ProFTP

Port: TCP 2121
Service: ProFTPD 1.3.1

Vulnerability: Weak password policy. Lack of user account lockout after failed login attempts.

Mitigation: Require users to select strong passwords. Enforce account lockout policy for failed login attempts.

Proof of Concept
1. The victim’s machine is running ProFTP version 1.3.1 on port 2121. The first thing to try is to see if anonymous logins are enabled by entering the following in the terminal:

[Screenshot: proftp-anonymous-login]

It appears that we can’t log in anonymously, so we’ll see if we can brute-force usernames and passwords instead. There is an auxiliary module in Metasploit that will automate this process for us.

2. Open a terminal, and launch Metasploit. Once it’s opened, do a search for “ftp_login”.

[Screenshot: proftp-msf-search-ftplogin]

3. Now set Metasploit to use this module, and show the options available:

[Screenshot: proftp-msf-showoptions]

I already have the options set here – RHOSTS, PASS_FILE, RPORT, and USER_FILE. I chose to use the Unix-based wordlists available in the Metasploit directory shown above, but there are several others you could select.

4. The next thing to do is to run the module, and see if it gathers any username/password combinations. For simplicity, I’ve cropped out the majority of failed login attempts, and focused on the ones recovered.

[Screenshot: proftp-ftp-login-users]

Notice we have 3 accounts here, each with read/write access.

  • postgres:postgres
  • service:service
  • user:user

5. I’m going to use the “user” account, and see if that will let me log in:

[Screenshot: proftp-ftp-login-useracct]

6. If we type in the “ls” command, we can see files that are available to this user:

[Screenshot: proftp-useracct-ls-cmd]

7. Of interest is the “.bash_history” file. This file may contain other information that could help us further compromise the victim machine. We can use the “GET” command to copy this file to our Kali machine, then view the contents.

[Screenshot: proftp-get-bash-history]

8. Once the file is copied, we can view its contents by using the “cat” command.

[Screenshot: proftp-cat-bash-history]

9. From this file, we see that an SSH key was created with this account, and added to another user’s (msfadmin) authorized_keys file. Let’s see if we’re able to SSH in with the “user” account:

[Screenshot: proftp-ssh-useracct]

10. This was successful, but we are running with limited permissions. This account does not have the ability to view the “/etc/shadow” file, but we can view “/etc/passwd”, and find out what other accounts may be available. Here is a snippet of the “passwd” file:

[Screenshot: proftp-useracct-etcpasswd]

11. From the “/etc/passwd” file, we do see other accounts, with “msfadmin” being one. Since the accounts we gathered from brute-forcing the FTP login had weak passwords, we will see if this account follows suit. Let’s see if we can SSH in as “msfadmin”, and if so, see if it has a higher level of permissions than the “user” account.

[Screenshot: proftp-ssh-msfadmin]

12. Success! This account is also using the same weak password logic as the other accounts. Now, this account itself isn’t running as root, but we can see if it is part of the sudoers group, and see if we can now read the “/etc/shadow” file.

[Screenshot: proftp-msfadmin-etcshadow]

If we look at “/etc/sudoers”, we can see that the group “admin” has been given rights to use sudo, and the “msfadmin” account is a member of the “admin” group. With this access level, we could continue to enumerate the victim’s machine, looking for configuration files, or other data that may be sensitive.
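The brute-force in step 4 went unnoticed because nothing on the target throttled or alerted on a run of failed logins, which is exactly the gap the mitigation section names. The following Python detector is an added example and is not code from the original post: it reads log lines in the shape of ProFTPD’s syslog login messages and flags any source that fails more than a threshold of times inside a time window, plus any login success from that source while the burst is still in the window (a likely guessed credential). The sample lines, host names and addresses are constructed, and the threshold and window are assumptions a defender would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape of ProFTPD's syslog login entries
# (not taken from the post): one client hammers port 2121 with guesses,
# a different client logs in normally half an hour later.
SAMPLE_LOG = """\
Mar 05 10:00:01 ftp01 proftpd[2201] ftp01 (10.0.0.5[10.0.0.5]): USER root (Login failed): Incorrect password.
Mar 05 10:00:02 ftp01 proftpd[2202] ftp01 (10.0.0.5[10.0.0.5]): USER admin: no such user found from 10.0.0.5 [10.0.0.5] to 10.0.0.1:2121
Mar 05 10:00:03 ftp01 proftpd[2203] ftp01 (10.0.0.5[10.0.0.5]): USER postgres (Login failed): Incorrect password.
Mar 05 10:00:04 ftp01 proftpd[2204] ftp01 (10.0.0.5[10.0.0.5]): USER service (Login failed): Incorrect password.
Mar 05 10:00:05 ftp01 proftpd[2205] ftp01 (10.0.0.5[10.0.0.5]): USER user: Login successful.
Mar 05 10:30:00 ftp01 proftpd[2300] ftp01 (10.0.0.9[10.0.0.9]): USER user: Login successful.
"""

# syslog timestamp, then the client address in "(host[ip]):", then the USER message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) .*?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]\): "
    r"USER (?P<user>\S+?)(?::| \(Login failed\):) (?P<msg>.*)$"
)


def parse(line):
    """Return (timestamp, ip, user, failed) or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # year-less syslog stamp
    failed = "Login successful" not in m["msg"]          # bad password or unknown user
    return ts, m["ip"], m["user"], failed


def detect(log_text, threshold=3, window=timedelta(minutes=10)):
    """Flag sources that fail repeatedly, and any success that follows such a burst."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, user, failed = rec
        q = recent[ip]
        while q and ts - q[0] > window:   # forget failures older than the window
            q.popleft()
        if failed:
            q.append(ts)
            if len(q) == threshold:       # alert once when the threshold is reached
                alerts.append(f"{ip}: {threshold} failed logins within {window}")
        elif q:                           # success while failures are still recent
            alerts.append(f"{ip}: login as {user!r} succeeded after {len(q)} failures")
    return alerts
```

In practice the same signal belongs on the server side as a lockout: ProFTPD can close a session after a set number of failed logins, which is the control the mitigation section calls for.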

2 thoughts on “ProFTP”
  1. Thank you so much for doing this and blogging about it. I follow your YouTube channel as well and I really, really like what you are doing. Please do not stop, and I really hope that you will cover ALL the tools in Kali 2.0 and take us through a real pen test scenario, including the report writing part.

  2. Thank you for supporting me! It’s a work in progress, but I plan on working my way through as many tools as possible, as well as continuing tutorials on things like Metasploitable, and some of the other vulnerable VMs out there. Keep checking back!
