TITLE Fawn
DATE 2026-02-27
OS Linux
DIFFICULTY Easy
IP ADDRESS 10.129.15.191
TAGS

Opening

Target: Single service, FTP only.

sudo nmap -sC -sV -oN nmap/initial 10.129.15.191

21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt

nmap’s ftp-anon script confirms anonymous login is permitted and surfaces flag.txt in the root directory immediately. No further enumeration needed.


Development

Connected using the FTP client with anonymous credentials:

ftp 10.129.15.191

Username: anonymous
Password: anonymous
230 Login successful.

Listed the directory and retrieved the flag:

ls
get flag.txt

Closed the session and read the file locally:

cat flag.txt

Endgame

No privilege escalation required. Anonymous FTP access with a world-readable file is the entire attack surface.


Post-Game Analysis

Anonymous FTP is a legacy configuration that should never appear on an internet-facing host. vsftpd 3.0.3 supports authentication — this is a configuration failure, not a software vulnerability.
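
The configuration failure described above can be checked from the server side. The following Python script is an added example, not part of the original write-up or of vsftpd itself: it audits vsftpd.conf text for anonymous access, including the case where the directive is missing and the documented default applies. The function names and the three sample configurations are constructed for illustration.

```python
# Added example: audit vsftpd.conf text for anonymous-access exposure.
# Defaults as documented in vsftpd.conf(5). A directive that is absent from
# the file falls back to these, so "not set" is not the same as "off".
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
}
# The man page documents YES/NO; TRUE and 1 are also counted as enabled here
# (assumption, chosen so the audit errs towards reporting).
ENABLED = {"YES", "TRUE", "1"}

def parse_conf(text):
    """Return {option: value} from vsftpd.conf text (option=value, '#' comments)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Last occurrence wins (assumption: matches line-by-line parsing).
        settings[key.strip()] = value.strip().upper()
    return settings

def audit(text):
    """Return a list of (option, detail) findings for anonymous access."""
    explicit = parse_conf(text)
    effective = {**DEFAULTS, **explicit}
    findings = []
    if effective["anonymous_enable"] in ENABLED:
        how = "set explicitly" if "anonymous_enable" in explicit else "inherited default"
        findings.append(("anonymous_enable", f"anonymous login allowed ({how})"))
        if effective["write_enable"] in ENABLED:
            for opt in ("anon_upload_enable", "anon_mkdir_write_enable"):
                if effective[opt] in ENABLED:
                    findings.append((opt, "anonymous users can write"))
    return findings

# Constructed sample configurations (not taken from the target).
WEAK = "listen=YES\nanonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\n"
IMPLICIT = "# anonymous_enable line removed\nlisten=YES\nlocal_enable=YES\n"
HARDENED = "listen=YES\nanonymous_enable=NO\nlocal_enable=YES\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("implicit", IMPLICIT), ("hardened", HARDENED)):
        print(name, audit(conf) or "no anonymous exposure found")
```

The IMPLICIT sample shows why deleting the line is not a fix: only an explicit anonymous_enable=NO clears the finding.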

The nmap default scripts (-sC) caught this without any additional tooling. Default script scanning should always be part of initial reconnaissance.