FTP - 21

Nmap shows that anonymous login is enabled on the FTP service:

ftp [email protected]
Connected to 10.10.10.98.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
425 Cannot open data connection.
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  08:16PM       <DIR>          Backups
08-24-18  09:00PM       <DIR>          Engineer
226 Transfer complete.
ftp> cd Backups
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection.
08-23-18  08:16PM              5652480 backup.mdb
226 Transfer complete.
ftp> get backup.mdb
local: backup.mdb remote: backup.mdb
200 PORT command successful.
125 Data connection already open; Transfer starting.
  3% |****                                                                                                                                            |   167 KiB  167.22 KiB/s    00:32 ETAftp: Reading from network: Interrupted system call
  0% |                                                                                                                                                |    -1        0.00 KiB/s    --:-- ETA
550 The specified network name is no longer available. 
WARNING! 68 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
ftp> cd ..
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  08:16PM       <DIR>          Backups
08-24-18  09:00PM       <DIR>          Engineer
226 Transfer complete.
ftp> cd Engineer
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-24-18  12:16AM                10870 Access Control.zip
226 Transfer complete.
ftp> get 'Access Control.zip'
local: Control.zip' remote: 'Access
200 PORT command successful.
550 The system cannot find the file specified. 
ftp> get Access\ Control.zip
local: Access Control.zip remote: Access Control.zip
200 PORT command successful.
125 Data connection already open; Transfer starting.
100% |************************************************************************************************************************************************| 10870       16.70 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 45 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
10870 bytes received in 00:00 (14.97 KiB/s)
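
An added example, not part of the original write-up: a parser for the DOS-style directory listing the Microsoft FTP Service returns in the session above, used to flag files that an anonymous session can read. The `SENSITIVE_EXT` set and the function names are assumptions chosen for illustration; the sample listing lines are copied from the transcript.

```python
import re
from datetime import datetime

# DOS-style LIST line as returned in the session above:
#   MM-DD-YY  HH:MM(AM|PM)  <DIR> or size  name   (the name may contain spaces)
LIST_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}[AP]M)\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>\d+))\s+(?P<name>.+?)\s*$"
)

# Assumption: extensions treated as sensitive for this audit (not from the page).
SENSITIVE_EXT = (".mdb", ".accdb", ".bak", ".zip", ".7z", ".pst", ".sql", ".kdbx")

def parse_listing(text, parent=""):
    """Parse DOS-style LIST output, skipping FTP reply lines such as '226 ...'."""
    entries = []
    for line in text.splitlines():
        m = LIST_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{m['date']} {m['time']}", "%m-%d-%y %I:%M%p")
        entries.append({
            "path": f"{parent}/{m['name']}",
            "is_dir": m["dir"] is not None,
            "size": int(m["size"]) if m["size"] else None,
            "modified": stamp,
        })
    return entries

def flag_sensitive(entries):
    """Return paths of files whose extension suggests a backup, archive or mail store."""
    return [e["path"] for e in entries
            if not e["is_dir"] and e["path"].lower().endswith(SENSITIVE_EXT)]

# Listing lines copied from the transcript, keyed by the directory they came from.
SAMPLE = {
    "": "200 PORT command successful.\n"
        "08-23-18  08:16PM       <DIR>          Backups\n"
        "08-24-18  09:00PM       <DIR>          Engineer\n"
        "226 Transfer complete.",
    "/Backups": "08-23-18  08:16PM              5652480 backup.mdb",
    "/Engineer": "08-24-18  12:16AM                10870 Access Control.zip",
}

def audit(sample=SAMPLE):
    """Parse every captured directory and return (all entries, flagged paths)."""
    entries = [e for parent, text in sample.items() for e in parse_listing(text, parent)]
    return entries, flag_sensitive(entries)

if __name__ == "__main__":
    for path in audit()[1]:
        print("readable by anonymous FTP:", path)
```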

I tried opening the .zip file but it requires a password.

I was able to open the .mdb file on https://www.mdbopener.com/.

In there, I find a table called Auth_User:

With the password access4u@security I was able to extract the .zip file. Inside of it there is a .pst file, which I was able to open using https://goldfynch.com/pst-viewer/index.html.

Here we find more credentials: security:4Cc3ssC0ntr0ller

I'll also note the email: [email protected]
