Sunday, 9 January 2022

FTP Enumeration and Exploitation

 


I am using the TryHackMe machines to enumerate and exploit the FTP server. The module is present in Network Services lab. This lab is present for premium users only.

File Transfer Protocol is a protocol used to allow remote transfer of files over a network. It uses a client-server model to do this.

A typical FTP session operates using two channels:

  • a command (sometimes called the control) channel
  • a data channel.

As their names imply, the command channel is used for transmitting commands as well as replies to those commands, while the data channel is used for transferring data.

The FTP server may support either Active or Passive connections, or both. 

  • In an Active FTP connection, the client opens a port and listens. The server is required to actively connect to it. 
  • In a Passive FTP connection, the server opens a port and listens (passively), and the client connects to it. 

Enumeration:

Perform NMAP scan on the IP address, and after a complete scan on the provided IP address we are able to view that there are two ports present which are port 21 and 80.



The FTP port and HTTP ports are open. The version FTP service is vsftpd 2.0.8 or later and on port 80 we have http service running and the service version is Apache httpd 2.4.29.

Now we should try to login to the ftp using default username “anonymous” and no password. Try to access the file for some sensitive information. According to the screenshot provided below we can see a file “PUBLIC_NOTICE.txt”. Fetch the .txt file from the FTP server. The command that we provide to access the FTP server is provided below:

                            ftp 10.10.61.190



As provided in the screenshot below access the .txt file and search for some sensitive information on the file.



Exploitation:

So, from our enumeration stage, we know:

    - There is an FTP server running on this machine

    - We have a possible username “Mike

By using the information provided above, we need to brute-force the password to the FTP server. Perform brute force using hydra as we have a possible username “mike” present with us.

The command that we use is provided below:

    "hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV 10.10.61.190 ftp"

Let's break it down:

SECTION

FUNCTION

hydra

Runs the hydra tool

-t 4

Number of parallel connections per target

-l [user]

Points to the user who's account you're trying to compromise

-P

[path to dictionary] Points to the file containing the list of possible passwords

-vV

Sets verbose mode to very verbose, shows the login+pass combination for each attempt

[machine IP]

The IP address of the target machine

ftp / protocol

Sets the protocol



After performing a brute-force using hydra we were able to get a password for login using mike as the username. The password is “password”. By using this username and password we would try to login to the ftp server again and try to search file for the sensitive information (in this condition the flag).




There is a file present on “ftp.txt” on the ftp server after accessing the file we were able to view the flag.

 




No comments:

Post a Comment