HackTheBox - Fawn
Fawn is one of the Starting Point machines on HackTheBox. In this CTF we will learn about FTP (File Transfer Protocol).
Introduction
- Connect to Fawn using Pwnbox or OpenVPN.
- Spawn the machine.
Reconnaissance
To check connectivity to the target and find its open ports, we can use Ping and Nmap.
Ping
After spawning the machine, we can start by pinging the target IP.
❯ ping 10.129.137.216
PING 10.129.137.216 (10.129.137.216) 56(84) bytes of data.
64 bytes from 10.129.137.216: icmp_seq=1 ttl=63 time=343 ms
64 bytes from 10.129.137.216: icmp_seq=2 ttl=63 time=239 ms
64 bytes from 10.129.137.216: icmp_seq=3 ttl=63 time=666 ms
64 bytes from 10.129.137.216: icmp_seq=4 ttl=63 time=298 ms
--- 10.129.137.216 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 238.540/386.458/666.284/165.747 ms
Nmap
To see which ports are open, we can use Nmap. -sCV is a combination of -sC and -sV, where -sC runs Nmap's default scripts against each open port and -sV displays the version info for the service on the port.
❯ nmap -sCV 10.129.137.216
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-24 18:42 WIB
Nmap scan report for JSN.JaringanKU (10.129.137.216)
Host is up (1.6s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.104
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 183.91 seconds
Foothold
OK, we can see that port 21/tcp is open, which is the FTP service. When anonymous access is enabled, as the ftp-anon script result above shows, we can connect to FTP using the username anonymous and without a password.
FTP
❯ ftp 10.129.137.216
Connected to 10.129.137.216.
220 (vsFTPd 3.0.3)
Name (10.129.137.216:huda): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
226 Directory send OK.
ftp> get flag.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for flag.txt (32 bytes).
226 Transfer complete.
32 bytes received in 6,8e-05 seconds (460 kbytes/s)
ftp> bye
221 Goodbye.
After downloading the file, exit FTP and check your working directory.
❯ ls
flag.txt
❯ cat flag.txt
035db21c881520061c53e0536e44f815
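From the defender's side, the two weaknesses the Nmap scan reported (anonymous login allowed, plain-text control and data connections) map to settings in vsftpd.conf. The check below is an added example, not part of the original write-up; the sample configs are constructed, and it assumes a later line in the file overrides an earlier one.

```shell
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf for the
# two weaknesses the Nmap output reports on this machine.

# Print YES or NO for a boolean option in config file $1.
# $2 is the option name, $3 is vsftpd's built-in default, used when the
# option is absent. vsftpd allows no spaces around '=', so $1 is matched
# exactly. Assumption: a later line overrides an earlier one.
vsftpd_opt() {
  awk -F= -v key="$2" -v val="$3" '
    /^[ \t]*#/ { next }                                  # skip comments
    $1 == key  { val = $2; gsub(/[ \t\r]/, "", val) }    # remember last value
    END {
      val = toupper(val)
      if (val == "YES" || val == "TRUE" || val == "1") print "YES"
      else print "NO"
    }' "$1"
}

# Print one FINDING line per weakness found in the config file $1.
audit_vsftpd() {
  # Built-in default for anonymous_enable is YES: a missing line is a finding.
  if [ "$(vsftpd_opt "$1" anonymous_enable YES)" = YES ]; then
    echo "FINDING anonymous_enable: anonymous FTP login allowed"
  fi
  # Built-in default for ssl_enable is NO.
  if [ "$(vsftpd_opt "$1" ssl_enable NO)" = NO ]; then
    echo "FINDING ssl_enable: control and data connections are plain text"
  fi
}

# Constructed sample configs (not taken from the Fawn machine).
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# anonymous_enable is absent, so the built-in default (YES) applies
listen=YES
local_enable=YES
EOF
cat > "$HARD_CONF" <<'EOF'
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
EOF

echo "== weak ==";     audit_vsftpd "$WEAK_CONF"
echo "== hardened =="; audit_vsftpd "$HARD_CONF"
```

The weak sample produces both findings even though it never mentions anonymous access, because vsftpd enables it by default when the option is missing.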
This post is licensed under CC BY 4.0 by the author.