_  _              _
     ___  __| || |__  _ _  ___| |__
    / -_)/ _` || '_ \| '_|(_-<| / /
    \___|\__,_||_.__/|_|  /__/|_\_\
                    u/edbrsk's blog

Real Case - ajtorello.cat | Hi, here you have the proftpd panel

Torelló is my hometown; I've been living there for almost, I don't know, 15 years? Taking into account that I moved to another place when I was a teenager.

One day I was helping my mom with some administrative tasks. The website was horrible, and surprise… I found on Google a link that was redirecting to another place, but I was able to read in the description "ajtorello.cat/proftpd". WTF? Is the proftpd panel open to the Internet? Yes, it was! Actually, without any password, I was able to create an FTP account with 777 permissions.

Imagine what you can do…

Download/upload resources, find SQL credentials, upload a web shell, etc. I was able to get a reverse shell and log in to one of their private resources, ajtorello.cat/gestio. I lost the screenshots I took, but the login panel looks like this:

I reported it via Twitter, and it's already solved. Obviously, I didn't get any reward for that. I hope that after four years they are paying more attention to their resources.

Remember… Humans are the weakest link in the Cybersecurity chain.
