> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/ftp/trick-0005.md).

# FTP Full Filesystem Access

***

Gain initial access by leveraging anonymous FTP access configured to expose the entire filesystem.

Before attempting a manual connection, it's often useful to enumerate the FTP service to gather more information. You can run Nmap scans to identify if the FTP service is open on the target network and to check for specific configurations like anonymous access.

An Nmap script scan can be particularly helpful for FTP enumeration:

```bash
nmap --script "ftp*" -p 21 <target-ip>
```

Breakdown of some relevant scripts that might be run by `ftp*`:

1. `ftp-anon`: Checks if anonymous login is allowed. This is key for our initial goal.
2. `ftp-syst`: Retrieves system information using the SYST command, which can help in understanding the server environment.

It's important to consider that this approach is “noisy,” meaning it can trigger alarms on intrusion detection systems (IDS) or firewalls due to the amount of activity generated by these enumeration scripts.

Once you've identified a potential target, connect to the target FTP server and attempt to log in anonymously.

```bash
ftp <target_ip>
```

When prompted for credentials, use common anonymous credentials:

```
Name: ftp
Password: ftp
```

(Alternatively, some servers accept `anonymous` as the username and an email address or any string as the password.)

If the server allows anonymous login and provides access to the root filesystem (or other sensitive directories), you can browse directories and download files. Standard FTP commands include:

```bash
ls -la /          # List contents of the root directory
cd /<directory>   # Change directory
get <filename>    # Download a file
```

When attempting to download files, also check for directory traversal vulnerabilities. These occur when an attacker can manipulate the file path to access files outside the intended directory structure. This typically happens when input validation on file paths is insufficient, allowing attackers to “traverse” up the directory tree using patterns like `../`.

For example, to exploit a directory traversal vulnerability, you might try to manipulate the path with the `get` command:

```
ftp> get ../../../../etc/passwd
```

In this example, the command attempts to retrieve the `/etc/passwd` file by moving up four directory levels (the exact number of `../` may vary depending on the server's directory structure). If the server is vulnerable, it will grant access to sensitive system files that should be protected.

Additionally, try to determine if any directories are writable by the anonymous user. If writable directories are found, this could allow for uploading files, potentially escalating the impact on the server. Test for write permissions in accessible directories.

If anonymous login is disabled or fails, you might attempt to brute force login credentials. Tools like Hydra can be used for this purpose.\
This Hydra command is designed to perform a brute-force attack on an FTP server by trying multiple username and password combinations:

```bash
hydra -L <path_to_usernames_list> -P <path_to_passwords_list> ftp://<target_ip>
```

Breakdown:

* `hydra`: This is the main command for the Hydra tool.
* `-L <path_to_usernames_list>`: The `-L` option specifies the path to a file that contains a list of usernames to be tested. If you have a specific username, you can use `-l <username>` instead.
* `-P <path_to_passwords_list>`: The `-P` option specifies the path to a password list file, which contains the passwords Hydra will attempt for each username.
* `ftp://<target_ip>`: This specifies the target protocol (FTP) and the IP address of the FTP server.

Hydra will systematically attempt to log in to the FTP server using all combinations of usernames and passwords from the specified lists. If a valid combination is found, Hydra will display the correct username and password pair. Be aware that this command performs a brute-force attack, which is highly "noisy" and can trigger alerts on security systems. The success of this attack depends on the quality and relevance of the username and password lists.
