Introduction

FTP is widely used for file transfers. If misconfigured, it could allow an attacker to download sensitive information, upload malicious files, and exploit log files for Remote Code Execution. Therefore, it is imperative to thoroughly footprint FTP during a penetration test.

Today we will go over the questions in the Footprinting FTP module in Hack The Box Academy. Please note, the answers have been redacted. Please use this as a look into the thought process during FTP footprinting instead of a way to get quick answers!

1. Which version of the FTP server is running on the target system? Submit the entire banner as the answer.

First we will run nmap against the FTP port (21) with default scripts (-sC) and version enumeration (-sV). We will also get in the habit of saving nmap output in all formats for documentation purposes by using -oA <filename>:

sudo nmap -sC -sV -p21 10.129.134.185 -oA ftp

# Nmap 7.94SVN scan initiated Sat May 18 20:13:32 2024 as: nmap -sC -sV -p21 -oA ftp 10.129.134.185
Nmap scan report for 10.129.134.185
Host is up (0.051s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp
| fingerprint-strings: 
|   GenericLines: 
|     220 [Redacted Version]
<SNIP>
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 18 20:14:47 2024 -- 1 IP address (1 host up) scanned in 75.06 seconds

We can also enumerate with banner grabbing using netcat:

nc 10.129.134.185 21              
220 [Redacted Version]

2. Enumerate the FTP server and find the flag.txt file. Submit the contents of it as the answer.

Let's check whether anonymous login is allowed:

ftp anonymous@10.129.134.185
Connected to 10.129.134.185.
220 [Redacted Version]
331 Anonymous login ok, send your complete email address as your password
Password: 
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Looks like anonymous login works! Let's enumerate:

ftp> dir
229 Entering Extended Passive Mode (|||23707|)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 ftpuser  ftpuser        39 Nov  8  2021 flag.txt

We see there is a file named flag.txt owned by ftpuser. Its permissions (-rw-r--r--) make it world-readable, so it looks like we have read access to it. Let's download it:

ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||16643|)
150 Opening BINARY mode data connection for flag.txt (39 bytes)
    39       20.22 KiB/s 
226 Transfer complete
39 bytes received in 00:00 (0.42 KiB/s)

Now that we have transferred it to our machine, we can read it:

cat flag.txt                    
[Redacted Flag]

And we have successfully grabbed the flag!
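
When reviewing saved session output from a server you administer or are assessing, the three replies this walkthrough relies on (the 220 banner, the 331/230 anonymous login pair, and the 229 extended passive mode port) can be pulled out automatically. The following is an added example, not part of the original write-up: the sample transcript and its banner are constructed, and matching the word "anonymous" in the reply text is an assumption about how the server words its messages.

```python
import re

# Constructed sample: server replies shaped like the session in this write-up.
SAMPLE = """\
220 ExampleFTPd 1.0 Server (constructed banner)
331 Anonymous login ok, send your complete email address as your password
230 Anonymous access granted, restrictions apply
229 Entering Extended Passive Mode (|||23707|)
150 Opening ASCII mode data connection for file list
226 Transfer complete
"""

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")    # RFC 959: code, then ' ' or '-'
EPSV = re.compile(r"\((.)\1\1(\d{1,5})\1\)")  # RFC 2428: (<d><d><d>port<d>)

def parse_replies(text):
    """Return [(code, message)], joining RFC 959 multi-line replies."""
    replies, pending = [], None
    for line in text.splitlines():
        m = REPLY.match(line)
        if pending:
            code, parts = pending
            same = bool(m) and m.group(1) == code
            parts.append(m.group(3) if same else line)
            if same and m.group(2) == " ":   # "NNN " closes a "NNN-" reply
                replies.append((int(code), "\n".join(parts)))
                pending = None
        elif m and m.group(2) == "-":
            pending = (m.group(1), [m.group(3)])
        elif m:
            replies.append((int(m.group(1)), m.group(3)))
    return replies

def summarize(text):
    """Extract the banner, anonymous-login result and EPSV data ports."""
    replies = parse_replies(text)
    banner = next((msg for code, msg in replies if code == 220), None)
    # 331 followed directly by 230 means the password step was accepted.
    # Assumption: the server mentions "anonymous" in one of the two messages.
    anon = any(a == 331 and b == 230 and "anonymous" in (ma + mb).lower()
               for (a, ma), (b, mb) in zip(replies, replies[1:]))
    ports = [int(m.group(2)) for code, msg in replies if code == 229
             for m in [EPSV.search(msg)] if m]
    return {"banner": banner, "anonymous_login": anon, "epsv_ports": ports}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A banner that names the server software and version, or anonymous_login coming back True on a server that is not meant to be public, are both findings worth recording against the FTP configuration.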