#2 Fawn - Starting Point - Hack The Box || Complete detailed Walkthrough

In my previous blog, you learned:

  • How to set up and configure a VPN connection on the Windows operating system
  • What Telnet is
  • How to complete our first task, i.e. Meow

If you have not yet completed the first chapter, then click here.

1-Meow: Starting Point Hack The Box (Complete)





Introduction

Hello everyone, I welcome you to Chapter 2. In this chapter, you are going to penetrate an FTP server, i.e. Fawn.



What is FTP? According to Google:

File transfer protocol is a way to download, upload, and transfer files from one location to another on the internet, and between computer systems. FTP enables the transfer of files back and forth between computers or through the cloud. Users require an internet connection in order to execute FTP transfers.

Let’s simplify it with an example:

Consider that you are an authorized employee of a company, and you have an important document that has to be uploaded to the company's website. Here you and the company's server interact through the FTP protocol: "you" are the client and the company's machine is the server.

Note: FTP is therefore also described as a client-server protocol.

Client-Server Model




According to Wiki:

The File Transfer Protocol (FTP) is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. FTP is built on a client-server model architecture using separate control and data connections between the client and the server. FTP users may authenticate themselves with a clear-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it. For secure transmission that protects the username and password, and encrypts the content, FTP is often secured with SSL/TLS (FTPS) or replaced with SSH File Transfer Protocol (SFTP). (Click here to learn more.)


One more important thing: FTP can also be used to transfer log files from one network device to another, or to a log collection server. If you think logs are waste with no value, then you are wrong. If an attacker can gain access to the logs, they can extract all kinds of information from them, which can later be used to map out the network, enumerate usernames, detect active services, and more.

The basic working structure of an FTP server

Whenever a port runs an active service, it means the port is reserved on the target's IP address to receive requests and send results.

If we only had IP addresses or hostnames, then the hosts could only do 1 task at a time. This means that if you wanted to browse the web and play music from an application on your computer simultaneously, you could not, because the IP address would be used for handling either the first or the latter, but not both at the same time.



By having ports, you can have one IP address handling multiple services, as it adds another layer of distinction. In the case shown below, we can see FTP being active on port 21. However, let's add some extra services like SSH (Secure Shell Protocol) and HTTPD (Web Server) in order to explore a more typical example. With this type of configuration, a network administrator has set up a rudimentary core web server configuration, allowing them to achieve the following, all at the same time if need be:
  • Receive and send files that can be used to configure the webserver or serve logs to an external source
  • Be able to be logged in for remote management from a distant host, in case any configuration changes are needed
  • Serve web content that can be accessed remotely through another host's web browser.


According to Wiki:

It is considered non-standard for FTP to be used without the encryption layer provided by protocols such as SSL/TLS (FTPS) or SSH tunneling (SFTP).

FTP by itself does have the ability to require credentials before allowing access to the stored files.
However, if an attacker intercepts the connection with a Man-in-the-Middle (MitM) attack, they can read its content, because FTP traffic, including the username and password, travels in plain text, i.e. unencrypted, human-readable form. This is not the case with SSH, whose content is encrypted.


However, if the network administrators choose to wrap the connection with the SSL/TLS protocol or tunnel the FTP connection through SSH, (as shown here on my screen) to add a layer of encryption that only the source and destination hosts can decrypt, this would successfully foil most Man-in-the-Middle attacks.



Notice how port 21 has disappeared, as the FTP protocol gets moved under the SSH protocol on port 22, thus being tunneled through it and secured against any interception.

However, the situation we are dealing with in this case is much simpler. We are only going to interact with the target running a simple, misconfigured FTP service.

Let us proceed and analyze what such a service running on an internal host would look like.


Enumeration 

Click spawn machine to start the instance and get your target IP:




Firstly, let us check if our VPN connection is established or not using the ping command. 


Following the output from the command, we can see that responses are being received from the target host. This means that the host is reachable through the VPN tunnel we formed. We can now start scanning the open services on the host.

Scan using Nmap

Let's move to our next step i.e., scan the IP address using Nmap. Use the following command:

┌──(mrdev㉿mrdev)-[~] 
└─$ nmap 10.129.27.139
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-13 22:20 IST 
Nmap scan report for 10.129.27.139
Host is up (0.25s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE
21/tcp open  FTP
Nmap done: 1 IP address (1 host up) scanned in 27.51 seconds
┌──(mrdev㉿mrdev)-[~]
└─$

Our scan is completed, and we found the FTP service open and running on port 21. However, what if we would like to know the actual version of the service running on this port?

Use the following command to know the actual version of the FTP server running on the target host:

┌──(mrdev㉿mrdev)-[~]
└─$ nmap -sV 10.129.27.139
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-13 22:22 IST
Nmap scan report for 10.129.27.139
Host is up (0.23s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.93 seconds
┌──(mrdev㉿mrdev)-[~]
└─$

In our case, the -sV switch stands for version detection. Using this switch will consequently make our scan take longer but will offer us more insight into the version of the service running on the previously detected port. This means that at a glance, we would be able to tell if the target is vulnerable due to running outdated software or if we need to dig deeper to find our attack vector.

We will not be looking at exploiting the server. We will take small steps toward our goals, and the next one will involve simply interacting with the service as-is to learn more about how we should approach targets. However, having the service version always helps us gain more insight into what is running on the scanned port.


Foothold

It is time we interacted with the target. In order to access the FTP service, we will use the ftp command on our own host. It's good practice to quickly check that your FTP client is installed properly and up to date using the following command:

┌──(mrdev㉿mrdev)-[~] 
└─$   sudo apt-get install ftp
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Package ftp is a virtual package provided by:
tnftp 20210827-2
ftp-ssl 0.17.34+0.2-5.2
You should explicitly select one to install.
E: Package 'ftp' has no installation candidate

If you see a similar error, then run one of the commands below (either package provides the ftp client):

┌──(mrdev㉿mrdev)-[~] 
└─$   sudo apt-get install tnftp
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
┌──(mrdev㉿mrdev)-[~] 
└─$  sudo apt-get install ftp-ssl
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------

After it has been installed, you can run the below command to see what the service is capable of:

┌──(mrdev㉿mrdev)-[~] 
└─$   ftp -h
usage: ftp [-46AadefginpRtVv] [-N NETRC] [-o OUTPUT] [-P PORT] [-q QUITTIME]
             [-r RETRY] [-s SRCADDR]  [-T DIR,MAX[,INC]]  [-x XFERSIZE]
             [[USER@]HOST [PORT]] 
             [[USER@]HOST:[PATH][/]]
             [file:///PATH] [ftp://[USER[:PASSWORD]@]HOST[:PORT]/PATH[/][;type=TYPE]] 
             [http://[USER[:PASSWORD]@]HOST[:PORT]/PATH]
             [https://[USER[:PASSWORD]@]HOST[:PORT]/PATH]
         ftp -u URL FILE ...
         ftp -?
┌──(mrdev㉿mrdev)-[~]
└─$     

From the excerpt above, we can see that we can connect to the target host using the command below. This will initiate a request to authenticate on the FTP service running on the target, which will return a prompt back to our host:

┌──(mrdev㉿mrdev)-[~]
└─$ ftp 10.129.27.139
Connected to 10.129.27.139.
220 (vsFTPd 3.0.3)
Name (10.129.27.139:mrdev): 

The prompt will ask us for the username we want to log in with. Here is where the magic happens.




A typical misconfiguration of FTP services allows an anonymous account to access the service like any other authenticated user. Enter anonymous as the username when the prompt appears, leave the password blank, and hit Enter.

┌──(mrdev㉿mrdev)-[~]
└─$ ftp 10.129.27.139
Connected to 10.129.27.139.
220 (vsFTPd 3.0.3)
Name (localhost:mrdev): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Now, we can see that we are logged in successfully. Our terminal changes in order to show us that we can now issue FTP commands.
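An added check for this misconfiguration, written for this post and not part of the original walkthrough: anonymous_login_allowed performs the same USER/PASS exchange shown above with Python's standard ftplib and reports whether the server answers 230. stub_ftp_server is a constructed stand-in that mimics the vsftpd replies so the check runs offline; when auditing your own hosts you would point anonymous_login_allowed at the real server instead.

```python
import socket
import threading
from ftplib import FTP, error_perm

def anonymous_login_allowed(host, port=21, timeout=5):
    """True if the FTP service at host:port accepts the anonymous account
    (replies 230 to USER anonymous / PASS), False if it replies 530."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)  # reads the 220 banner
        ftp.login("anonymous", "")                # sends USER, then PASS
        return True
    except error_perm:                            # 5xx reply: login refused
        return False
    finally:
        try:
            ftp.quit()                            # QUIT, expect 221
        except Exception:
            ftp.close()

def stub_ftp_server(allow_anonymous):
    """Constructed stand-in for vsftpd (a test fixture, not a real server) that
    speaks only the replies a login needs; returns the 127.0.0.1 port it bound."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 (vsFTPd 3.0.3)\r\n")
        user = None
        for line in conn.makefile("rb"):
            cmd, _, arg = line.decode().strip().partition(" ")
            if cmd == "USER":
                user = arg
                conn.sendall(b"331 Please specify the password.\r\n")
            elif cmd == "PASS":
                ok = allow_anonymous and user == "anonymous"
                conn.sendall(b"230 Login successful.\r\n" if ok
                             else b"530 Login incorrect.\r\n")
            elif cmd == "QUIT":
                conn.sendall(b"221 Goodbye.\r\n")
                break
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for allow in (True, False):
        print(allow, anonymous_login_allowed("127.0.0.1", stub_ftp_server(allow)))
```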

Typing in the help command allows us to view which commands are available:

Some of the commands listed here seem familiar to us. We already know how to use ls and cd commands. Let us issue the first command and view the contents of the folder:

ftp> ls
229 Entering Extended Passive Mode (|||17484|)
150 Here comes the directory listing.
rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
226 Directory send OK.
ftp>

As you can notice from the output, the FTP service also reports the status of each command you send to the remote host.

Now, we can proceed to download the flag.txt to our host. In order to do so, we can use the get command, followed by the name of the file we want to download:

ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||27754|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |**********************************************************|    32       56.20 KiB/s    00:00 ETA
226 Transfer complete.
32 bytes received in 00:00 (0.09 KiB/s)
ftp> 

This will trigger the download of the file to the same directory you were in when you issued the FTP command. If we exit the FTP service, we will see the same file on our host now:

ftp> bye        # To close the interaction
221 Goodbye.
┌──(mrdev㉿mrdev)-[~]
└─$ ls
Desktop  Documents  Downloads  flag.txt   Music  Pictures  Public  Templates  thinclient_drives  Videos
┌──(mrdev㉿mrdev)-[~]
└─$ cat flag.txt
03**********************************5

We can now take the flag and submit it on the platform in order to own the box!


Task Solution/Answer


TASK 1: What does the 3-letter acronym FTP stand for?

Ans. File Transfer Protocol

TASK 2: What communication model does FTP use, architecturally speaking?

Ans. Client-Server Model

TASK 3: What is the name of one popular GUI FTP program?

Ans. FileZilla

TASK 4: Which port is the FTP service active on usually?

Ans. 21 TCP

TASK 5: What acronym is used for the secure version of FTP?

Ans. SFTP

TASK 6: What is the command we can use to test our connection to the target?

Ans. ping

TASK 7: From your scans, what version is FTP running on the target?

Ans. vsftpd 3.0.3

TASK 8: From your scans, what OS type is running on the target?

Ans. UNIX
