Solving HTB Fawn CTF: A Walkthrough Guide
What does the 3-letter acronym FTP stand for?
File Transfer Protocol
FTP is a network protocol used for file transfer. It establishes a connection between the server and the client to copy files between computers. However, because of its security issues, secure versions of FTP (FTPS, SFTP) may be preferred.
Which port does the FTP service listen on usually?
21
The FTP service usually listens on TCP port 21.
What acronym is used for the secure version of FTP?
SFTP
What is the command we can use to send an ICMP echo request to test our connection to the target?
ping
┌──(root㉿kali)-[/home/kali]
└─# ping 10.129.117.38
PING 10.129.117.38 (10.129.117.38) 56(84) bytes of data.
64 bytes from 10.129.117.38: icmp_seq=1 ttl=63 time=77.5 ms
64 bytes from 10.129.117.38: icmp_seq=4 ttl=63 time=66.5 ms
64 bytes from 10.129.117.38: icmp_seq=7 ttl=63 time=66.5 ms
The command used to direct an ICMP echo request to the target to test the connection is the “ping” command.
I ping the IP given to us to check if we can get a response.
From your scans, what version is FTP running on the target?
vsftpd 3.0.3
┌──(root㉿kali)-[/home/kali]
└─# nmap -sS -sV 10.129.117.38
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-05 17:47 EST
Nmap scan report for 10.129.117.38
Host is up (0.10s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.53 seconds
For this we need to use nmap. With the right nmap parameters we get the results; googling “nmap cheatsheet” will show you the options. -sS and -sV will be enough for us. With -sS we check for open ports, and with -sV we detect versions, that is, which version of which service is running on which port.
From your scans, what OS type is running on the target?
Unix
Service Info: OS: Unix
What is the command we need to run in order to display the ‘ftp’ client help menu?
ftp -h
This part is very important: as with every tool, we can reach the help section and learn how to use it by typing “-h, --h, --help, -help”.
What is username that is used over FTP when you want to log in without having an account?
anonymous
This is something we can find with a little googling.
┌──(root㉿kali)-[/home/kali]
└─# ftp 10.129.117.38
Connected to 10.129.117.38.
220 (vsFTPd 3.0.3)
Name (10.129.117.38:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
What is the response code we get for the FTP message ‘Login successful’?
230
For example, the server returned 331. When I roughly searched Google for “ftp 331”, it said “331 User name okay, need password.” And 230 is “230 User logged in, proceed.” It means we are inside.
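The reply codes in this session can also be read mechanically. The sketch below is an added example, not part of the original walkthrough: it classifies FTP replies by their first digit, flags a control-channel capture in which an anonymous login was accepted (useful when auditing your own servers), and reads the data port out of a 229 reply. The capture, the "C:"/"S:" line labels and all function names are constructed for illustration.

```python
import re

# The first digit of an FTP reply code gives its class (RFC 959).
REPLY_CLASS = {"1": "positive preliminary", "2": "positive completion",
               "3": "positive intermediate", "4": "transient negative",
               "5": "permanent negative"}
ANON_USERS = {"anonymous", "ftp"}  # "ftp" is the conventional alias

# Constructed control-channel capture modelled on the session above.
# "C:" marks client commands, "S:" server replies (labels are an assumption).
SAMPLE = """\
S: 220 (vsFTPd 3.0.3)
C: USER anonymous
S: 331 Please specify the password.
C: PASS guest@example.invalid
S: 230 Login successful.
C: EPSV
S: 229 Entering Extended Passive Mode (|||13761|)
"""

def parse_reply(line):
    """Split 'NNN text' (or 'NNN-text', the start of a multi-line reply)."""
    m = re.fullmatch(r"(\d{3})([ -])(.*)", line)
    if not m:
        return None  # continuation line or garbage
    code, sep, text = m.groups()
    return {"code": int(code), "class": REPLY_CLASS.get(code[0], "unknown"),
            "final": sep == " ", "text": text}

def anonymous_login_accepted(capture):
    """True if a 230 reply follows a USER command naming an anonymous account."""
    user = None
    for raw in capture.splitlines():
        side, _, body = raw.partition(": ")
        if side == "C" and body.upper().startswith("USER "):
            user = body[5:].strip().lower()
        elif side == "S":
            reply = parse_reply(body)
            if reply and reply["final"] and reply["code"] == 230 and user in ANON_USERS:
                return True
    return False

def epsv_port(text):
    """Extract the data port from a 229 reply such as '(|||13761|)' (RFC 2428)."""
    m = re.search(r"\(\|\|\|(\d{1,5})\|\)", text)
    return int(m.group(1)) if m else None
```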
There are a couple of commands we can use to list the files and directories available on the FTP server. One is dir. What is the other that is a common way to list files on a Linux system.
ls
ftp> ls
229 Entering Extended Passive Mode (|||13761|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
226 Directory send OK.
ftp>
When we run “ls”, a file can be seen here. If we try to print it with “cat”, it cannot be printed. We do not have the necessary permissions.
What is the command used to download the file we found on the FTP server?
get
But we can pull the file, since that is permitted. In FTP, the “get” command is used to download the specified file from the remote FTP server to the local machine.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||20395|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |**************************************************| 32 146.71 KiB/s 00:00 ETA
226 Transfer complete.
32 bytes received in 00:00 (0.45 KiB/s)
ftp>
Submit root flag
035db21c881520061c53e0536e44f815
┌──(root㉿kali)-[/home/kali]
└─# ls
Desktop Downloads Fullscan Pictures Templates Videos
Documents flag.txt Music Public To_agentJ.txt
┌──(root㉿kali)-[/home/kali]
└─# cat flag.txt
035db21c881520061c53e0536e44f815
When we return to our desktop, we see with “ls” that the file has arrived. The flag is printed with the “cat” command.
We successfully solved the Fawn machine; this was our second step. Solving the HTB Fawn machine gave us experience in information gathering, vulnerability analysis, use of exploits, escalation of privileges, organization of pentests, system administration and basic network knowledge. By following the explanations and commands given, you can successfully complete the Fawn CTF and improve your skills in the process.
Keep adopting the “try harder” mentality, and keep improving yourself until our next machine.