  • Easy
  • Released 29 Mar 2024

Anonymous - Walkthrough

A detailed step-by-step guide to solving the lab and capturing the flag.

Lab Overview

This lab introduces you to FTP anonymous authentication and demonstrates how misconfigured FTP servers can expose sensitive files.

  • Platform: HackerDna
  • Lab Name: Anonymous
  • Difficulty: Easy
  • Target: Provided IP address (referred to as <target-ip>)
  • Objective: Access the FTP server using anonymous authentication and retrieve the flag

Step 1: Initial Reconnaissance

Let's start by gathering basic information about our target.

Attempting to Ping the Target

First, we'll try to ping the target IP to check its reachability:

ping <target-ip>

However, we discover that the target does not respond to ping. This is not uncommon, as many systems and networks block ICMP packets for security reasons. The lack of ping response doesn't mean the system is offline; it just means we need to try other methods to interact with it.

Port Scanning with Nmap

Since ping doesn't work, we need to use the -Pn flag with Nmap to skip the ping check:

nmap -Pn <target-ip>

The -Pn flag tells Nmap to skip host discovery and treat the host as online, so the port scan proceeds even though the target ignores ping. This is essential when scanning hosts that don't respond to ICMP echo requests.

The scan reveals two open ports:

  • Port 21 - FTP (File Transfer Protocol)
  • Port 2121 - Likely an alternative FTP port

Service Version Detection

To get more information about the services running on these ports, we can use Nmap's version detection:

nmap -Pn -sV -p21,2121 <target-ip>

This scan tells us that the FTP server is "vsftpd 2.0.8 or later" on port 21.

The presence of FTP services and the lab name "Anonymous" suggest that we should try to connect to the FTP server using anonymous authentication, which is a common misconfiguration in FTP servers.

Step 2: Connecting to the FTP Server

Now that we've identified FTP services running on the target, let's attempt to connect using anonymous authentication.

What is Anonymous FTP?

Anonymous FTP is a feature that allows users to access an FTP server without having a registered account. Users typically log in with the username "anonymous" and either an empty password or their email address as the password.

This feature is often used for public file sharing, but if not properly configured, it can expose sensitive files to unauthorized users.

Connecting to FTP

We can use the standard FTP client that comes with most operating systems to connect to the server:

ftp <target-ip>

When prompted for a username, enter:

anonymous

When prompted for a password, just press Enter (empty password) or enter any email address.

If the server has anonymous access enabled, you should see a message indicating a successful login, such as:

230 Login successful.

This confirms that the server allows anonymous authentication, which is a security misconfiguration in many contexts.
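
The USER/PASS exchange behind the login above, as an added example that is not part of the original walkthrough. A constructed local stub plays the server side, and the hypothetical helper anonymous_login_allowed() is a check an administrator can run against servers they operate; every stub reply other than the 230 line is constructed.

```python
import socket
import threading
from ftplib import FTP, error_perm


def start_stub_server(allow_anonymous):
    """Constructed one-connection FTP stub on 127.0.0.1; returns its port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        listener.close()
        with conn, conn.makefile("rb") as reader:
            def reply(text):
                conn.sendall((text + "\r\n").encode("ascii"))

            reply("220 stub FTP ready")      # greeting sent on connect
            for raw in reader:
                verb = raw.decode("ascii").strip().split(" ")[0].upper()
                if verb == "USER":
                    reply("331 Please specify the password.")
                elif verb == "PASS":
                    reply("230 Login successful." if allow_anonymous
                          else "530 Login incorrect.")
                elif verb == "QUIT":
                    reply("221 Goodbye.")
                    break
                else:
                    reply("502 Command not implemented.")

    threading.Thread(target=serve, daemon=True).start()
    return port


def anonymous_login_allowed(host, port=21, timeout=5):
    """Return (allowed, server_reply) for one anonymous login attempt."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        reply = ftp.login()      # ftplib defaults: USER anonymous / PASS anonymous@
        ftp.quit()
        return True, reply
    except error_perm as exc:    # a 5xx reply means the login was refused
        return False, str(exc)
    finally:
        ftp.close()
```

A 230 reply after PASS means the session is authenticated; a 5xx reply is what a server with anonymous access turned off should return.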

Step 3: Retrieving the Flag

After successfully logging in with anonymous credentials, we can immediately see the files in the root directory of the FTP server.

Listing Files

To list the files in the current directory, use the ls command:

ls

In the file listing, we can see flag.txt directly in the root directory. This is the flag file we're looking for.

Downloading the Flag

To download the flag file, use the get command:

get flag.txt

This will download the flag.txt file to your current local directory.

Viewing the Flag

After downloading the file, you can exit the FTP session:

exit

Then, view the contents of the downloaded file to see the flag:

cat flag.txt

The flag will be in a UUID format, which you can submit to complete the challenge.

Alternative Method: Using a GUI FTP Client

If you prefer using a graphical interface, you can use an FTP client like FileZilla:

  1. Open FileZilla
  2. Enter the target IP in the "Host" field
  3. Enter "anonymous" in the "Username" field
  4. Leave the "Password" field empty or enter any email address
  5. Click "Quickconnect"

Once connected, you'll see flag.txt in the remote site panel. Simply right-click on it and select "Download" to retrieve the flag file.

Key Takeaways

This lab demonstrates several important concepts in network security:

  • Anonymous FTP risks: Allowing anonymous FTP access can expose sensitive files to unauthorized users. In production environments, anonymous access should be disabled unless absolutely necessary.
  • Proper FTP configuration: If anonymous access is required, the FTP server should be configured to provide access only to specific, non-sensitive directories.
  • Service enumeration: Identifying running services (like FTP) is a crucial first step in security assessments.
  • Default credentials: Always check for default or common credentials (like "anonymous") when testing the security of a system.
  • Non-standard ports: Services may run on non-standard ports (like FTP on port 2121 instead of the standard port 21), so thorough port scanning is important.
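
One way to review a vsftpd configuration for the anonymous-access settings these takeaways describe (added example, not from the lab or the vsftpd project). Both sample configs are constructed, the function names are hypothetical, and the option names and defaults are those documented in the vsftpd.conf man page.

```python
# Constructed configs for illustration; not taken from the lab target.
WEAK_CONF = """\
listen_port=2121
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_world_readable_only=NO
"""
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
"""
# Built-in defaults as documented in the vsftpd.conf man page.
DEFAULTS = {
    "anonymous_enable": "YES", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "anon_world_readable_only": "YES",
}
ANON_WRITE = ("anon_upload_enable", "anon_mkdir_write_enable",
              "anon_other_write_enable")


def parse_conf(text):
    """Parse 'option=value' lines; lines starting with '#' are comments."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            options[key.strip()] = value.strip()
    return options


def audit_anonymous(text):
    """Return findings about anonymous access in a vsftpd.conf text."""
    opts = parse_conf(text)
    def on(key):
        return opts.get(key, DEFAULTS[key]).upper() == "YES"
    if not on("anonymous_enable"):
        return []
    findings = ["anonymous_enable is YES" if "anonymous_enable" in opts
                else "anonymous_enable not set: built-in default YES applies"]
    if "anon_root" not in opts:
        findings.append("anon_root not set: no dedicated public directory")
    writes = [key for key in ANON_WRITE if on(key)]
    if on("write_enable") and writes:
        findings.append("anonymous write enabled via " + ", ".join(writes))
    if not on("anon_world_readable_only"):
        findings.append("anon_world_readable_only is NO")
    return findings
```

An empty config still yields findings, because the documented built-in default for anonymous_enable is YES; disabling anonymous access needs an explicit anonymous_enable=NO.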

Real-World Relevance: Anonymous FTP access is a common misconfiguration found in real-world environments. Organizations sometimes enable it for convenience without considering the security implications. Security assessments regularly check for this type of misconfiguration as it can lead to unauthorized access to sensitive data.