Lab Objective: Fawn is the second machine in the Starting Point Tier 0 series. The core focus is understanding that poorly configured services are vulnerable and can be exploited. In this case, we exercise our understanding of the File Transfer Protocol (FTP) — a long-standing protocol used for managing simple file tasks that can, when misconfigured, bypass firewall checks and expose network weaknesses.
Important Considerations
- GUI/Terminal — FTP servers can be navigated through the terminal or a Graphical User Interface.
- Client/Server model — the client runs on the host machine and uploads or downloads files; the server is the centralised storage that holds the transferable data.
- Port number — FTP uses port 21, reserved for the protocol. A basic web server also needs SSH (port 22) and HTTPS (port 80).
- Man-in-the-Middle — FTP can require credentials before permitting access, but network traffic can be intercepted and files read in plaintext. Always add an encryption layer such as SSL or TLS to prevent MITM attacks.
Enumeration
Task 1 — What does the 3-letter acronym FTP stand for?
Answer: File Transfer Protocol. The service typically listens on port 21.
Task 2 — What port does FTP use?
Answer: 21. Determined using: sudo nmap -sV [IP Address]
Task 3 — FTP sends data in the clear. What acronym describes its secure successor built on SSH?
Answer: SFTP (Secure File Transfer Protocol).
Task 4 — What command sends an ICMP echo request to test our connection to the target?
Answer: ping. ICMP is the Internet Control Message Protocol — a network layer protocol used for error messages and diagnostics. An echo request sends a packet and waits to receive the same packet back, confirming the target is reachable.
Task 5 — From your scans, what version is FTP running on the target?
Answer: vsftpd 3.0.3. Found using sudo nmap -sV [IP Address], where -sV detects service versions, which is useful for spotting outdated and exploitable software.
Establishing a Foothold
Task 6 — What OS Type is running on the target?
Answer: Unix.
Task 7 — What command displays the FTP client help menu?
Answer: ftp -h.
Task 8 — What username is used to log into FTP without an account?
Answer: anonymous. A misconfigured FTP service lets anyone log in with the anonymous username and receive the access of an authenticated user. The service still prompts for a password, but disregards whatever is entered once the anonymous username has been given. This is negligent behaviour.
Task 9 — What is the response code for a successful FTP login?
Answer: 230. The terminal confirms a successful login and lists available changes. To see the help menu, type help.
Task 10 — Besides dir, how else can you list files on a Linux system?
Answer: ls. The distinction: dir returns a full directory listing; ls returns a simplified one.
Task 11 — What command downloads a file found on the FTP server?
Answer: get. Specify the filename: get flag.txt. The file can then be read in the terminal or found in the downloads folder.
Task 12 — Submit the root flag.
Answer: Follow the steps above to retrieve the flag.
Final Thoughts
- Make sure your own FTP version is up to date — you cannot exploit others with outdated tools.
- Like in the gym, simple mistakes can have devastating consequences. A misconfigured FTP service is one of them.
- Spend time reading documentation on what commands do to build a holistic understanding of the tool or service.
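From the defender's side, the anonymous login in Task 8 and the plaintext risk noted under Man-in-the-Middle both come down to vsftpd.conf settings. The following is an added example, not part of the original lab material: a small auditor that applies vsftpd's documented defaults before reading the file, so an option that is missing or commented out is still judged correctly. The function names and both sample configurations are constructed for illustration.

```python
# Added example: audit the text of a vsftpd.conf for anonymous access and missing TLS.
# Defaults are those documented in the vsftpd.conf man page; an option that is
# absent from the file keeps its default, so "not mentioned" is not "disabled".
DEFAULTS = {
    "anonymous_enable": True,     # anonymous logins are on unless turned off
    "anon_upload_enable": False,
    "write_enable": False,
    "ssl_enable": False,          # control and data channels are plaintext by default
}
TRUE_VALUES = {"YES", "TRUE", "1"}


def parse_vsftpd_conf(text):
    """Return the effective boolean settings, starting from the defaults."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, comment, or not an option=value pair
        key, value = line.split("=", 1)
        if key.strip() in settings:
            settings[key.strip()] = value.strip().upper() in TRUE_VALUES
    return settings


def audit(text):
    """Return a list of findings for the body of a vsftpd.conf."""
    s = parse_vsftpd_conf(text)
    findings = []
    if s["anonymous_enable"]:
        findings.append("anonymous_enable: anonymous login permitted")
        if s["write_enable"] and s["anon_upload_enable"]:
            findings.append("anon_upload_enable: anonymous users can upload")
    if not s["ssl_enable"]:
        findings.append("ssl_enable: credentials and files cross the network in plaintext")
    return findings


# Constructed sample configurations (not taken from the lab target).
WEAK_CONF = "listen=YES\nlocal_enable=YES\n"
HARDENED_CONF = "anonymous_enable=NO\nlocal_enable=YES\nssl_enable=YES\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

The weak sample never mentions anonymous_enable or ssl_enable, yet both findings are raised because the defaults apply.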