Fawn Starting Point HackTheBox Walkthrough/Writeup

protonsec
4 min read · Jul 24, 2022


Fawn by HackTheBox is a really nice second challenge in Tier 0 of the challenges. In today’s writeup we are going to see how we can solve this challenge in a comprehensive way.

Now let’s continue our Writeup

Fire up your terminal and scan the IP address assigned to you:

wesecure1337@kali:~$ nmap -sV {target_ip}
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-23 10:16 IST
Nmap scan report for {target_ip}
Host is up (0.29s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.16 seconds

As you can clearly see, ftp is open on port 21:

PORT   STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
Service Info: OS: Unix

As we know, FTP is short for File Transfer Protocol.

TASK 1
What does the 3-letter acronym FTP stand for?
File Transfer Protocol

From our initial scan using nmap, we know that ftp is running on port 21.

TASK 2
Which port does the FTP service listen on usually?
21

To secure FTP, the secure file transfer protocol (sftp) has been introduced.

TASK 3
What acronym is used for the secure version of FTP?
sftp

It is well known that ping is used to send an ICMP echo request to a host to test our connection, like this:

wesecure1337@kali:~$ ping google.com
PING google.com (142.250.194.78) 56(84) bytes of data.
64 bytes from del12s03-in-f14.1e100.net (142.250.194.78): icmp_seq=1 ttl=116 time=46.2 ms
64 bytes from del12s03-in-f14.1e100.net (142.250.194.78): icmp_seq=2 ttl=116 time=47.7 ms
64 bytes from del12s03-in-f14.1e100.net (142.250.194.78): icmp_seq=3 ttl=116 time=65.0 ms
64 bytes from del12s03-in-f14.1e100.net (142.250.194.78): icmp_seq=4 ttl=116 time=50.8 ms
--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 46.156/52.408/64.988/7.450 ms

This brings us to the answer of TASK 4

TASK 4
What is the command we can use to send an ICMP echo request to test our connection to the target?
ping

From our initial scan we know that

PORT   STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
Service Info: OS: Unix

So the scan clearly shows the version of ftp used

TASK 5
From your scans, what version is FTP running on the target?
vsftpd 3.0.3

Looking at the scan result we can see the OS type

TASK 6
From your scans, what OS type is running on the target?
Unix

In general, if you want to see the help menu of any tool, just type toolname -h or toolname --help, like this:

wesecure1337@kali:~$ ftp -h

This brings us to our answer

TASK 7
What is the command we need to run in order to display the 'ftp' client help menu?
ftp -h

Using anonymous as the username and password on the FTP server, one can log in without having an account.

TASK 8
What is username that is used over FTP when you want to log in without having an account?
anonymous

Now let’s log in to the target system using ftp:

wesecure1337@kali:~$ ftp {target_ip}
Connected to target_ip.
220 (vsFTPd 3.0.3)
Name (target_ip:wesecure1337): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

As you can see, we have successfully logged into the server without having an account, using anonymous as both username and password.

Now to get the flag, follow the shown steps

ftp> ls
229 Entering Extended Passive Mode (|||13289|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
226 Directory send OK.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||23875|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |*****************************************************************************************************************| 32 254.06 KiB/s 00:00 ETA
226 Transfer complete.
ftp> exit
wesecure1337@kali:~$ cat flag.txt
035db21c881520061c53e0536e44f815

Here, get is a command used to download files from the FTP server to our machine.

This brings us to

SUBMIT FLAG
Submit root flag
035db21c881520061c53e0536e44f815

Finally, we have solved this challenge.
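
The box is solved only because vsftpd accepts the anonymous login shown above. As an added example (not part of the original writeup and not vsftpd's own code), this Python script audits a vsftpd.conf on a server you administer for that setting; the sample configs are constructed, and the defaults table follows vsftpd.conf(5), where anonymous_enable is YES unless the file says otherwise.

```python
# Added example: flag vsftpd.conf settings that permit the anonymous login used above.
# Compiled-in defaults per vsftpd.conf(5); a directive missing from the file keeps these.
DEFAULTS = {
    "anonymous_enable": "YES",
    "no_anon_password": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "ssl_enable": "NO",
}
TRUE_VALUES = {"YES", "TRUE", "1"}

def parse_conf(text):
    """Return effective settings: defaults overridden by option=value lines."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            settings[key] = value
    return settings

def audit(text):
    """Return the names of directives whose effective value is risky."""
    s = parse_conf(text)
    on = lambda key: s[key].strip().upper() in TRUE_VALUES
    findings = []
    if on("anonymous_enable"):
        findings.append("anonymous_enable")        # login without an account
        if on("no_anon_password"):
            findings.append("no_anon_password")    # not even a password prompt
        if on("write_enable") and on("anon_upload_enable"):
            findings.append("anon_upload_enable")  # anonymous users can upload
    if not on("ssl_enable"):
        findings.append("ssl_enable")              # credentials and files in cleartext
    return findings

# Constructed sample configs (not taken from the target machine).
WEAK = "listen=YES\nanonymous_enable=YES\nlocal_enable=NO\n"
HARDENED = "listen=YES\nanonymous_enable=NO\nlocal_enable=YES\nssl_enable=YES\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED), ("empty", "")):
        print(name, audit(conf))
```

An empty or fully commented-out config is reported the same way as the weak one, because leaving anonymous_enable out does not turn it off.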

If you really enjoyed reading this writeup and are feeling excited, do check out our other writeups on related topics.

Let’s get connected

Twitter: proton_sec
GitHub: proton-sec
LinkedIn: protonsec

Thanks for Reading!!!