Skip to main content

HTB | Fawn | Write-Up

· 9 min read

Summary:

This article guides users through completing the Fawn machine challenge on Hack The Box. It covers identifying & using an anonymous FTP service to access and download the "root flag".

Machine Name: Fawn | Difficulty: Easy | OS: Linux

The aim of this walkthrough is to provide help with the Fawn machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.

It belongs to a series of tutorials that aim to help out complete beginners with finishing the Starting Point TIER 0 challenges.

Setup

There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.

Once our connection is taken care of, we spawn the target machine.

Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host's IP address. Once set, we can easily access it by prepending a $ to our variable name.

┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $RHOST=<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $ echo $RHOST 
<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

You could use the unset command to remove it after you no longer need it.

┌─[][htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $unset RHOST 
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

Task | 1

Question: What does the 3-letter acronym FTP stand for?

Simple internet search results should provide you with the answer.

file transfer protocol

Task | 2

Question: Which port does the FTP service listen on usually?

Again, use the internet.

21

Task | 3

Question: What acronym is used for the secure version of FTP?

Same as before, use the internet.

sftp

Task | 4

Question: What is the command we can use to send an ICMP echo request to test our connection to the target?

Check out your connection to the target machine:

┌─[][htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $ping $RHOST -c 4
PING 10.129.200.114 (10.129.200.114) 56(84) bytes of data.
64 bytes from 10.129.200.114: icmp_seq=1 ttl=63 time=10.1 ms
64 bytes from 10.129.200.114: icmp_seq=2 ttl=63 time=11.0 ms
64 bytes from 10.129.200.114: icmp_seq=3 ttl=63 time=10.2 ms
64 bytes from 10.129.200.114: icmp_seq=4 ttl=63 time=10.1 ms

--- 10.129.200.114 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 10.058/10.343/10.991/0.379 ms
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

ping

Task | 5

Question: From your scans, what version is FTP running on the target?

First do a quick recon and check out the top open ports on the target.

┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $nmap -sV -p21 $RHOST
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 09:57 BST
Nmap scan report for 10.129.200.114
Host is up (0.015s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

vsftpd 3.0.3

Task | 6

Question: From your scans, what OS type is running on the target?

To check out the OS type, use the -O option. Beware, running the OS detection scripts requires root privileges.

┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $nmap -O -p21 $RHOST 
TCP/IP fingerprinting (for OS scan) requires root privileges.
QUITTING!
┌─[][htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $sudo nmap -O -p21 $RHOST
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 10:03 BST
Nmap scan report for 10.129.200.114
Host is up (0.012s latency).

PORT   STATE SERVICE
21/tcp open  ftp
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (99%), Linux 4.15 - 5.6 (95%), Linux 5.0 - 5.3 (94%), Linux 5.4 (94%), Linux 5.0 - 5.4 (94%), Linux 5.3 - 5.4 (94%), Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.95 seconds
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

unix

Task | 7

Question: What is the command we need to run in order to display the 'ftp' client help menu?

If stuck or lost, remember, man pages are your best friends. You could simply use man ftp to search for the help option.

┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $ftp -h

	Usage: { ftp | pftp } [-46pinegvtd] [hostname]
	   -4: use IPv4 addresses only
	   -6: use IPv6, nothing else
	   -p: enable passive mode (default for pftp)
	   -i: turn off prompting during mget
	   -n: inhibit auto-login
	   -e: disable readline support, if present
	   -g: disable filename globbing
	   -v: verbose mode
	   -t: enable packet tracing [nonfunctional]
	   -d: enable debugging

┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

ftp -h

Task | 8

Question: What is username that is used over FTP when you want to log in without having an account?

One way to find out that anonymous login is enabled is to use nmap with the -A option where you run all the nmap scripts (OS detection + version detection + script scanning + traceroute).

┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $nmap -A $RHOST -p21
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 10:13 BST
Nmap scan report for 10.129.200.114
Host is up (0.013s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.14.17
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.92 seconds
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

So, let's try and log in. The username anonymous does not require a password, so simply press enter to continue. Once logged in, use the help command to list all the available commands.

┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $ftp $RHOST 21
Connected to 10.129.200.114.
220 (vsFTPd 3.0.3)
Name (10.129.200.114:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> help
Commands may be abbreviated.  Commands are:

!		dir		mdelete		qc		site
$		disconnect	mdir		sendport	size
account		exit		mget		put		status
append		form		mkdir		pwd		struct
ascii		get		mls		quit		system
bell		glob		mode		quote		sunique
binary		hash		modtime		recv		tenex
bye		help		mput		reget		tick
case		idle		newer		rstatus		trace
cd		image		nmap		rhelp		type
cdup		ipany		nlist		rename		user
chmod		ipv4		ntrans		reset		umask
close		ipv6		open		restart		verbose
cr		lcd		prompt		rmdir		?
delete		ls		passive		runique
debug		macdef		proxy		send

anonymous

Task | 9

Question: What is the response code we get for the FTP message 'Login successful'?

See the terminal interaction above.

230

Task | 10

Question: There are a couple of commands we can use to list the files and directories available on the FTP server. One is dir. What is the other that is a common way to list files on a Linux system.

Once way to check that is to (again) use the help command inside the ftp connection. The use it to list all the files in the current directory.

# connected to the ftp service
ftp> help help
help      	print local help information
ftp> help dir
dir       	list contents of remote directory
ftp> help ls
ls        	list contents of remote directory 
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
226 Directory send OK.

ls

Task | 11

Question: What is the command used to download the file we found on the FTP server?

Again, use the help inside the ftp connection to find the desired command. Once found, download the file containing the flag.

# connected to the ftp service
ftp> help get
get       	receive file
ftp> get flag.txt
local: flag.txt remote: flag.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for flag.txt (32 bytes).
226 Transfer complete.
32 bytes received in 0.00 secs (250.0000 kB/s)

get

Submit The Flag

Question: Submit root flag

Once we finished downloading the file, terminate the ftp connection.

ftp> exit
221 Goodbye.

Then check out downloaded file for the root flag.

┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $ll
total 20K
-rw-r--r-- 1 htb-bluewalle htb-bluewalle   32 May  4 10:18 flag.txt
lrwxrwxrwx 1 root          root            24 May  4 08:41 htb_vpn_logs.log -> /var/log/openvpn/htb.log
-rw-r--r-- 1 root          root            43 May  4 08:41 my_credentials.txt
lrwxrwxrwx 1 root          root            27 May  4 08:41 my_data -> /home/htb-bluewalle/my_data
-rwxr-xr-x 1 htb-bluewalle htb-bluewalle 2.1K May  4 08:40 README.license
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $cat flag.txt 
<flag>
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

flag

Make sure to terminate the target box before you continue with the next machine!