Fawn
Tags: #ftp #protocols #reconnaissance #anonymous_access
Level: Starting Point
Date: 2025-05-23
VM IP: 10.129.48.104
Task 1
What does the 3-letter acronym FTP stand for?
File Transfer Protocol
Resources: File Transfer Protocol - SFTP - TFTP
Task 2
Which port does the FTP service listen on usually?
21
Task 3
FTP sends data in the clear, without any encryption. What acronym is used for a later protocol designed to provide similar functionality to FTP but securely, as an extension of the SSH protocol?
SFTP
Task 4
What is the command we can use to send an ICMP echo request to test our connection to the target?
ping
Resources: ICMP
Task 5
From your scans, what version is FTP running on the target?
Open up a terminal, and go ahead and scan targets.
Use nmap to scan ports on target IP
┌──(macc㉿kaliLab)-[~]
└─$ nmap -sC 10.129.48.104
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-23 18:25 MDT
Nmap scan report for 10.129.48.104
Host is up (0.10s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.81
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
Nmap done: 1 IP address (1 host up) scanned in 4.30 seconds
- Note: the -sC flag will give us some additional information that is helpful for us.
  - -s: specify scan type
- From this scan we can see port 21 is open, that is FTP
- This FTP server is particularly insecure because anonymous login has been allowed. That means anyone can log in, and it looks like we are allowed to pull any files.
The version number of FTP is: vsFTPd 3.0.3
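To turn the scan output above into a list of findings with a fix for each, the sketch below parses the ftp-syst and ftp-anon script lines. It is an added example, not part of the original walkthrough; the function name triage and the severity labels are assumptions, and the suggested fixes name standard vsftpd.conf options.

```python
import re

# Constructed sample: FTP script lines copied from the -sC scan shown above.
SAMPLE = """\
21/tcp open ftp
| ftp-syst:
| Logged in as ftp
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
"""

# ls -l style line printed by ftp-anon: perms, links, uid, gid, size, date, name
LISTING = re.compile(
    r"^\|[_ ]?\s*([-dl][-rwxsStT]{9})\s+\d+\s+\S+\s+\S+\s+(\d+)"
    r"\s+\w{3}\s+\d+\s+[\d:]+\s+(.+)$")

def triage(nmap_text):
    """Turn nmap ftp-syst/ftp-anon output into (severity, finding, fix) tuples."""
    findings, exposed, anon = [], [], False
    for line in nmap_text.splitlines():
        if "ftp-anon:" in line and "login allowed" in line:
            anon = True
            findings.append(("high", "anonymous login allowed", "anonymous_enable=NO"))
        elif "Control connection is plain text" in line:
            findings.append(("medium", "commands and passwords sent in cleartext",
                             "ssl_enable=YES or move to SFTP"))
        elif "Data connections will be plain text" in line:
            findings.append(("medium", "file contents sent in cleartext",
                             "ssl_enable=YES or move to SFTP"))
        elif (m := re.search(r"vsFTPd\s+([\d.]+)", line, re.I)):
            findings.append(("info", f"version disclosed: vsFTPd {m.group(1)}",
                             "keep vsftpd patched"))
        elif (m := LISTING.match(line)):
            perms, size, name = m.group(1), int(m.group(2)), m.group(3)
            if perms[7] == "r":  # read bit for "other" is set
                exposed.append((name, size))
    if anon and exposed:
        names = ", ".join(f"{n} ({s} bytes)" for n, s in exposed)
        findings.append(("high", f"readable without an account: {names}",
                         "remove from anon_root or disable anonymous access"))
    return findings

if __name__ == "__main__":
    for sev, finding, fix in triage(SAMPLE):
        print(f"[{sev:6}] {finding:50} -> {fix}")
```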
Task 6
From your scans, what OS type is running on the target?
Use nmap with the -O flag to scan the OS type running on the target:
┌──(macc㉿kaliLab)-[~]
└─$ sudo nmap -O 10.129.48.104
[sudo] password for macc:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-23 18:30 MDT
Nmap scan report for 10.129.48.104
Host is up (0.14s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.28 seconds
- -O: enable remote OS identification
- Note the OS is Linux, a Unix-based OS.
Confirm it using -sV flag:
┌──(macc㉿kaliLab)-[~]
└─$ nmap -sV 10.129.48.104
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-23 18:34 MDT
Nmap scan report for 10.129.48.104
Host is up (0.15s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.44 seconds
- -s: specify scan type
- V: version detection
Look at the line:
Service Info: OS: Unix
- From here we know the system is running a Unix OS
Task 7
What is the command we need to run in order to display the 'ftp' client help menu?
ftp -?
Example ftp -? usage:
┌──(macc㉿kaliLab)-[~]
└─$ ftp -?
usage: ftp [-46AadefginpRtVv] [-N NETRC] [-o OUTPUT] [-P PORT] [-q QUITTIME]
[-r RETRY] [-s SRCADDR] [-T DIR,MAX[,INC]] [-x XFERSIZE]
[[USER@]HOST [PORT]]
[[USER@]HOST:[PATH][/]]
[file:///PATH]
[ftp://[USER[:PASSWORD]@]HOST[:PORT]/PATH[/][;type=TYPE]]
[http://[USER[:PASSWORD]@]HOST[:PORT]/PATH]
[https://[USER[:PASSWORD]@]HOST[:PORT]/PATH]
...
ftp -u URL FILE ...
ftp -?
-4 Only use IPv4 addresses
-6 Only use IPv6 addresses
-A Force active mode
-a Use anonymous login
-d Enable debugging
-e Disable command-line editing
-f Force cache reload for FTP or HTTP proxy transfers
-g Disable file name globbing
-i Disable interactive prompt during multiple file transfers
-N NETRC Use NETRC instead of ~/.netrc
-n Disable auto-login
-o OUTPUT Save auto-fetched files to OUTPUT
-P PORT Use port PORT
-p Force passive mode
-q QUITTIME Quit if connection stalls for QUITTIME seconds
-R Restart non-proxy auto-fetch
-r RETRY Retry failed connection attempts after RETRY seconds
-s SRCADDR Use source address SRCADDR
-t Enable packet tracing
-T DIR,MAX[,INC]
Set maximum transfer rate for direction DIR to MAX bytes/s,
with optional increment INC bytes/s
-u URL URL to upload file arguments to
-V Disable verbose and progress
-v Enable verbose and progress
-x XFERSIZE Set socket send and receive size to XFERSIZE
-? Display this help and exit
- Note: ftp -h or ftp -help will give you a condensed version of this.
Task 8
What is username that is used over FTP when you want to log in without having an account?
Use nmap to scan ports on target IP
┌──(macc㉿kaliLab)-[~]
└─$ nmap -sC 10.129.48.104
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-23 18:25 MDT
Nmap scan report for 10.129.48.104
Host is up (0.10s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.81
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
Nmap done: 1 IP address (1 host up) scanned in 4.30 seconds
Note the following line:
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
- We can see that anonymous login is enabled.
- Answer: anonymous
Task 9
What is the response code we get for the FTP message 'Login successful'?
Let's go ahead and try to log in with ftp
┌──(macc㉿kaliLab)-[~]
└─$ ftp 10.129.48.104
...
Now enter anonymous as Name and specify no password by hitting Enter when asked for password
Connected to 10.129.48.104.
220 (vsFTPd 3.0.3)
Name (10.129.48.104:macc): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
From this output we see that the Login successful code is 230.
Task 10
There are a couple of commands we can use to list the files and directories available on the FTP server. One is dir. What is the other that is a common way to list files on a Linux system.
ls
Try using ls to list files on the ftp connection
ftp> ls
229 Entering Extended Passive Mode (|||16775|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
226 Directory send OK.
- As we would have guessed there is a flag.txt file in this directory
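The three-digit codes in the session above follow the RFC 959 scheme (first digit is the outcome, second digit is the subsystem), and the 229 reply carries the port of the separate data connection in the RFC 2428 format. The parser below is an added example, not part of the original walkthrough; the function names parse_reply, epsv_port and summarize are assumptions.

```python
import re

# Constructed sample: server replies copied from the sessions shown above.
SESSION = [
    "220 (vsFTPd 3.0.3)",
    "331 Please specify the password.",
    "230 Login successful.",
    "229 Entering Extended Passive Mode (|||16775|)",
    "150 Here comes the directory listing.",
    "226 Directory send OK.",
]

# RFC 959, section 4.2: meaning of the first and second reply-code digits.
FIRST = {"1": "preliminary", "2": "complete", "3": "need more input",
         "4": "transient failure", "5": "permanent failure"}
SECOND = {"0": "syntax", "1": "information", "2": "connections",
          "3": "authentication", "4": "unspecified", "5": "file system"}

def parse_reply(line):
    """Split one reply line into code, outcome, subsystem and free text."""
    m = re.match(r"^([1-5])([0-5])\d[ -](.*)$", line)
    if not m:
        raise ValueError(f"not an FTP reply: {line!r}")
    return {"code": int(line[:3]), "status": FIRST[m.group(1)],
            "group": SECOND[m.group(2)], "text": m.group(3)}

def epsv_port(text):
    """RFC 2428: the 229 text holds (<d><d><d>port<d>), where d is one delimiter."""
    m = re.search(r"\((.)\1\1(\d{1,5})\1\)", text)
    if not m or not 0 < int(m.group(2)) < 65536:
        raise ValueError(f"no valid EPSV port in {text!r}")
    return int(m.group(2))

def summarize(session):
    """Report whether login succeeded, which data ports opened, and any failures."""
    state = {"logged_in": False, "data_ports": [], "failures": []}
    for line in session:
        r = parse_reply(line)
        if r["code"] == 230:
            state["logged_in"] = True
        elif r["code"] == 229:
            state["data_ports"].append(epsv_port(r["text"]))
        elif r["status"].endswith("failure"):
            state["failures"].append(r["code"])
    return state

if __name__ == "__main__":
    print(summarize(SESSION))
```

The data port changes on every transfer (16775 for the listing, a different one for the download), which is why packet captures and firewall rules for FTP have to account for more than port 21.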
Task 11
What is the command used to download the file we found on the FTP server?
get
You can get a list of usable commands while on the ftp connection by typing help
ftp> help
Commands may be abbreviated. Commands are:
! delete hash mlsd pdir remopts struct
$ dir help mlst pls rename sunique
account disconnect idle mode pmlsd reset system
append edit image modtime preserve restart tenex
ascii epsv lcd more progress rhelp throttle
bell epsv4 less mput prompt rmdir trace
binary epsv6 lpage mreget proxy rstatus type
bye exit lpwd msend put runique umask
case features ls newer pwd send unset
cd fget macdef nlist quit sendport usage
cdup form mdelete nmap quote set user
chmod ftp mdir ntrans rate site verbose
close gate mget open rcvbuf size xferbuf
cr get mkdir page recv sndbuf ?
debug glob mls passive reget status
Submit the Flag
Use the get command on the found flag.txt file to download that file
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||47789|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |*************************************************************************| 32 0.52 KiB/s 00:00 ETA
226 Transfer complete.
32 bytes received in 00:00 (0.09 KiB/s)
Now type bye or exit to log out of your ftp session and get back to your terminal
ftp> bye
221 Goodbye.
List your current directory files to find the recently downloaded file from ftp
┌──(macc㉿kaliLab)-[~]
└─$ ls
Desktop Documents Downloads flag.txt Music Pictures Public Shared shared.sh Templates Videos
Go ahead and cat that file to see its contents
┌──(macc㉿kaliLab)-[~]
└─$ cat flag.txt
035db21c881520061c53e0536e44f815
- There we have our flag!
flag: 035db21c881520061c53e0536e44f815