Setup
First, we need to connect to the HTB network. There are two different methods to do the same:
- Using Pwnbox
- Using OpenVPN
Introduction
This machine helps us to familiarize ourselves with the File Transfer Protocol (FTP).
The File Transfer Protocol (FTP) is a standard communication protocol used to transfer
computer files from a server to a client on a computer network.
You can read more about FTP in this Wikipedia article.
Scanning and enumeration
After our connection to the HTB network is successfully established, we can spawn the target machine from the Starting Point lab’s page by clicking on “SPAWN MACHINE” as shown above. After spawning the machine, we can check if our packets reach their destination by using the ping command.
Grab the IP address of your current target and paste it into your terminal after typing in the ping command. After 4-5 successful replies from the target, we can confirm that our connection is formed and stable. Pressing the Ctrl + C combination on our keyboard cancels the ping command and gives us back control of the terminal tab.
Now let’s start scanning the target using nmap. nmap will send requests to the target’s ports in hopes of receiving a reply, thus determining if the said port is open or not.
We can use the following nmap command: sudo nmap -sV {target_ip}
{target_ip} has to be replaced with the IP address of the Fawn machine.
The -sV switch is used to display the version of the services running on the open ports.
After the completion of the scan, we can see that port 21/tcp is open and is running the FTP service.
Foothold
Now it’s time to interact with the target.
If an FTP client is not installed on our system, we can install it using the command sudo apt install ftp -y
The -y switch is used to automatically assume “yes” as the answer to all the prompts that might occur during the installation process.
We can use the following command to connect to the target host: ftp {target_ip}
The prompt will ask us for the username we want to log in with.
If the FTP service is poorly configured, it will allow an anonymous account to access the service like any other authenticated user. On inputting the anonymous username and a random password, we can see that we have successfully logged into ftp. Our terminal prompt changes to show us that we can now issue FTP commands.
We can now use the help command to view which commands are available to us.
Let’s use the ls command to see the files available in the current directory.
In order to download the flag.txt file to our system, we can use the get command followed by the filename. If unable to download the file using get, go back and connect to FTP using sudo. The file gets downloaded to the directory you were in when you issued the ftp {target_ip} command.
Now we can exit the FTP service using the exit command and come back to our host machine.
By using the ls command, we can see that there is a file called flag.txt in our current directory, and using the cat command we can see the contents of the file.
Copy the flag and paste it into the Starting Point lab’s page to complete your task.
Congrats, you have just pwned Fawn! 👏
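The anonymous login used in the Foothold section is a server-side configuration choice. The script below is an added example, not part of the original walkthrough or the Fawn machine: it audits a vsftpd.conf for the settings that permit it. The function names and the two sample configurations are constructed for illustration, and it assumes that a repeated directive takes its last value.

```shell
#!/bin/sh
# Added example: report anonymous-access settings in a vsftpd.conf.

# effective FILE DIRECTIVE DEFAULT -> prints YES or NO.
# Assumption: when a directive is repeated, the last occurrence applies.
effective() {
  awk -F= -v key="$2" -v val="$3" '
    /^#/ { next }                      # comment line
    $1 == key { val = $2 }             # vsftpd syntax is option=value, no spaces
    END { gsub(/[ \t\r]/, "", val)
          print ((toupper(val) ~ /^(YES|TRUE|1)$/) ? "YES" : "NO") }
  ' "$1"
}

# audit_vsftpd FILE -> one line per result; returns 1 if anonymous login is on.
audit_vsftpd() {
  # vsftpd's built-in default for anonymous_enable is YES, so a missing line is a finding.
  if [ "$(effective "$1" anonymous_enable YES)" = NO ]; then
    echo "OK anonymous_enable=NO"
    return 0
  fi
  echo "FINDING anonymous_enable=YES (users 'anonymous' and 'ftp' can log in)"
  # The anon_* write options only take effect when write_enable is also YES.
  if [ "$(effective "$1" write_enable NO)" = YES ]; then
    for opt in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
      if [ "$(effective "$1" "$opt" NO)" = YES ]; then
        echo "FINDING $opt=YES (anonymous users can change files)"
      fi
    done
  fi
  return 1
}

# Constructed sample configurations, not taken from the Fawn machine.
weak_conf() { printf '%s\n' '# lab server' 'listen=YES' 'anonymous_enable=YES' \
  'write_enable=YES' 'anon_upload_enable=YES'; }
hardened_conf() { printf '%s\n' 'listen=YES' 'anonymous_enable=NO' \
  'local_enable=YES' 'write_enable=YES'; }

demo() {
  tmp=$(mktemp)
  weak_conf > "$tmp";     echo "weak:";     audit_vsftpd "$tmp"
  hardened_conf > "$tmp"; echo "hardened:"; audit_vsftpd "$tmp"
  rm -f "$tmp"
}
demo || true
```

On a real server, pass the path of the active configuration file to audit_vsftpd; a non-zero exit status means anonymous login is enabled.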
—
Task answers
Task 1: What does the 3-letter acronym FTP stand for?
File Transfer Protocol
Task 2: Which port does the FTP service listen on usually?
21
Task 3: What acronym is used for the secure version of FTP?
SFTP
Task 4: What is the command we can use to send an ICMP echo request to test our connection to the target?
ping
Task 5: From your scans, what version is FTP running on the target?
vsftpd 3.0.3
Task 6: From your scans, what OS type is running on the target?
Unix
Task 7: What is the command we need to run in order to display the ‘ftp’ client help menu?
ftp -h
Task 8: What is username that is used over FTP when you want to log in without having an account?
anonymous
Task 9: What is the response code we get for the FTP message ‘Login successful’?
230
Task 10: There are a couple of commands we can use to list the files and directories available on the FTP server. One is dir. What is the other that is a common way to list files on a Linux system.
ls
Task 11: What is the command used to download the file we found on the FTP server?
get
🚩Root flag:
035db21c881520061c53e0536e44f815