🦌 Hack The Box Starting Point: Fawn Walkthrough

Welcome to the second walkthrough in our Hack The Box Starting Point series. If you completed Meow, you're already familiar with basic enumeration and port scanning. Now we're moving on to Fawn, which introduces you to FTP (File Transfer Protocol) and the risks of anonymous access.

Fawn builds on what you learned in Meow by teaching you how to enumerate and interact with FTP services. You'll learn about file transfer protocols, anonymous access, and how misconfigured services can expose sensitive data.

By the end of this post, you'll understand:

• What FTP is and how it works
• How to scan for FTP services
• The risks of anonymous FTP access
• How to connect to and interact with FTP servers
• How to download files from FTP servers
• The difference between FTP and secure alternatives

Let's get started.

---

🎯 The Objective

Fawn is a very easy Linux machine that teaches FTP enumeration and anonymous access. Your goal is to:

1. Connect to the HTB network and spawn the machine
2. Enumerate the target to find FTP running
3. Connect to the FTP service
4. Access files via anonymous login
5. Download and read the flag

What you'll learn:

• FTP protocol basics
• Port scanning and service version detection
• Anonymous FTP access
• FTP client commands
• File transfer operations

Difficulty: Very Easy (Tier 0)

---

🔍 Initial Setup

Connecting to HTB Network

If you haven't already, connect to the HTB network using OpenVPN (or use Pwnbox). Make sure you're connected before proceeding.

Spawning the Machine

1. Go to the Starting Point page
2. Find the Fawn machine
3. Click "Spawn Machine" — this starts the vulnerable VM
4. Wait a minute or two for it to boot up
5. Note the target IP address — you'll need this for all your commands

---

📡 Step 1: Reconnaissance

Verifying Connectivity with Ping

First, let's verify we can reach the target machine. The command we can use to send an ICMP echo request to test our connection to the target is ping.

ping -c 4 <target_ip>

Expected output:

PING <target_ip> (<target_ip>) 56(84) bytes of data.
64 bytes from <target_ip>: icmp_seq=1 ttl=63 time=XX ms
64 bytes from <target_ip>: icmp_seq=2 ttl=63 time=XX ms
64 bytes from <target_ip>: icmp_seq=3 ttl=63 time=XX ms
64 bytes from <target_ip>: icmp_seq=4 ttl=63 time=XX ms

--- <target_ip> ping statistics ---
4 packets transmitted, 4 received, 0% packet loss

If you see responses, you're connected! If not, check that the machine is spawned and you're connected to the HTB network.

---

🔍 Step 2: Port Scanning

Finding Open Ports with Nmap

Now let's scan for open ports. The most common tool for finding open ports on a target is nmap.

nmap -sV <target_ip>

What this does:

• nmap — Port scanning tool
• -sV — Version detection (identifies service versions and OS)
• <target_ip> — The target machine's IP address

Expected output:

Starting Nmap 7.94 ( https://nmap.org ) at 2026-02-01 12:00 UTC
Nmap scan report for <target_ip>
Host is up (0.XXs latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
|_ftp-bounce: bounce working!

What we learned:

• Port 21/tcp is open
• The service is FTP
• From your scans, the version FTP is running on the target is vsftpd 3.0.3
• From your scans, the OS type running on the target is Unix (shown in the scan output)
• Anonymous FTP login is allowed — this is the vulnerability we'll exploit!

Understanding FTP

What does the 3-letter acronym FTP stand for? → FTP stands for File Transfer Protocol.

Which port does the FTP service listen on usually? → FTP typically listens on port 21.

What is FTP? FTP is a protocol used to transfer files between computers over a network. It's been around since the 1970s and is still used today, though it has significant security issues.

Key characteristics of FTP:

• Uses two connections: one for commands (port 21) and one for data transfer
• Supports authentication (username/password)
• Can allow anonymous access (no password required)
• Sends all data in plain text — no encryption

The Security Problem with FTP

FTP sends data in the clear, without any encryption. This means:

• Usernames and passwords are transmitted in plain text
• File contents are transmitted in plain text
• Anyone intercepting network traffic can read everything

What acronym is used for a later protocol designed to provide similar functionality to FTP but securely, as an extension of the SSH protocol? → SFTP (SSH File Transfer Protocol).

SFTP vs FTP:

• SFTP — Secure, encrypted, uses SSH (port 22)
• FTP — Insecure, unencrypted, uses port 21
• FTPS — FTP over SSL/TLS (also secure, but different from SFTP)

Modern best practice: Use SFTP or FTPS instead of plain FTP for any production systems.

---

🚨 Step 3: FTP Enumeration

Understanding vsftpd

From our scan, we can see the FTP server is running vsftpd 3.0.3.

What is vsftpd?

• vsftpd = "Very Secure FTP Daemon"
• It's a popular FTP server for Linux/Unix systems
• Despite the name, it's only "very secure" if configured properly
• Misconfigurations (like anonymous access) can make it insecure

Checking FTP Help Menu

Before connecting, let's see what commands are available. The command we need to run in order to display the 'ftp' client help menu is:

ftp -?

What this does:

• ftp — The FTP client program
• -? — Shows the help menu with available commands

Expected output:

Usage: ftp [-46pinegvd] [HOST [PORT]]
       ftp [-46pinegvd] [-H HOST] [-P PORT] [-u USER] [-p] [-E] [-R] [-m MODE]
       ftp [-46pinegvd] [-H HOST] [-P PORT] [-u USER] [-p] [-E] [-R] [-m MODE] [-A] [-s SCRIPT]
       ftp [-46pinegvd] [-H HOST] [-P PORT] [-u USER] [-p] [-E] [-R] [-m MODE] [-A] [-s SCRIPT] [-T DIR] [FILE...]

Options:
  -4  Use IPv4 addresses only
  -6  Use IPv6 addresses only
  -p  Use passive mode
  -i  Turn off interactive prompting
  -n  Don't auto-login
  -e  Disable command editing
  -g  Disable filename globbing
  -v  Verbose mode
  -d  Enable debugging
  -H HOST  Connect to HOST
  -P PORT  Connect to PORT
  -u USER  Login as USER
  -p       Prompt for password
  -E       Don't use extended passive mode
  -R       Don't use restart
  -m MODE  Set transfer mode (ascii, binary)
  -A       Use active mode
  -s SCRIPT  Run SCRIPT after connection
  -T DIR   Set local directory

This shows you the command-line options. Once connected, you can type help or ? to see available FTP commands.

---

🔓 Step 4: Exploitation

Connecting to FTP

Now let's connect to the FTP server:

ftp <target_ip>

What this does:

• ftp — Starts the FTP client
• <target_ip> — Connects to the target machine on port 21 (FTP default)

Expected output:

Connected to <target_ip>.
220 (vsFTPd 3.0.3)
Name (target_ip:user):

The server is asking for a username. This is where we'll use anonymous access.

Anonymous FTP Login

What is the username that is used over FTP when you want to log in without having an account? → anonymous

When prompted for "Name", type:

anonymous

Then press Enter. When it asks for a password, you can either:

• Press Enter (blank password)
• Type anonymous again
• Type guest
• Type your email address (some FTP servers request this)

For this machine, just press Enter (blank password).

Expected output:

Name (target_ip:user): anonymous
331 Please specify the password.
Password: 
230 Login successful.

Success! We're logged in.

What is the response code we get for the FTP message 'Login successful'? → 230

Understanding FTP Response Codes

FTP uses numeric response codes to communicate status:

• 220 — Service ready
• 230 — Login successful
• 331 — Username OK, password required
• 150 — File status OK, about to open data connection
• 226 — Closing data connection, file transfer successful
• 550 — File unavailable or permission denied

The 230 code confirms we successfully authenticated and have access.

---

📂 Step 5: Listing Files

Viewing Available Files

Now that we're logged in, let's see what files are available. There are a couple of commands we can use to list the files and directories available on the FTP server.

One is dir. What is the other that is a common way to list files on a Linux system? → ls

Let's try both:

ls

Expected output:

229 Entering Extended Passive Mode (|||12345|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
226 Directory send OK.

Or use dir:

dir

Expected output:

229 Entering Extended Passive Mode (|||12345|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
226 Directory send OK.

What we see:

• There's a file called flag.txt
• It's 32 bytes in size
• It was created on June 4, 2021
• The permissions show -rw-r--r-- (readable by everyone)

Understanding the file listing:

• -rw-r--r-- — File permissions (read/write for owner, read for group and others)
• 1 — Number of hard links
• 0 0 — Owner and group IDs
• 32 — File size in bytes
• Jun 04 2021 — Date modified
• flag.txt — Filename

---

📥 Step 6: Downloading the Flag

Using the Get Command

Now we need to download the file. What is the command used to download the file we found on the FTP server? → get

get flag.txt

What this does:

• get — Downloads a file from the FTP server to your local machine
• flag.txt — The file to download

Expected output:

local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||12345|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
226 Transfer complete.
32 bytes received in 0.00 secs (XXX.XXX KiB/s)

Success! The file has been downloaded to your local machine (in the directory where you started the FTP client).

Exiting FTP

Now let's exit the FTP session:

quit

Or you can use:

exit

Both commands will close the FTP connection and return you to your terminal.

---

🏴 Step 7: Reading the Flag

Viewing the Flag Contents

The file flag.txt should now be in your current directory. Let's read it:

cat flag.txt

Expected output:

<flag_content>

Success! You've found the flag. Copy this and submit it on the HTB platform to mark the machine as complete.

Understanding What We Did

Let's break down what we accomplished:

1. Reconnaissance — Verified connectivity with ping
2. Enumeration — Discovered FTP running on port 21 using nmap
3. Service identification — Identified vsftpd 3.0.3 on Unix
4. Exploitation — Connected via FTP and logged in anonymously
5. Post-exploitation — Listed files with ls/dir and downloaded the flag with get

This demonstrates the complete penetration testing methodology: recon → enumerate → exploit → post-exploit.

---

✅ HTB Task Answers Summary

If you're working through HTB's questions, here are the answers:

1. What does the 3-letter acronym FTP stand for? → File Transfer Protocol
2. Which port does the FTP service listen on usually? → 21
3. What acronym is used for a secure FTP alternative? → SFTP (SSH File Transfer Protocol)
4. What command tests connection with ICMP echo request? → ping
5. What version is FTP running on the target? → vsftpd 3.0.3
6. What OS type is running on the target? → Unix
7. What command displays the FTP client help menu? → ftp -?
8. What username is used for FTP login without an account? → anonymous
9. What is the response code for 'Login successful'? → 230
10. What command lists files (besides dir)? → ls
11. What command downloads a file from FTP server? → get

---

💡 Key Takeaways

What You Learned

1. FTP basics — File Transfer Protocol, port 21, how it works
2. Security risks — FTP sends data in plain text, no encryption
3. Secure alternatives — SFTP (SSH File Transfer Protocol) for secure transfers
4. Service enumeration — Using nmap -sV to identify versions and OS
5. Anonymous access — The risks of allowing anonymous FTP login
6. FTP client commands — ls, dir, get, quit
7. FTP response codes — Understanding status messages (230 = login successful)

Why This Matters in Real Penetration Testing

Anonymous FTP access is a common misconfiguration found in:

• Development and staging environments
• Legacy systems that haven't been updated
• Systems where convenience was prioritized over security
• File sharing setups that weren't properly secured

What this teaches you:

• Always check for anonymous access on FTP servers
• Look for exposed files containing sensitive data
• Understand that convenience features can be security risks
• Know how to enumerate and interact with common services

In real assessments:

• Anonymous FTP often exposes:
  • Configuration files
  • Backup files
  • Source code
  • Database dumps
  • Credentials
  • Internal documentation

---

🔒 Security Lessons

For System Administrators

Never allow anonymous FTP access in production:

• Disable anonymous access unless absolutely necessary
• If anonymous access is needed, restrict it to read-only
• Use SFTP or FTPS instead of plain FTP
• Implement strong authentication for all FTP users
• Monitor FTP access logs for suspicious activity

Secure FTP configurations:

• Disable anonymous login: anonymous_enable=NO in vsftpd.conf
• Require SSL/TLS: Use FTPS instead of FTP
• Use SFTP: Better yet, use SFTP (SSH-based) instead
• Restrict access: Use firewall rules to limit who can connect
• Regular audits: Scan your network for FTP services

For Penetration Testers

This machine demonstrates:

• The importance of thorough service enumeration
• How version detection helps identify vulnerabilities
• Why anonymous access is a critical finding
• How simple misconfigurations expose sensitive data

In real assessments:

• Always check FTP servers for anonymous access
• Look for exposed files containing credentials or sensitive data
• Document the risk: unencrypted protocol + anonymous access = high risk
• Recommend SFTP or FTPS as secure alternatives

---

🛠 Alternative Approaches

Using Nmap FTP Scripts

Nmap has built-in scripts for FTP enumeration:

nmap --script ftp-anon,ftp-bounce <target_ip>

What this does:

• --script ftp-anon — Checks for anonymous FTP access
• --script ftp-bounce — Tests for FTP bounce attack vulnerability

This can automate the discovery of anonymous access.

Using curl for FTP

You can also use curl to interact with FTP:

curl ftp://<target_ip>/flag.txt --user anonymous:

What this does:

• curl — Command-line tool for transferring data
• ftp:// — FTP protocol
• --user anonymous: — Anonymous login (blank password)

Using wget for FTP

Similarly, wget can download files from FTP:

wget ftp://anonymous@<target_ip>/flag.txt

---

🚨 Common Issues

"Connection refused" or "Connection timed out"

Problem: Can't connect to the FTP server.

Solutions:

• Make sure the machine is spawned
• Verify you're connected to HTB network
• Check that you're using the correct IP address
• Wait for the machine to fully boot

"530 Login incorrect"

Problem: Anonymous login isn't working.

Solutions:

• Try different password options (blank, "anonymous", "guest", email)
• Check if anonymous access is actually enabled
• Verify you're connecting to the right port (21)

"227 Entering Passive Mode" followed by timeout

Problem: FTP passive mode connection issues.

Solutions:

• Try active mode: passive command in FTP (toggles passive mode)
• Check firewall settings
• Use ftp -p flag to disable passive mode: ftp -p <target_ip>

File not found after download

Problem: Downloaded file isn't in expected location.

Solutions:

• Check your current directory: pwd (in terminal, not FTP)
• Files download to the directory where you started FTP
• Use lcd in FTP to change local directory before downloading

---

📚 Additional Resources

• FTP Protocol Specification (RFC 959) — Original FTP specification
• vsftpd Documentation — vsftpd configuration guide
• HTB Fawn Machine Page — Official machine page
• SFTP vs FTP vs FTPS — Understanding secure file transfer options
• Nmap FTP Scripts — Nmap FTP enumeration scripts

---

🎯 What's Next?

Now that you've completed Fawn, you're ready for the next machine in Tier 0: Dancing.

Dancing will teach you:

• SMB (Server Message Block) enumeration
• Network share access
• Windows file sharing protocols
• More advanced service interaction

But first, make sure you:

• ✅ Successfully completed Fawn
• ✅ Understand FTP basics and anonymous access risks
• ✅ Know how to use FTP client commands (ls, dir, get)
• ✅ Understand the difference between FTP and SFTP

---

📊 Completion Proof

I successfully completed Fawn on June 11, 2025. You can verify the completion here.

---

Questions about Fawn or FTP enumeration? Reach out directly:

• Email: m1k3@msquarellc.net
• Phone: (559) 670-3159
• Schedule: Book a free consultation

---

M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice