CSAW 2015 - FTP 2 - Exploitables (300pts) writeup
The challenge description was: This challenge is a follow up to FTP, now exploit the service.
This is a follow-up to the FTP Reversing challenge (see that writeup). This writeup will be terribly disappointing to many, since most of the work was already done in that first writeup.
I have no clue if I had to exploit anything as the title suggested, since I just did the following to get the flag:
[window1]
mrt:~/ctf/csaw/reverse/ftp$ nc 54.175.183.202 12012
Welcome to FTP server
USER blankwall
Please send password for user blankwall
PASS cookie
logged in
PASV
PASV succesful listening on port: 63634
[window2]
mrt:~/ctf/csaw/reverse/ftp$ nc 54.175.183.202 63634
[window1]
LIST
LIST complete
[window2]
drwxr-xr-x 1 0 0 4096 Sep 20 05:22 ftp_0319deb1c1c033af28613c57da686aa7
drwxr-xr-x 1 0 0 4096 Sep 20 05:22 .bashrc
drwxr-xr-x 1 0 0 4096 Sep 20 05:22 .bash_history
drwxr-xr-x 1 0 0 4096 Sep 20 05:22 run.sh
drwxr-xr-x 1 0 0 4096 Sep 20 05:22 flag.txt
drwxr-xr-x 1 0 0 4096 Sep 20 05:22 .profile
drwxr-xr-x 1 0 0 4096 Sep 20 05:22 .bash_logout
drwxr-xr-x 1 0 0 4096 Sep 20 05:22 re_solution.txt
drwxr-xr-x 1 0 0 4096 0 4096 .selected_editor
Using screen, I ran the client in window1, used the credentials I found in the FTP Reversing challenge, and used "PASV" to open a port. In window2 I used another client to connect to the newly opened port. Running some commands in window1 will send their output to window2 and then close the window2 connection, so I tried "LIST" to get a listing of files in the current folder. We can see flag.txt; it looked too easy, something is wrong:
[window1]
SIZE flag.txt
37
PASV
PASV succesful listening on port: 63531
[window2]
mrt:~/ctf/csaw/reverse/ftp$ nc 54.175.183.202 63531
[window1]
RETR flag.txt
connection accepted; transfer starting.
226 Transfer complete.
[window2]
flag{exploiting_ftp_servers_in_2015}
I guess there was a glitch somewhere; nothing to exploit apparently, and all the work happened in the reversing challenge. Oh well..
We got our flag:
flag{exploiting_ftp_servers_in_2015}
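
The two-window exchange above (control channel in window1, PASV data channel in window2), reproduced as an added example that is not part of the original writeup. It runs only against a local mock server constructed here. The mock's simplified replies, the file content, the credentials and the same-IP check on the data channel are assumptions, not known behaviour of the challenge service.

```python
import re, socket, threading

def pasv_port(reply):
    """Extract the data port from the service's PASV reply line."""
    m = re.search(r"listening on port: (\d+)", reply)
    if not m:
        raise ValueError("unexpected PASV reply: %r" % reply)
    return int(m.group(1))

def mock_server(listener, files):
    """Constructed stand-in for the service: handles one control session."""
    conn, peer = listener.accept()
    lines, data_l = conn.makefile("r"), None
    say = lambda s: conn.sendall((s + "\n").encode())
    say("Welcome to FTP server")
    for line in lines:
        cmd, _, arg = line.strip().partition(" ")
        if cmd == "PASV":
            data_l = socket.create_server(("127.0.0.1", 0))  # fresh port per PASV
            say("PASV succesful listening on port: %d" % data_l.getsockname()[1])
        elif cmd == "RETR" and data_l:
            d, dpeer = data_l.accept()
            # Assumed hardening: serve the data channel only to the control peer's IP.
            d.sendall(files.get(arg, b"") if dpeer[0] == peer[0] else b"")
            d.close(); data_l.close(); data_l = None
            say("226 Transfer complete.")
        else:
            say("ok")  # USER/PASS replies simplified in this mock

def retrieve(host, port, user, password, name):
    """Commands go over the control channel; file bytes arrive on the data channel."""
    ctrl = socket.create_connection((host, port), timeout=5)
    lines = ctrl.makefile("r")
    def send(cmd):
        ctrl.sendall((cmd + "\n").encode())
        return lines.readline().strip()
    lines.readline()                                   # banner
    send("USER " + user); send("PASS " + password)
    data = socket.create_connection((host, pasv_port(send("PASV"))), timeout=5)  # window2
    send("RETR " + name)                               # window1
    body = b"".join(iter(lambda: data.recv(4096), b""))  # read until the server closes
    data.close(); lines.close(); ctrl.close()
    return body

def demo():
    listener = socket.create_server(("127.0.0.1", 0))
    files = {"flag.txt": b"flag{constructed_sample}\n"}  # constructed content
    threading.Thread(target=mock_server, args=(listener, files), daemon=True).start()
    return retrieve("127.0.0.1", listener.getsockname()[1], "user", "pass", "flag.txt")
```

Calling demo() returns the constructed file content. Every PASV opens a new port and the data connection is closed after one transfer, which is why the transcript needs a second PASV before RETR.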