Hackthebox Fawn解题过程详解
目标靶机:Fawn
题目难度:very easy
依然使用Kali Linux作为Pentest的操作系统,在Kali Linux首先通过openvpn以及此前下载的VPN配置文件建立VPN连接:
# openvpn starting_point_XXXXX.ovpn
然后回到Hackthebox网站,并启动Fawn目标机,Hackthebox网站会显示其目标地址,如下图绿色字体部分所示:
接下来需要回答一些基础题目:(答案可见图片里)
Task 1: What does the 3-letter acronym FTP stand for?
答案: File Transfer Protocol
Task 2: What communication model does FTP use, architecturally speaking?
答案:Client-Server model
Task 3: What is the name of one popular GUI FTP program?
答案:FileZilla
Task 4: Which port is the FTP service active on usually?
答案:21 TCP
Task 5: What acronym is used for the secure version of FTP?
答案:SFTP
Task 6: What is the command we can use to test our connection to the target?
答案: ping
Task 7: From your scans, what version is FTP running on the target?
思路:此题nmap神器了: :
#nmap -sV 10.129.137.66
答案:vsftpd 3.0.3
Task 8: From your scans, what OS type is running on the target?
答案:UNIX
最后一道题,需要拿flag,这里我走了一些弯路,虽然从上面的nmap扫描可以得到vsftpd的版本3.0.3,但是似乎对应这个版本的漏洞不多,只有一个拒绝服务的漏洞。
事实上用加强的nmap去扫描会有另外的惊喜
# nmap -A 10.129.137.66 Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-30 08:08 EDT Nmap scan report for 10.129.98.73 Host is up (0.18s latency). Not shown: 999 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:10.10.14.115 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 4 | vsFTPd 3.0.3 - secure, fast, stable |_End of status | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.92%E=4%D=3/30%OT=21%CT=1%CU=39197%PV=Y%DS=2%DC=T%G=Y%TM=6244486 OS:F%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)SEQ OS:(SP=108%GCD=1%ISR=10C%TI=Z%CI=Z%TS=A)OPS(O1=M505ST11NW7%O2=M505ST11NW7%O OS:3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST11NW7%O6=M505ST11)WIN(W1=FE88%W2= OS:FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M505NNSN OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S) Network Distance: 2 hops Service Info: OS: Unix
从这个扫描结果可以看出,这个ftp服务器配置有问题,允许匿名访问,接下就简单了 ftp登录到该服务器,flag就在登录所在的目录中。
#ftp 10.129.98.73 Connected to 10.129.98.73. 220 (vsFTPd 3.0.3) Name (10.129.98.73:root): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. -rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt 226 Directory send OK.
