FTP Bounce - Download 2ºFTP file

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Get a hacker's perspective on your web apps, network, and cloud

Find and report critical, exploitable vulnerabilities with real business impact. Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.

Resume

If you have access to a bounce FTP server, you can make it request files of other FTP server (where you know some credentials) and download that file to your own server.

Requirements

FTP valid credentials in the FTP Middle server
FTP valid credentials in Victim FTP server
Both server accepts the PORT command (bounce FTP attack)
You can write inside some directory of the FRP Middle server
The middle server will have more access inside the Victim FTP Server than you for some reason (this is what you are going to exploit)

Steps

Connect to your own FTP server and make the connection passive (pasv command) to make it listen in a directory where the victim service will send the file
Make the file that is going to send the FTP Middle server t the Victim server (the exploit). This file will be a plaint text of the needed commands to authenticate against the Victim server, change the directory and download a file to your own server.
Connect to the FTP Middle Server and upload de previous file
Make the FTP Middle server establish a connection with the victim server and send the exploit file
Capture the file in your own FTP server
Delete the exploit file from the FTP Middle server

For a more detailed information check the post: http://www.ouah.org/ftpbounce.html

Get a hacker's perspective on your web apps, network, and cloud

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousFTP Bounce attack - Scan Next22 - Pentesting SSH/SFTP

Last updated 4 months ago

Resume

If you have access to a bounce FTP server, you can make it request files of other FTP server (where you know some credentials) and download that file to your own server.

Requirements

FTP valid credentials in the FTP Middle server

FTP valid credentials in Victim FTP server

Both server accepts the PORT command (bounce FTP attack)

You can write inside some directory of the FRP Middle server

The middle server will have more access inside the Victim FTP Server than you for some reason (this is what you are going to exploit)

Steps

Connect to your own FTP server and make the connection passive (pasv command) to make it listen in a directory where the victim service will send the file

Make the file that is going to send the FTP Middle server t the Victim server (the exploit). This file will be a plaint text of the needed commands to authenticate against the Victim server, change the directory and download a file to your own server.

Connect to the FTP Middle Server and upload de previous file

Make the FTP Middle server establish a connection with the victim server and send the exploit file

Capture the file in your own FTP server

Delete the exploit file from the FTP Middle server

Get a hacker's perspective on your web apps, network, and cloud