This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.

Description

In this write-up, we cover Fawn, the second Tier 0 Starting Point machine. We connect to FTP using anonymous login and download the flag to our own machine.

Exploitation Process

Reconnaissance

Port Reconnaissance

We scan the host with Nmap to find open ports:

1
2
3
4
5
6
7
nmap --open -p- -T5 -oN Puertos 10.129.250.199
Nmap scan report for 10.129.250.199
Host is up (0.040s latency).
Not shown: 65467 closed tcp ports (conn-refused), 67 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
21/tcp open ftp

At first glance, the only potential route is the FTP service running on port 21. We run Nmap’s default scripts with -sCV against port 21 to obtain more information.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
nmap -sCV -p 21 -oN Objetivos 10.129.250.199
Nmap scan report for 10.129.250.199
Host is up (0.035s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.46
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
Service Info: OS: Unix

Anonymous login is enabled, and the default credentials for this authentication method are anonymous:anonymous. The output shows that Nmap authenticated with those credentials and listed the server’s contents, revealing -rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt.

Accessing FTP

From the terminal, we can connect to FTP, log in with the credentials shown above and download flag.txt using get.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
ftp 10.129.250.199
Connected to 10.129.250.199.
220 (vsFTPd 3.0.3)
Name (10.129.250.199:void4m0n): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||14535|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
226 Directory send OK.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||49236|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |******************************************************************************************************************************************************************| 32 0.37 KiB/s 00:00 ETA
226 Transfer complete.
32 bytes received in 00:00 (0.18 KiB/s)
ftp>

We now have the flag.

1
2
3
4
5
6
 cat flag.txt
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ File: flag.txt
───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ 035db21c881520061c53e0536e44f815
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Answers

Question 1

What does the 3-letter acronym FTP stand for?

File Transfer Protocol

Question 2

Which port does the FTP service listen on usually?

21

Question 3

What acronym is used for the secure version of FTP?

SFTP

Question 4

What is the command we can use to send an ICMP echo request to test our connection to the target?

ping

Question 5

From your scans, what version is FTP running on the target?

vsftpd 3.0.3

Question 6

From your scans, what OS type is running on the target?

Unix

Question 7

What is the command we need to run in order to display the ‘ftp’ client help menu?

ftp -h

Question 8

What is username that is used over FTP when you want to log in without having an account?

anonymous

Flag

Submit root flag

035dxxxxxxxxxxxxxxxxxxxxxxxxxxxx