using anonymous as both username and password

Now to get the flag, follow the shown steps

ftp> ls
229 Entering Extended Passive Mode (|||13289|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
226 Directory send OK.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||23875|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |*****************************************************************************************************************| 32 254.06 KiB/s 00:00 ETA
226 Transfer complete.
ftp> exit
wesecure1337@kali:~$ cat flag.txt
035db21c881520061c53e0536e44f815

here get is a commad used to get the files from ftp-server to our machine.

This bring to

SUBMIT FLAG
Submit root flag
035db21c881520061c53e0536e44f815

Finally, we have solved this challenge.

If you really enjoyed reading this writeup and feeling excited, do chekout our other writeups on related topic.

Let’s get connected

Twitter: proton_sec
GitHub: proton-sec
LinkedIn: protonsec

If you want to appreciate and support my work here you go…

Thanks for Reading!!!

--

--