Scenario 3 – trivializing TFTP
Trivial File Transfer Protocol (TFTP) is an older service that offers a blind, unauthenticated file transfer service: there is no login and no directory listing, so a client must already know the exact path of the file it wants. It was traditionally used to install lightweight, thin clients and transfer configurations from one location to another, similar to SNMP. Simply connect to the port, knowing the exact location of the file you want to copy, and copy away. The vulnerability here is that anyone who knows the kind of architecture hosting the TFTP service will be able to guess the location of sensitive files. There are numerous ways to make sure that TFTP is set up in a relatively safe way (though the lack of authentication does make it hard to justify), but that's not what we're after. We're after a nice vulnerable setup that we can chase down.
To start with, you need to decide which TFTP provider you want to use. You can score a double win here by selecting a build that has known vulnerabilities associated with it.
TFTPD32 2.2 is vulnerable to a buffer overflow, which can be a nice starting point for those beginning infrastructure tests and vulnerability assessments. For TFTPD32, there's an associated Metasploit module, and the version is disclosed in the headers, so a beginner can easily get a shell going. TFTPD32 also works on all architectures, is free, and older versions are available from its website. It is a great example of the kind of resource a CTF creator should look for. It is available at http://tftpd32.jounin.net/.
Alternatively, you can enable the Windows TFTP solution through the Programs and Features and Enable Windows Features options for Windows 7 or equivalent options if running a different version. This has no known vulnerabilities to exploit with Metasploit or similar, but doesn't require hunting down to install.
Once downloaded, perform the following normal checks:
- Make sure Windows Firewall or other such solutions are off
- Make sure any antivirus is off if you intend to let testers use Metasploit
TFTP serves files relative to the folder it is started in. By default, that is the installation folder, which only exposes the installation files and README files. This can be set up as a basic exploit, if you wish, by placing a flag file in the folder; however, you would have to tell the attackers the name of the file, which defeats the purpose of this challenge and the vulnerability underlying TFTP. In order to make it more interesting, try setting up TFTP in root C:\ or hunting down a version that allows directory traversal. TFTPD32 won't allow users to go up directories, but will only allow them to travel down into the depths of whatever folder structure you have, so moving from the install folder to the System32 folder isn't possible.
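The "down but not up" behaviour described above, as an added Python example that is not part of the original chapter or of TFTPD32: it encodes and parses RFC 1350 read requests (RRQ), resolves the requested name under a served root directory, refuses anything that resolves outside that root, and answers with the first DATA block or an ERROR packet. The directory tree, file names and contents are constructed for the demo, and the function names (`handle_rrq`, `resolve_under_root`, `describe`) are chosen here, not taken from TFTPD32.

```python
"""Minimal TFTP read-request handler with root-directory confinement.

Added example: shows why a server rooted in its install folder exposes
only that folder, and what the "cannot travel up" check looks like.
"""
import struct
import tempfile
from pathlib import Path

# TFTP opcodes and error codes from RFC 1350
OP_RRQ = 1
OP_DATA = 3
OP_ERROR = 5
ERR_NOT_FOUND = 1
ERR_ACCESS = 2


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Encode an RRQ: 2-byte opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode("latin-1") + b"\x00" + mode.encode() + b"\x00"


def parse_rrq(packet: bytes):
    """Decode an RRQ into (filename, mode); raise ValueError if malformed."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != OP_RRQ:
        raise ValueError("not an RRQ packet")
    parts = packet[2:].split(b"\x00")
    if len(parts) < 3 or not parts[0] or not parts[1]:
        raise ValueError("malformed RRQ: missing filename or mode")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1").lower()


def resolve_under_root(root: Path, requested: str):
    """Map a requested name onto the filesystem, confined to root.

    Clients may send '/' or '\\' separators; both are normalised. Returns
    None when the resolved path escapes root (the traversal case).
    """
    root = root.resolve()
    rel = requested.replace("\\", "/").lstrip("/")
    candidate = (root / rel).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def handle_rrq(root: Path, packet: bytes) -> bytes:
    """Answer an RRQ with DATA block 1 (first 512 bytes) or an ERROR packet."""
    try:
        filename, _mode = parse_rrq(packet)
    except ValueError as exc:
        return struct.pack("!HH", OP_ERROR, 0) + str(exc).encode() + b"\x00"
    target = resolve_under_root(root, filename)
    if target is None:
        # Request pointed outside the served tree: refuse rather than serve it.
        return struct.pack("!HH", OP_ERROR, ERR_ACCESS) + b"Access violation\x00"
    if not target.is_file():
        # No listing exists, so a wrong guess only ever yields this reply.
        return struct.pack("!HH", OP_ERROR, ERR_NOT_FOUND) + b"File not found\x00"
    return struct.pack("!HH", OP_DATA, 1) + target.read_bytes()[:512]


def describe(packet: bytes):
    """Decode a DATA or ERROR reply into a tuple for inspection."""
    opcode, second = struct.unpack("!HH", packet[:4])
    if opcode == OP_DATA:
        return ("DATA", second, packet[4:])
    if opcode == OP_ERROR:
        return ("ERROR", second, packet[4:].split(b"\x00")[0].decode("latin-1"))
    raise ValueError("unexpected opcode %d" % opcode)


def demo():
    """Build a constructed tree and issue four RRQs against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tftp_root"            # the folder the server is started in
        (root / "configs").mkdir(parents=True)
        (root / "README.txt").write_text("public readme")
        (root / "configs" / "router.cfg").write_text("hostname lab-rtr")
        (Path(tmp) / "secret.txt").write_text("outside the served tree")
        requests = [
            ("readme", "README.txt"),            # known name at the root
            ("nested", "configs\\router.cfg"),   # going down, Windows separators
            ("missing", "configs/dir.txt"),      # a guess that does not exist
            ("traversal", "..\\secret.txt"),     # trying to go up out of the root
        ]
        return {label: handle_rrq(root, build_rrq(name)) for label, name in requests}


if __name__ == "__main__":
    for label, reply in demo().items():
        print(label, describe(reply))
```

Note that the confinement check is only as useful as the root you pick: with the server started in C:\, every path on the drive is "inside" the root, so the traversal refusal never triggers and the check does nothing to protect System32. That is exactly the difference between the install-folder default and the harder setup the text suggests.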
Run the TFTP solution in whichever folder you wish, and test it from a remote location. An exploit guide can be found at the end of this chapter.
If you're using TFTPD32, your configuration should look like the next screenshot. The Create "dir.txt" files selection is optional; be aware that seasoned testers will request dir.txt immediately, as it gives away the structure of the directory. If you want to make the challenge harder, turn this off. Have a look at the following screenshot:
Vulnerabilities
There are multiple briefs available for this scenario depending on which files you wish to host:
- SSH keys could be stored for use in further scenarios
- Credentials for other boxes
- Crackable password hashes from older OSs
The key thing to remember when setting up a TFTP-related scenario is that the attackers will not be able to see which files are present or which folder they are in. This means that barring any default answers as shown in the exploit guide, they are unlikely to know what you've hidden there unless you give them clues. This can be set up as part of a larger exercise and is shown in situ in Chapter 6, Red Teaming.
This particular vulnerability can easily be set up on Linux, if required, by using a different installation. There are many TFTP packages for Linux; it's just a matter of picking one that suits you.