Hack The Box — Fawn
HTB Tags: #Linux #AccountMisconfiguration #FTP.
This is the second box in their Starting Point series. Let’s follow the same level of enumeration, starting as always with ping to confirm availability of the target.
ping
ping $IP -c 4
nmap
nmap -sV -sC $IP
This time, we are starting to utilise switches from nmap. In this case we are using -sV, which probes open ports to determine service/version information. This switch has four sub-switches that add functionality to the initial request.
- --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
- --version-light: Limit to most likely probes (intensity 2)
- --version-all: Try every single probe (intensity 9)
- --version-trace: Show detailed version scan activity (for debugging)
The other switch we will use is -sC, which allows us to run a default selection of scripts from within nmap. Having looked at the options for -sV, this time we will use the help facility within nmap from the terminal to check the scripts.
nmap -h
Take some time to review the help file and understand the other available switches. Back to our nmap result.
We can see we have a specific port result of 21 showing a service of FTP. Further details as usual can be found at: https://www.speedguide.net/port.php?port=21
file transfer protocol (ftp)
ftp is mainly used to upload/download files, normally web page content. This service can be secured by username:password combinations, or left open so that anyone can log in as an anonymous user. From the nmap scan we can see that anonymous login is an option.
ftp-anon: Anonymous FTP login allowed (FTP code 230)
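When the same scan is run across hosts you are responsible for, the ftp-anon finding shown above can be pulled out of saved nmap output automatically. The following Python is an added example, not part of the original write-up; the sample scan text, addresses, banners and file names are constructed, and the function name find_anonymous_ftp is hypothetical.

```python
import re

# Constructed sample of `nmap -sV -sC` output; hosts, banners and file names are made up.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ExampleFTPd 1.0
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              32 Jan 01 00:00 notes.txt
22/tcp open  ssh     ExampleSSH 1.0

Nmap scan report for 192.0.2.11
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     ExampleFTPd 1.0
2121/tcp open  ftp     ExampleFTPd 1.0
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x    2 0        0            4096 Jan 01 00:00 pub
|_-rw-r--r--    1 0        0             512 Jan 01 00:00 backup.cfg
"""

HOST_RE = re.compile(r"^Nmap scan report for (.+)$")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+(\S+)\s*(.*)$")
ANON_RE = re.compile(r"^\|[_ ]ftp-anon: Anonymous FTP login allowed \(FTP code (\d+)\)")
LIST_RE = re.compile(r"^\|[_ ]([-dl][rwxsStT-]{9})\s.*\s(\S+)$")
SCRIPT_RE = re.compile(r"^\|[_ ][\w-]+:")  # header line of any NSE script

def find_anonymous_ftp(scan_text):
    """Return one finding per port where ftp-anon reported anonymous login."""
    findings, host, port, in_anon = [], None, None, False
    for line in scan_text.splitlines():
        if m := HOST_RE.match(line):
            host, port, in_anon = m.group(1), None, False
        elif m := PORT_RE.match(line):
            port, in_anon = (int(m.group(1)), m.group(4).strip()), False
        elif (m := ANON_RE.match(line)) and host and port:
            findings.append({"host": host, "port": port[0], "version": port[1],
                             "ftp_code": int(m.group(1)), "exposed": []})
            in_anon = True
        elif SCRIPT_RE.match(line):
            in_anon = False  # a different script's output starts here
        elif in_anon and (m := LIST_RE.match(line)):
            kind = "dir" if m.group(1).startswith("d") else "file"
            findings[-1]["exposed"].append((kind, m.group(2)))
    return findings

if __name__ == "__main__":
    for f in find_anonymous_ftp(SAMPLE_SCAN):
        print(f"{f['host']}:{f['port']} ({f['version']}) code {f['ftp_code']}: {f['exposed']}")
```

Each finding records the directory entries that the script listed, so it is clear what an unauthenticated user can already see; file names containing spaces are reduced to their last word by this simple pattern.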
ftp $IP
Signing in as anonymous, we have access to those files and folders set within the boundaries of the ftp service. However, to get the most out of ftp, we need to understand the additional commands that are available. Simply type in help to get the full selection.
You will have noticed that when you connected, the ftp service defaulted to binary mode to transfer files. Text files can also be downloaded in ASCII mode, but it is generally recommended that we use binary for image and executable files. In this mode, files are transferred in one-byte units. The other option, if you are having difficulty, is to change to passive mode. This means that the target machine acts passively, accepting the data connection from the client rather than opening a connection back to the client itself.
As mentioned previously the reason we use ftp is to upload and download files. The commands that we will focus on are:
- get: will allow downloading of files.
- mget: allows the downloading of multiple files.
- put: if the service is writeable it will allow the uploading of files to the target.
foothold
Using Linux terminal commands we can navigate the accessible areas and, once the flag has been located, download it to read.
Finally we get the flag.
summary
Another simple training machine highlighting the ability to upload/download files using the ftp protocol. Remember it’s only simple when you know how!