HTB-Fawn-Writeup
Learn how to connect to FTP
Introduction
Sometimes, when we are asked to enumerate the services of specific hosts on the client network, we will be
met with file transfer services that may have high chances to be poorly configured. The purpose of this
exercise is to familiarize yourself with the File Transfer Protocol (FTP), a native protocol to all host operating
systems and used for a long time for simple file transfer tasks, be they automated or manual. FTP can be
easily misconfigured if not correctly understood. There are cases where an employee of the client company
we are assessing might want to bypass file checks or firewall rules for transferring a file from themselves to
their peers. Considering the many different mechanisms for controlling and monitoring data flow within an
enterprise network today, this scenario becomes a substantial and viable case we might meet in the wild.
At the same time, FTP can be used to transfer log files from one network device to another or a log
collection server. Suppose the network engineer in charge of handling the configuration forgets to secure
the receiving FTP server properly or does not put enough importance on the information contained within
the logs and decides to leave the FTP service unsecured intentionally. In that case, an attacker could gain
leverage of the logs and extract all kinds of information from them, which can later be used to map out the
network, enumerate usernames, detect active services, and more.
The File Transfer Protocol (FTP) is a standard communication protocol used to transfer
computer files from a server to a client on a computer network. FTP is built on a client–
server model architecture using separate control and data connections between the client
and the server. FTP users may authenticate themselves with a clear-text sign-in protocol,
generally in the form of a username and password. However, they can connect anonymously if
the server is configured to allow it. For secure transmission that protects the username
and password and encrypts the content, FTP is often secured with SSL/TLS (FTPS) or
replaced with SSH File Transfer Protocol (SFTP).
From the first lines of the excerpt above, we can see mention of the client-server model architecture. This
refers to the roles hosts in the network have during the act of transferring data between them. Users can
download and upload files from the client (their own host) to the server (a centralized data storage device)
or vice versa. Conceptually speaking, the client is always the host that downloads and uploads files to the
server, and the server always is the host that safely stores the data being transferred.
Enumeration
Firstly, let us check if our VPN connection is established. Using the ping protocol can help with this since it is
a low-overhead method of reaching the target to get a response, thus confirming our connection is
established, and the target is reachable. Low-overhead means that very little data is sent to the target by
default, allowing us to quickly check the status of the connection without having to wait for a whole scan to
complete beforehand. The ping protocol can be invoked from the terminal using the ping {target_IP}
command, where {target_IP} is the IP address of your instance of the Fawn machine, as displayed on the
Hack The Box webpage.
Note that this might not always work in a large-scale corporate environment, as firewalls usually have rules
to prevent pinging between hosts, even in the same subnet (LAN), to avoid insider threats and discover
other hosts and services.
We can cancel the ping command by pressing CTRL+C on our keyboard, or limit the number of requests up front with ping -c 5 {target_IP}.
Following the output from the command, we can see that responses are being received from the target
host. This means that the host is reachable through the VPN tunnel we formed. We can now start scanning
the open services on the host.
In our case, the nmap -sV switch stands for version detection. Using this switch will consequently make our scan
take longer but will offer us more insight into the version of the service running on the previously detected
port. This means that at a glance, we would be able to tell if the target is vulnerable due to running outdated
software or if we need to dig deeper to find our attack vector.
We will not be looking at exploiting the service per se. We will take small steps towards our goals, and the
next one will involve simply interacting with the service as-is to learn more about how we should approach
targets.
However, having the service version always helps us gain more insight into what is running on the
scanned port.
We can see that we can connect to the target host using the command below.
This will initiate a request to authenticate on the FTP service running on the target, which will return a prompt
back to our host:
Hitting Enter after filling in the password anonymous or anon123, we can see that we are logged in successfully. Our terminal
changes in order to show us that we can now issue ftp commands.
Typing in the help command allows us to view which commands are available. You will be able to see this
pattern with every script and service that you have access to. Typing either the -h, --help, or help
commands will always issue a list of all the commands available to you as a user, with descriptions
occasionally included. If you would like to learn about a specific command in more depth, you can use a
different command: man {commandName}. However, for now, let us get back to our target.
Some of the commands listed here seem familiar to us.
We already know how to use ls and cd .
Let us issue the first command and view the contents of the folder.
As you can notice from the output, the FTP service also reports a status code for every command
you send to the remote host.
The meanings of these status codes are as follows:
200 : PORT command successful. Consider using PASV.
150 : Here comes the directory listing.
226 : Directory send OK.
Now, we can proceed to download the flag.txt to our host (Virtual Machine). In order to do so, we can
use the get command, followed by the name of the file we want to download.
In our case, it would look like this:
This will trigger the download of the file to the same directory you were in when you issued the ftp
{machineIP} command.
If we exit the FTP service, we will see the same file on our host now:
We can now take the flag and submit it on the platform in order to own the box!
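The anonymous login and the status codes walked through above, as an added example that is not part of the original writeup: parse_reply splits an FTP reply line into its code, text and reply class, and check_anonymous performs the same anonymous login and directory listing with Python's ftplib and reports the result in a form an administrator can use to audit their own servers. The ftp_factory parameter and the FakeFTP class are assumptions of this example (a constructed stand-in so the logic runs offline); the host address used in the test is a documentation address, not a real target.

```python
import ftplib
import re

# Reply lines look like "226 Directory send OK." (RFC 959); first digit = class.
REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")
REPLY_CLASS = {"1": "positive preliminary", "2": "positive completion",
               "3": "positive intermediate", "4": "transient negative",
               "5": "permanent negative"}

def parse_reply(line):
    """Split one FTP reply line into (code, text, class); None if malformed."""
    m = REPLY_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), m.group(2).strip(), REPLY_CLASS[m.group(1)[0]]

def check_anonymous(host, port=21, timeout=5, ftp_factory=ftplib.FTP):
    """Attempt an anonymous login and, on success, list the root directory.
    ftp_factory is a hypothetical injection point (default: real ftplib.FTP)
    so the logic can be exercised offline against the fake client below."""
    result = {"host": host, "anonymous_allowed": False, "banner": "",
              "entries": [], "reason": ""}
    try:
        ftp = ftp_factory()
        result["banner"] = ftp.connect(host, port, timeout=timeout)
        ftp.login("anonymous", "anonymous")  # any password when anon is enabled
        result["anonymous_allowed"] = True
        result["entries"] = ftp.nlst()
        ftp.quit()
    except ftplib.error_perm as exc:  # 5xx reply, e.g. "530 Login incorrect."
        result["reason"] = str(exc)
    except OSError as exc:  # refused, timed out, unreachable
        result["reason"] = f"connection failed: {exc}"
    return result

class FakeFTP:
    """Constructed stand-in for ftplib.FTP; not a real server."""
    def __init__(self, allow_anon=True):
        self.allow_anon = allow_anon
    def connect(self, host, port=21, timeout=None):
        return "220 Constructed test banner"
    def login(self, user, passwd):
        if not self.allow_anon:
            raise ftplib.error_perm("530 Login incorrect.")
        return "230 Login successful."
    def nlst(self):
        return ["flag.txt"]  # constructed listing
    def quit(self):
        return "221 Goodbye."
```

Against a real host, call check_anonymous("{target_IP}") with the default factory; a result with anonymous_allowed set to True and a non-empty entries list is exactly the misconfiguration the introduction warns about.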
Nice work