Hack The Box — Fawn

HTB Tags: #Linux #AccountMisconfiguration #FTP.

This is the second box in their Starting Point series. Let’s follow the same level of enumeration, starting as always with ping confirming availability of the target.

ping

ping $IP -c 4

nmap

nmap -sV -sC $IP

This time, we are starting to utilise switches from nmap. In this case we are using -sV which will probe open ports determining the service/version information. Within the switch, there are four sub switches that add functionality to the initial request.

  • - -version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  • - -version-light: Limit to most likely probes (intensity 2)
  • - -version-all: Try every single probe (intensity 9)
  • - -version-trace: Show detailed version scan activity (for debugging)

The other switch we will use is -sC allowing us to run a default selection of scripts from within nmap. Having looked at the options for -sV this time to check the scripts we will use the help facility within nmap from the terminal.

nmap -h

Take some time to review the help file and understand the other available switches. Back to our nmap result.

We can see we have a specific port result of 21 showing a service of FTP. Further details as usual can be found at: https://www.speedguide.net/port.php?port=21

file transport protocol (ftp)

ftp is used to mainly upload/download files, normally web page content. This service can be secured by username:password combinations or indeed with an open service logging is as an anonymous user. From the nmap scan we can see the anonymous log in is an option.

ftp-anon: Anonymous FTP login allowed (FTP code 230)

ftp $IP

Signing in with anonymous, we have access to those files and folders set within the boundaries of the ftp command. However in order to get the most of ftp, we need to understand the additional commands that are available. Simply type in help to get the full selection.

You will have noticed that when you connected, the ftp service defaulted to binary mode to transfer files. In its own right you can download ASCII as default with binary image files and it is generally recommended that we use binary for executable files. In this mode, files are transferred in one-byte units. The other option if you are having difficulty is to change it to passive mode. This means that your target machine will work as passive accepting connections from the client rather than accepting connections directly from the server.

As mentioned previously the reason we use ftp is to upload and download files. The commands that we will focus on are:

  • get will allow downloading of files.
  • mget allows the downloading of multiple files
  • put if the service is writeable it will allow the uploading of files to the target.

foothold

Using Linux terminal commands we can navigate the accessabile areas and once the flag has been located download it to read.

Finally we get the flag.

summary

Another simple training machine highlighting the ability to upload/download files using the ftp protocol. Remember it’s only simple when you know how!

--

--

--

20 + years in an IT environment, working for companies such as Synstar, HP, DXC and Capgemini in a number of different service areas. Now a cyber CTF addict.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Write a Website that is Faster than 99% of Others

Feeding Frenzy with SimpleFeed

The Cucumber PicoContainer

Error 1 error MSB8020: The build tools for v142 (Platform Toolset = ‘v142’) cannot be found.

My Unexpected Dive Into Open-Source Python

Hiding API Keys in A Rails App with Figaro and Heroku

Difference between UX/UI Designer & Developer

Python Friday: Challenge #1

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
James Pearson

James Pearson

20 + years in an IT environment, working for companies such as Synstar, HP, DXC and Capgemini in a number of different service areas. Now a cyber CTF addict.

More from Medium

HTB: Horizontall

Write-Up: Hack The Box: Starting Point — Unified (Tier 2)

IIUC CyberCon 2022 CTF Write-ups

HTB — CAP Walkthrough