Hack The Box: Machine – Fawn

Dear friend, welcome to haXez, and thank you for stopping by. Today we’re looking at the Hack The Box Machine Fawn. It’s a super easy box that requires you to enumerate the services on the box and then utilize those services to capture the flag. There are also a number of questions that you need to answer to own the machine.

Spawn Fawn

The first thing we need to do is to spawn an instance of the machine. However, a prerequisite of spawning the machine is connecting to the VPN. I’ve covered this before in my Meow walkthrough so have a look there if you don’t know where to start. Once you have connected and spawned a machine you will be given an IP address.

Ping The Thing

In order to check that we can communicate with the machine, we can use the tool ping to see if it responds to our ICMP packets. This can be run from the terminal by typing ping followed by the IP address of the box. As you can see from the output below, I sent four ping requests to the machine and it responded successfully.

┌──(kali㉿kali)-[~]
└─$ ping 10.129.247.20 
PING 10.129.247.20 (10.129.247.20) 56(84) bytes of data.
64 bytes from 10.129.247.20: icmp_seq=1 ttl=63 time=15.2 ms
64 bytes from 10.129.247.20: icmp_seq=2 ttl=63 time=14.3 ms
64 bytes from 10.129.247.20: icmp_seq=3 ttl=63 time=14.7 ms
64 bytes from 10.129.247.20: icmp_seq=4 ttl=63 time=14.9 ms
--- 10.129.247.20 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 14.349/14.776/15.169/0.293 ms

A Lap With Nmap

Now that we know we can communicate with the Fawn machine, we need to enumerate what services the machine is running. We can do this using our favorite network mapping tool Nmap. It is good practice to throw some additional flags or arguments onto your Nmap scan in order to get as much information from the scan as possible. For this reason, we are going to tell Nmap to report back the service and operating system versions. The output below shows that the machine is running vsftpd version 3.0.3 and that the base operating system is Unix.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p0- 10.129.247.20
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 12:36 EDT
Nmap scan report for 10.129.247.20
Host is up (0.017s latency).
Not shown: 65535 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=5/8%OT=21%CT=1%CU=37672%PV=Y%DS=2%DC=I%G=Y%TM=6277F198
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=103%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST11
OS:NW7%O6=M505ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%R
OS:UCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Unix
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.38 seconds

FTP Anonymity

FTP or File Transfer Protocol is a service that allows you to transfer files between a client and server. There are many clients out there including terminal and graphical based ones. One FTP misconfiguration that can be taken advantage of is the anonymous login feature. Anonymous login is just that, it allows you to log in anonymously. You don’t need to know the username or password of an existing user. You just have to specify your name as Anonymous and submit anything for a password. If Anonymous logins are supported then you will be granted access to the files on the FTP server. As you can see below, Anonymous logins are supported by the server and we can log in and view the files using the dir command.

┌──(kali㉿kali)-[~]
└─$ ftp 10.129.60.207                                                           
Connected to 10.129.60.207.
220 (vsFTPd 3.0.3)
Name (10.129.60.207:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||43096|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
226 Directory send OK.

Grab The Flag

The Fawn FTP server appears to have a text file on it called flag.txt Perhaps this is the elusive root flag that we need to capture. In order to download the flag we can use the get command. The get command allows you to download files from the server and you can see an example of me using it to download the flag below.

ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||31037|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |*****************************************************************    32       21.00 KiB/s    00:00 ETA
226 Transfer complete.
32 bytes received in 00:00 (0.60 KiB/s)

Once the flag has been downloaded, you can use the cat command to view the contents of the file.

┌──(kali㉿kali)-[~]
└─$ cat flag.txt   
035db21c881520061c53e0536e44f815 

Fawn Questions And Answers

Before we can submit the root flag, there are a number of questions that we need to answer. I will run through these questions now.

Firstly, What does the 3-letter acronym FTP stand for? File Transfer Protocol

Fawn - What does the 3-letter acronym FTP stand for?
What does the 3-letter acronym FTP stand for?

What communication model does FTP use, architecturally speaking? Client-Server Model

What communication model does FTP use, architecturally speaking?
What communication model does FTP use, architecturally speaking?

What is the name of one popular GUI FTP program? Filezilla

Fawn - what is the name of one popular GUI FTP program?
What is the name of one popular GUI FTP program?

Which port is the FTP service active on usually? 21 TCP

Fawn - Which port is the FTP service active on usually?
Which port is the FTP service active on usually?

What acronym is used for the secure version of FTP? SFTP

Fawn - What acronym is used for the secure version of FTP?
What acronym is used for the secure version of FTP?

What is the command we can use to test our connection to the target? Ping

What is the command we can use to test our connection to the target?
What is the command we can use to test our connection to the target?

From your scans, what version is FTP running on the target? vsftpd 3.0.3

From your scans, what version is FTP running on the target?
From your scans, what version is FTP running on the target?

From your scans, what OS type is running on the target? Unix

From your scans, what OS type is running on the target?
From your scans, what OS type is running on the target?

Submit root flag

Hack The Box: Machine – Meow

Dear Friend, welcome to HaXeZ where today we’re looking at one of the Hack The Box Machines called Meow. This machine is part of the Tier 0 starting point boxes and is regarded as a very easy box. Additionaly, there are a number of questions that you need to answer in order to complete this machine. First we need to connect to the VPN. In order to do that click on the Starting Point link and download the OpenVPN files.

Download VPN
Download VPN

Connect To The Hack The Box VPN

Once you have the files downloaded, put them in your Virtual Machines shared folder. If you don’t know where that is then please see my guide on creating a virtual machine shared folder. Once the file is in your shared folder, boot your Virtual Machine and log in. Next you need to either navigate to the mount point of your shared folder or put the full file path in the following command.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/VPN]
└─$ ls
starting_point_HaXeZ.ovpn                                                                                                                                                                                    
┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/VPN]
└─$ sudo openvpn starting_point_HaXeZ.ovpn
2022-04-29 08:28:32 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
---SNIP---
2022-04-29 08:41:55 Initialization Sequence Completed

You should have now successfully complete the first challenge.

Connect To VPN
Connect To VPN

Spawn The Machine

Further down the page you should see question two with an option to spawn the box. Click on the spawn the box link and it should do just that. Additionally, once the box has been spawn you should see an IP address. Essentially, this is the address for the box that we will use to communicate with it.

Spawn Machine
Spawn Machine

You can now probably answer the next few questions too. The next one should be what does the acronym VM stand for? The answer is Virtual Machine.

Virtual Machine Acronym
VM Acronym

The next question is what tool do we use to interact with the operating system in order to start our VPN connection? That will be the terminal.

VPN Service
VPN Service

After that, it asks What is the abbreviated name for a tunnel interface in the output of your VPN boot-up sequence output? You can find this out by running ifconfig on your virtual machine. If snipped out my eth0 and loop back address and some other information but you can see that the abbreviated name is tun.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Meow]
└─$ ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
inet 10.10.15.119  netmask 255.255.254.0  destination 10.10.15.119
tun machine Interface
tun Interface

Ping The Machine

Now that the box has been spawn and you know its address, it’s time to see whether we can talk to it. In order to do that we’re going to use the ‘ping’ command.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Meow]
└─$ sudo ping 10.129.122.207 | tee -a ping.txt
PING 10.129.122.207 (10.129.122.207) 56(84) bytes of data.
64 bytes from 10.129.122.207: icmp_seq=1 ttl=63 time=15.6 ms

Which should now allow you to answer the next question which is what tool do we use to test our connection to the target? The answer is ping.

Ping Machine
Ping Machine

NMAP The Machine

Next we need to find out what services are available for us to talk to on the box. In order to do that we will use NMAP.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Meow]
└─$ sudo nmap -sC -sV -p- 10.129.122.207 | tee -a nmap.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-29 08:42 EDT
Nmap scan report for 10.129.122.207
Host is up (0.036s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Furthermore, you should now be able to answer the next question which is what is the name of the tool we use to scan the targets ports? The answer is nmap.

nmap the machine
nmap tool

Telnet To The Box

The results from the nmap scan showed us that port 23 or telnet is open on the box. There were no other services listening so we should attempt to connect to telnet to see what’s running. In order to do this we need to type the telnet command followed by the ip address and then the port. Include spaces between each entity.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Meow]
└─$ sudo telnet 10.129.122.207 23
Trying 10.129.122.207...
Connected to 10.129.122.207.
Escape character is '^]'.

  █  █         ▐▌     ▄█▄ █          ▄▄▄▄
  █▄▄█ ▀▀█ █▀▀ ▐▌▄▀    █  █▀█ █▀█    █▌▄█ ▄▀▀▄ ▀▄▀
  █  █ █▄█ █▄▄ ▐█▀▄    █  █ █ █▄▄    █▌▄█ ▀▄▄▀ █▀█

Meow login: Administrator
Password: 
Login incorrect

After a bit of time waiting, we are greeted with an ascii hack the box logo. This should allow you to answer the next question which is what service do we identify on port 23/tcp during our scans? The answer is telnet.

Telnet
Telnet

Login To The Box

We now need to login to the box but we don’t have any credentials. However telnet is predominantly a windows service so we can try logging in with Administrator or admin but those don’t work. However, if we try logging in as root with a blank password then we are successfully authenticated.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Meow]
└─$ sudo telnet 10.129.122.207 23
Trying 10.129.122.207...
Connected to 10.129.122.207.
Escape character is '^]'.

  █  █         ▐▌     ▄█▄ █          ▄▄▄▄
  █▄▄█ ▀▀█ █▀▀ ▐▌▄▀    █  █▀█ █▀█    █▌▄█ ▄▀▀▄ ▀▄▀
  █  █ █▄█ █▄▄ ▐█▀▄    █  █ █ █▄▄    █▌▄█ ▀▄▄▀ █▀█

Meow login: Administrator
Password: 
Login incorrect
Meow login: root
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

After logging in we can see that the box is in fact Linux and running the Ubuntu operating system. We should now be able to answer the next question which is what username ultimately works with the remote management login prompt for the target. The answer is root.

root user
root user

Capture The Flag

Finally we now need to capture the flag. Fortunately they haven’t hidden it from us and we list out the directory we are currently in and see the file. Then all we need to do is cat that file and submit the flag to the web page.

Last login: Mon Sep  6 15:15:23 UTC 2021 from 10.10.14.18 on pts/0
root@Meow:~# ls
flag.txt  snap
root@Meow:~# cat flag.txt
b40abdfe23665f766f9c61ecba8a4c19
root@Meow:~#
Capture the flag

And that’s it, you should now have pwned meow and can move on to the next box. Congratulations.

Meow has been pwnd