Write-up

😾Meow

File Transfer Protocol Port 21

🐱 HTB Meow — Solution Notes

Platform: Hack The Box — Starting Point (Tier 0) Machine: Meow OS: Linux Difficulty: Very Easy Vulnerability Type: Misconfiguration — FTP Anonymous Login (Unauthenticated Access)

🗺️ Attack Chain

Ping → Nmap → FTP (Port 21) discovery → Anonymous Login → ls → get flag.txt → cat flag.txt

🧠 How Does a Hacker Think? — Before You Begin

Before starting any machine, the first question should be: "Is the target up and is my connection working?"

1️⃣ Reconnaissance

Verifying the Target is Alive

💡 What is ping?

bash

ping <TARGET_IP>

If you get replies, proceed.

Port Scanning

💡 nmap Parameters

bash

nmap -sV -sC -O <TARGET_IP>

Findings:

nmap with -sC may detect anonymous FTP login automatically. If you see a line like Anonymous FTP login allowed in the output → try connecting directly.

🧠 How Does a Hacker Think? — First Look at FTP

You found the FTP port. Now ask yourself these questions:

2️⃣ Exploitation — FTP Anonymous Login

💡 What is FTP (File Transfer Protocol)?

Step 1: Establish Connection

bash

ftp <TARGET_IP>

Step 2: Anonymous Login

bash

Name: anonymous Password: (leave blank, just press Enter)

If you see 230 Login successful, the anonymous login worked.

Step 3: List Files

bash

ftp> ls

Example output:

rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt

Step 4: Download the Flag

💡 Why is the get Command Necessary?

bash

ftp> get flag.txt ftp> exit

3️⃣ Reading the Flag

bash

cat flag.txt

🧠 How Does a Hacker Think? — Why Did This Vulnerability Exist?

The FTP Anonymous Login vulnerability almost always stems from one of these scenarios:

4️⃣ Remediation

bash

# The following settings should be applied in vsftpd.conf: # 1. Disable anonymous login anonymous_enable=NO # 2. Restrict local users to their home directories chroot_local_user=YES # 3. Use encrypted SFTP instead of FTP (via SSH) # OpenSSH is sufficient for SFTP — no separate installation needed

📚 Concepts Learned

ping: Verify the target is alive and VPN is working
sC (nmap): Auto-detect vulnerabilities like anonymous FTP with built-in scripts
FTP: Port 21, unencrypted file transfer protocol
Anonymous Login: Username: anonymous, password: blank — most common FTP misconfiguration
get command: Download a file to local machine in FTP (can't use cat on the server)
Misconfiguration: Wrong configuration = open door

🔑 General Hacker Mindset Summary

Ping first, then nmap: Is the target up? Is VPN working? Verify before anything else.
Run nmap with sC: Automatically detects vulnerabilities like anonymous FTP and default credentials.
Always try anonymous login on FTP: anonymous / blank password is the most common misconfiguration.
Don't use cat in FTP, use get: Download the file first, then read it in your local terminal.
Nothing set up as "temporary" ever stays temporary: The biggest security holes come from "this will do for now" decisions.

You might also want to look at these

Expressway

UDP Enumeration · TFTP · IKEv1 · PSK · XAUTH · Squid Proxy Log Analysis · CVE · 2025 · 32462Jun 2026

Baby

LDAP · smdpasswd · evil · winrm · SeBackupPrivilege · SAM · NTDS Extraction · pass the hash attackJun 2026

Bruno

Anonymous FTP · AS · REP Roasting · ZipSlip DLL Hijack · KrbRelayUp RBCDMay 2026

Reactor

RSC · CVE · 2025 · 55182 · V8 Inspector / Node.js Debug ProtocolMay 2026