FTP, the File Transfer Protocol, is one of the oldest protocols in computing. It dates back to 1971 and by modern standards offers very poor security. So in CTF challenges where FTP presents itself as a running service, it is usually very exploitable by taking advantage of misconfigurations.
Exploits of FTP in CTF Challenges
When engaging in CTF FTP challenges there are typically five main methods that the author of the challenge expects you to use:
- Exploits in versions
- Hidden files
- Anonymous logins
- Hidden usernames and passwords
- Packet traces
Let’s explore each of these methods.
Exploits in FTP software
Although more secure than regular old FTP, vsftpd has a surprise. Version 2.3.4 contains a hidden back door. Between June 30th 2011 and July 1st 2011 the back door was added to the vsftpd code, which made this version very easy to exploit. It didn’t take long for the developers to find the flaw and patch it.
Due to the security risk of this version it often pops up in CTF challenges.
If anonymous logins are enabled in FTP then you can log in with the username Anonymous and no password. The idea behind allowing this is to let external users connect to the FTP service and download files. Typically in CTF challenges we find hidden files inside anonymous FTP servers that help us move forward with the challenge.
An easy way to find anonymous FTP is to run nmap with the -sV and -sC options against your target IP address:
nmap -sV -sC -p 21 192.168.0.1
Hidden Files in FTP Directory Listings
Hidden files in FTP listings work like hidden files in Unix and Linux file systems: any file whose name begins with a full stop is left out of a standard directory listing. To view such files, the listing command must be given extended options. For example “ls” on its own will not show the file, but listing with the -a option will show all files.
Hidden Account Info
In the process of doing a CTF challenge you usually run an nmap scan against the server. If an FTP service is found running but there is no anonymous login or exploitable software, then somewhere in the challenge you will find the login details for the FTP server. Typically these are hidden in robots.txt, embedded somewhere inside the HTML code, or sitting on a Samba share. The nmap results will list other services that you should enumerate.
It’s important to note that if an FTP service is running in a CTF challenge then the login details are certainly hidden somewhere.
FTP is well known as an insecure protocol. If a packet capture containing FTP connections is available then usually both the username and password are clearly visible in tools such as Wireshark. In the example in the image, following the FTP stream shows the login details in the clear.
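As an added example (not code from the original post), the following script reads the text of a captured FTP control channel, as you would see it in Wireshark’s follow-stream view, and lists every login attempt together with the server’s verdict and whether it was anonymous. The “>” (client) and “<” (server) line prefixes and the sample stream are constructed for this example.

```python
# Added example, not code from the original post: parse the text of a Wireshark
# "Follow TCP Stream" view of an FTP control channel and list every login it
# carries. The '>' (client) / '<' (server) prefixes are a constructed convention.
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample: an anonymous login, then a failed and a successful login
# by a named account. Everything, password included, is readable in the clear.
SAMPLE_STREAM = """\
< 220 (vsFTPd 2.3.4)
> USER anonymous
< 331 Please specify the password.
> PASS guest@example.com
< 230 Login successful.
> USER ctfuser
> PASS wrong-one
< 530 Login incorrect.
> USER ctfuser
> PASS S3cretPass!
< 230 Login successful.
"""
ANON_USERS = {"anonymous", "ftp"}  # names vsftpd treats as anonymous

@dataclass
class Login:
    user: str
    password: str
    anonymous: bool
    accepted: Optional[bool] = None  # None until the server answers PASS

def parse_ftp_stream(stream: str) -> List[Login]:
    """Pair each PASS with the USER before it and record the server's verdict."""
    logins: List[Login] = []
    pending_user: Optional[str] = None
    open_login: Optional[Login] = None
    for raw in stream.splitlines():
        direction, line = raw[:1], raw[2:].rstrip("\r")
        m = re.match(r"(?i)^(USER|PASS)\s+(\S.*)$", line) if direction == ">" else None
        if m and m.group(1).upper() == "USER":
            pending_user = m.group(2)
        elif m and pending_user is not None:  # PASS: bind it to the last USER
            open_login = Login(pending_user, m.group(2), pending_user.lower() in ANON_USERS)
            logins.append(open_login)
            pending_user = None
        elif direction == "<" and open_login and line[:1] in ("2", "4", "5"):
            # 2yz = accepted, 4yz/5yz = rejected; a 3yz (332 need ACCT) stays open
            open_login.accepted = line[0] == "2"
            open_login = None
    return logins
```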
Securing FTP Outside of CTF
These days there is no reason to use FTP. However, if you have to secure it, the best ways are:
- Patch to the latest version
- Disable anonymous ftp.
- Use a more secure FTP server such as vsftpd.
Using the above methods against any CTF challenge where you find an FTP service running should help you get past it. In the real world it would be very unusual to find vulnerable FTP servers that have any of these weaknesses exposed.