Hack The Box — Fawn

James Pearson
4 min read · Jan 30, 2022

HTB Tags: #Linux #AccountMisconfiguration #FTP.

This is the second box in their Starting Point series. Let’s follow the same level of enumeration, starting as always with ping to confirm the target is reachable.

ping

ping $IP -c 4

nmap

nmap -sV -sC $IP

This time, we are starting to utilise switches from nmap. In this case we are using -sV, which probes open ports to determine service and version information. Version detection also has four related options that tune how hard it probes:

  • --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  • --version-light: Limit to most likely probes (intensity 2)
  • --version-all: Try every single probe (intensity 9)
  • --version-trace: Show detailed version scan activity (for debugging)

The other switch we will use is -sC, which runs nmap’s default selection of scripts against the open ports. Having looked at the options for -sV, this time we will use nmap’s built-in help from the terminal to check the script options.

nmap -h

Take some time to review the help file and understand the other available switches. Back to our nmap result.

We can see a result for port 21 showing the FTP service. Further details, as usual, can be found at: https://www.speedguide.net/port.php?port=21

file transfer protocol (ftp)

ftp is mainly used to upload and download files, typically web page content. The service can be secured with username:password combinations, or it can be left open and allow logging in as an anonymous user. From the nmap scan we can see that anonymous login is an option.

ftp-anon: Anonymous FTP login allowed (FTP code 230)

ftp $IP

Signing in as anonymous, we have access to those files and folders that fall within the boundaries set for the ftp service. However, to get the most out of ftp we need to understand the additional commands that are available. Simply type help to get the full selection.

You will have noticed that when you connected, the ftp service defaulted to binary mode for file transfers. You can switch to ASCII mode for plain-text content, but binary is the right choice for executables and image files, and it is generally recommended as the default. In binary mode files are transferred byte for byte, with no end-of-line conversion. The other option, if you are having difficulty transferring files, is to toggle passive mode. In passive mode the target (the server) waits for the client to open the data connection, rather than the server connecting back to the client as it would in active mode, which is the case that usually fails through NAT or a firewall.

As mentioned previously the reason we use ftp is to upload and download files. The commands that we will focus on are:

  • get downloads a single file.
  • mget downloads multiple files.
  • put uploads a file to the target, provided the service is writeable.
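To turn the nmap finding above into something repeatable, here is an added audit helper (example code, not from the original post): it parses `nmap -sV -sC` normal output for open FTP ports and the ftp-anon script result, and can optionally confirm anonymous login with Python’s ftplib, using the same passive/binary settings discussed above. The nmap output, version strings and file name are constructed sample data, not the box’s real result.

```python
import re
from ftplib import FTP, error_perm

# Constructed sample of `nmap -sV -sC` normal output (versions and the
# file name are made up for the example; they are not the box's output).
SAMPLE_NMAP = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
22/tcp open  ssh     OpenSSH 8.2p1
Service Info: OS: Unix
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
ANON_RE = re.compile(r"^\|\s*ftp-anon:\s*(.*)$")

def parse_ftp_findings(nmap_output):
    """Return one dict per open FTP port: its version string, whether the
    ftp-anon script reported anonymous login, and the listing it printed."""
    findings, current = [], None
    for line in nmap_output.splitlines():
        m = PORT_RE.match(line)
        if m:                      # a new port line resets the script context
            current = None
            if m.group(3) == "ftp":
                current = {"port": int(m.group(1)), "version": m.group(4).strip(),
                           "anonymous": False, "listing": []}
                findings.append(current)
            continue
        if current is None or not line.startswith("|"):
            continue               # script output only belongs to the port above it
        m = ANON_RE.match(line)
        if m:
            current["anonymous"] = "login allowed" in m.group(1).lower()
        else:
            current["listing"].append(line.lstrip("|_ ").rstrip())
    return findings

def check_anonymous(host, port=21, passive=True, timeout=5):
    """Confirm a finding by attempting an anonymous login.
    Returns (login_allowed, listing). passive=True means the client opens
    the data connection, the same toggle the ftp client's `passive` command sets."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.set_pasv(passive)
        ftp.login()                # ftplib defaults to user 'anonymous'
        entries = ftp.nlst()       # directory listing over the data connection
        ftp.quit()
        return True, entries
    except (error_perm, OSError):
        return False, []
```

Run `parse_ftp_findings` over a saved scan to list hosts that need the anonymous account disabled in the FTP server configuration, and `check_anonymous` to re-test them after the fix.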

foothold

Using the familiar Linux-style commands inside the ftp session, we can navigate the accessible areas and, once the flag has been located, download it to read.

Finally we get the flag.

summary

Another simple training machine highlighting the ability to upload/download files using the ftp protocol. Remember it’s only simple when you know how!


James Pearson

20 + years in an IT environment, working for companies such as Synstar, HP, DXC and Capgemini in a number of different service areas. Now a cyber CTF addict.