Ftp

Box info | OS: Ubuntu 20.04.5 LTS (Linux 5.4.0-135-generic) | Difficulty: Very Easy | Tier: 1 | Status: Starting Point Skills: FTP enumeration, SSH login, local port discovery, PostgreSQL, SSH tunneling Pwned: 2026-04-28 TL;DR Funnel is a Tier 1 box that teaches SSH pivoting through an FTP credential leak. A port scan finds only FTP (21) and SSH (22). Anonymous FTP access reveals a company welcome letter and a password policy PDF. The default password funnel123#!# combined with one of the listed usernames grants SSH access as christine. Inside the system, PostgreSQL is running on 127.0.0.1:5432 (inside a Docker container). It’s not reachable from outside. An SSH local port forward tunnels the database port to the attacker machine. Connecting to PostgreSQL as christine with the default password reveals a secrets database containing the flag. A multi-step chain: FTP → credentials → SSH → port forward → PostgreSQL → flag. ...

Box info | OS: Ubuntu (vsftpd 3.0.3 / Apache 2.4.41) | Difficulty: Very Easy | Tier: 1 | Status: Starting Point Skills: FTP enumeration, web directory discovery, credential stuffing, HTTP form brute-force Pwned: 2026-04-28 TL;DR Crocodile is a Tier 1 box that chains two services together: FTP and HTTP. A port scan finds both 21 and 80. Anonymous FTP login downloads two files — allowed.userlist and allowed.userlist.passwd — containing four usernames and four matching passwords in plaintext. The web server at port 80 runs an Apache 2.4.41 site with a login.php page. Trying all 16 username/password combinations against the login form reveals that admin:rKXM59ESxesUFHAd works. The dashboard at /dashboard displays the flag. This is credential stuffing applied to a small credential set — exactly the workflow used against real credential leaks. ...

Box info | OS: Linux (vsftpd 3.0.3) | Difficulty: Very Easy | Tier: 0 | Status: Starting Point Skills: FTP protocol basics, anonymous login, file transfer Pwned: 2026-04-27 TL;DR Fawn is an HTB Starting Point Tier 0 box built around a single misconfiguration: vsftpd 3.0.3 running with anonymous access enabled. Port scan reveals only FTP on 21/tcp. Anonymous login succeeds immediately, a directory listing reveals flag.txt, and a single curl or ftp command retrieves the flag. No shell access is possible — the server is correctly chrooted and read-only — but the flag is right there in the open. The lesson: anonymous FTP is exactly as dangerous as it sounds when sensitive files land in the shared directory. ...