FTP vulnerability allows to expose all confidential files of government website

Start With name of Allah, The Most Gracious and The Most Merciful.

Hey folks,
In this blog I will share you a cool technique that helps you to exploit ftp service of a website.

As we all know National Critical Information Infrastructure Protection Centre(NCIIPC) running vulnerability disclosure program for government websites. so I found a sub domain of gov.in website (example.gov.in)and start gathering information about it.

Before begin let’s see what is FTP…

What is FTP?

The File Transfer Protocol (FTP) is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network.

What is anonymous in FTP?

Using the Internet’s File Transfer Protocol (FTP), anonymous FTP is a method for giving users access to files so that they don’t need to identify themselves to the server. Using an FTP program or the FTP command interface, the user enters “anonymous” as a user ID. User “anonymous” has limited access rights to the archive host, as well as some operating restrictions.

The site admin can disable this functionality by changing the settings of FTP service.

So using google dorks i found a url of example.gov.in, the url consists a link that allows to download a document file. At that time i thought this is simple functionality provided by any website to download file from the server but i noticed the url, I found that it was accessing the file using ftp protocol instead of http or https.

URL :- ftp://example.gov.in/files/Document.pdf

I got a hint 💡 and than I decided to go more deeper in it. To find the open port i have used nmap tool for further enumeration. I found some open ports…..

As i found a ftp port open and also it allows to login using anonymous user.

But there was some twist, I have tried to connect ftp server using Terminal
(command: ftp example.gov.in)

Sometime the connection timed out and sometime it shows connection refused. maybe some firewall or IPS is blocking us to connect the server.
I lost the hope :(
I have searched CVE , exploits and vulnerabilities of the ftp but each one failed….still some hope 🤔🤔

We are hacker we can’t giving up at any situation :)

After spend couple of hours on enumeration I remember that one of my friend has shared a technique that used to add any network location(host) to our windows system.

Adding a network place in Windows allows you to access FTP, Windows file shares, and some HTTP servers (with FrontPage extensions loaded) directly in My Network Places.

Steps:-

1)Press Win+E to open Windows Explorer. Then right click to popup the sub-menu.

2)Then select option add network location then choose the protocol and enter the name of the host or website.

3)Now if you select ftp protocol it will ask you for username, add name of the user “anonymous” and click next.

You will see the network location of the particular host is added to your windows explorer.

When you double click on it 💥.

All the confidential files are exposed in explorer, we can easily download and see the content of files without any privilege.

There are lot many techniques to bypass the ftp restrictions, i have tried most of it but i failed. But this technique works well with this website (maybe due to some weak policy).

I reported to nciipc and got acknowledgement😃😃.

Hope you learned something good from this blog.
Thanks for reading.☺️☺️