We’ve all heard about the File Transfer Protocol (FTP), a network protocol designed to facilitate fast connections between the hosting server and subscribers, enabling file upload, download, modification, and creation. In FTP, one device acts as the client and the other as the server. When the client sends requests to the server—for example, to download, upload, or modify a file—the server responds and sends the requested file to the client.
The FTP protocol utilizes two port numbers: 20 for data transfer and 21 for command transmission.
FTP Active Mode
FTP operates in two modes: Active mode and Passive mode. In Active mode, the client sends commands to and receives data from the FTP server, interacting by downloading, uploading, modifying, and deleting files. Requests are sent on port 21, and responses are received on port 20.
FTP Passive Mode
In Passive mode, the client sends a connection request on port 21 and directly uses port 20 to transmit data to the server.
Enumeration
Target machine IP address: 10.129.120.167
After connecting to the target network, let’s verify our connection by pinging the target IP address:
e@e:~$ ping 10.129.120.167
We received a reply from the target machine, indicating that it’s alive and reachable. Next, let’s scan the target IP address using the nmap tool to check for any open ports and their versions:
e@e:~$ nmap -sV 10.129.120.167
We identified an open FTP server running vsftpd 3.0.3 on a Unix OS.
Foothold
Before attacking the FTP server, let’s ensure that we have the latest version of the FTP client installed on our machine:
e@e:~$ sudo apt install ftp -y
Now, let’s connect to the FTP server:
e@e:~$ ftp 10.129.120.167
The server requested user credentials for authentication. Since anonymous access might be enabled, we attempted to log in with the username ‘anonymous‘ and any password we like, I will use ‘root’, which succeeded.
After accessing the server, we listed the files using the ls command:
ftp> ls
As we can see here, we have a file called ‘flag.txt’; if the user tries to echo ‘cat flag.txt‘ just like in any normal machine, it won’t run because remember, here we are extracting a specific file. The FTP protocol has some specifications and commands that depend on the OS. Since the server is running Linux, we need to learn what FTP commands we can use for this machine, which are here.
Since we found a file named ‘flag.txt’, we can use the get command to download it:
ftp> get flag.txt
We have successfully extracted the file, but something is interesting in the final output, which is:
226 Transfer complete.
Now, what 226 means? Well, after every action the user performs in an FTP server, it gets a specific return code indicating the final result of the operation, and each digit in that number donates a specific meaning. Moreover, since there are many, you can also find the FTP server return codes here.
In our case, we got a 226 return code: Closing data connection. Requested file action successful (for example, file transfer or file abort).
After successfully extracting the file we can exit the server using the following command:
ftp> bye
Since we got back to our machine and extracted the file successfully, we should find the file in the last path we were in before accessing the server, so we can list the files on the current path using the following command:
e@e:~$ ls -l
We can see the file is there! Let’s try to open that file and get the flag from it by echoing the following command:
e@e:~$ cat flag.txt
Prevention Suggestions
If we analyze our attack, we will notice that credentials played a vital role in gaining access to the machine by exploiting the anonymous user. Therefore, it is crucial to ensure that anonymous FTP access is disabled. Additionally, consider closing the FTP port if it is not regularly used. Also, the FTP server software should continually be updated to mitigate potential vulnerabilities, such as the one identified in vsftpd 3.0.3 CVE-2021-30047.
Answering HTB Questions
1- What does the 3-letter acronym FTP stand for?
- File Transfer Protocol
2- Which port does the FTP service listen on usually?
- 21
3- What acronym is used for the secure version of FTP?
- SFTP
4- What is the command we can use to send an ICMP echo request to test our connection to the target?
- ping
5- From your scans, what version is FTP running on the target?
- vsftpd 3.0.3
6- From your scans, what OS type is running on the target?
- Unix
7- What is the command we need to run in order to display the ‘ftp’ client help menu?
- ftp -h
8- What is username that is used over FTP when you want to log in without having an account?
- anonymous
9- What is the response code we get for the FTP message ‘Login successful’?
- 230
10- There are a couple of commands we can use to list the files and directories available on the FTP server. One is dir. What is the other that is a common way to list files on a Linux system?
- ls
11- What is the command used to download the file we found on the FTP server?
- get
12- What is the root flag?
- 035db21c881520061c53e0536e44f815