FTP
Nmap discovered an FTP server on target port 21.
The running service is ProFTPD 1.3.5a.
┌──(kali㉿kali)-[~/archive/htb/labs/blocky]
└─$ ftp $IP
Connected to 10.10.10.37.
220 proftpd 1.3.5a server (debian) [::ffff:10.10.10.37]
name (10.10.10.37:kali): anonymous
331 Password required for anonymous
password: anonymous
530 Login incorrect.
ftp: Login failed
ftp> exit
221 Goodbye.
Anonymous login is rejected; the target FTP server requires authentication.
notch Session
┌──(kali㉿kali)-[~/archive/htb/labs/blocky]
└─$ ftp $IP
Connected to 10.10.10.37.
220 ProFTPD 1.3.5a Server (Debian) [::ffff:10.10.10.37]
Name (10.10.10.37:kali): notch
331 Password required for notch
Password:
230 User notch logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||20080|)
150 Opening ASCII mode data connection for file list
drwxrwxr-x 7 notch notch 4096 Jul 3 2017 minecraft
-r-------- 1 notch notch 33 Sep 19 05:43 user.txt
226 Transfer complete
The leaked credential worked against the target FTP server. This may suggest that I could connect directly to the target system via SSH.
Vulnerability
┌──(kali㉿kali)-[~/archive/htb/labs/blocky]
└─$ searchsploit ProFTPD 1.3.5
------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2) | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
------------------------------------------------------------------- ---------------------------------
shellcodes: No Results
papers: No Results
ProFTPD 1.3.5 has been known for its mod_copy bug.