Real Case - ajtorello.cat | Hi, here you have the proftpd panel
Torelló is my hometown, I’ve been living there for almost idk, 15 years? Taking into account I moved to another place when I was a teenager.
Someday I was helping my mom to do some administrative tasks, the web was horrible, and surprise… I found on Google a link that was redirecting to another place, but I was able to read in the description “ajtorello.cat/proftpd” WTF? Is the proftd panel open to the Internet? Yes, it was! Actually, without any password, I was able to create an FTP account with 777 permissions.
Imagine what you can do…
Download/Upload resources, find SQL credentials, upload a web shell, etc. I was able to get a reverse shell, log in to one of their private resources, the ajtorello.cat/gestio. I lost the screenshots I took, but the login panel looks like this:
I reported via Twitter, and it’s already solved. Obviously, I didn’t get any reward for that. I hope that after four years they are paying more attention to their resources.
Remember… Humans are the weakest link in the Cybersecurity chain.