Step 1: Click on the green button to Start the Lab
Step 2: Hack the URL or IP of the lab
Step 3: Use your skills and logic to find the flags!
A detailed step-by-step guide to solving the lab and capturing the flag.
This lab introduces you to FTP anonymous authentication and demonstrates how misconfigured FTP servers can expose sensitive files.
Let's start by gathering basic information about our target.
First, we'll try to ping the target IP to check its reachability:
ping <target-ip>
However, we discover that the target does not respond to ping. This is not uncommon, as many systems and networks block ICMP packets for security reasons. The lack of ping response doesn't mean the system is offline; it just means we need to try other methods to interact with it.
Since ping doesn't work, we need to use the -Pn
flag with Nmap to skip the ping check:
nmap -Pn <target-ip>
The -Pn
flag tells Nmap to assume the host is online and skip the initial ping probe. This is essential when scanning hosts that don't respond to ICMP echo requests.
The scan reveals two open ports:
To get more information about the services running on these ports, we can use Nmap's version detection:
nmap -Pn -sV -p21,2121 <target-ip>
This scan tells us that the FTP server is "vsftpd 2.0.8 or later" on port 21.
The presence of FTP services and the lab name "Anonymous" suggests that we should try to connect to the FTP server using anonymous authentication, which is a common misconfiguration in FTP servers.
Now that we've identified FTP services running on the target, let's attempt to connect using anonymous authentication.
Anonymous FTP is a feature that allows users to access an FTP server without having a registered account. Users typically log in with the username "anonymous" and either an empty password or their email address as the password.
This feature is often used for public file sharing, but if not properly configured, it can expose sensitive files to unauthorized users.
We can use the standard FTP client that comes with most operating systems to connect to the server:
ftp <target-ip>
When prompted for a username, enter:
anonymous
When prompted for a password, just press Enter (empty password) or enter any email address.
If the server has anonymous access enabled, you should see a message indicating a successful login, such as:
230 Login successful.
This confirms that the server allows anonymous authentication, which is a security misconfiguration in many contexts.
After successfully logging in with anonymous credentials, we can immediately see the files in the root directory of the FTP server.
To list the files in the current directory, use the ls
command:
ls
In the file listing, we can see flag.txt
directly in the root directory. This is the flag file we're looking for.
To download the flag file, use the get
command:
get flag.txt
This will download the flag.txt file to your current local directory.
After downloading the file, you can exit the FTP session:
exit
Then, view the contents of the downloaded file to see the flag:
cat flag.txt
The flag will be in a UUID format, which you can submit to complete the challenge.
If you prefer using a graphical interface, you can use an FTP client like FileZilla:
Once connected, you'll see flag.txt
in the remote site panel. Simply right-click on it and select "Download" to retrieve the flag file.
This lab demonstrates several important concepts in network security:
Real-World Relevance: Anonymous FTP access is a common misconfiguration found in real-world environments. Organizations sometimes enable it for convenience without considering the security implications. Security assessments regularly check for this type of misconfiguration as it can lead to unauthorized access to sensitive data.
Sign-in to your account to access your hacking courses and cyber security labs.
Access all hacking courses and cyber security labs.