CSAW 2015 - FTP 2 - Exploitables (300pts) writeup

The challenge description was: This challenge is a follow up to FTP, now exploit the service.

This is a follow-up to the challenge covered in the FTP Reversing writeup. This writeup will be terribly disappointing to many, since most of the work has already been done in that first writeup.

I have no clue if I had to exploit anything as the title suggested since I just did the following to get the flag:

[window1]

mrt:~/ctf/csaw/reverse/ftp$ nc 54.175.183.202 12012
Welcome to FTP server
USER blankwall
Please send password for user blankwall
PASS cookie
logged in
PASV
PASV succesful listening on port: 63634

[window2]

mrt:~/ctf/csaw/reverse/ftp$ nc 54.175.183.202 63634

[window1]

LIST
LIST complete

[window2]

drwxr-xr-x 1 0 0 4096 Sep 20 05:22 ftp_0319deb1c1c033af28613c57da686aa7
drwxr-xr-x 1 0 0 4096 Sep 20 05:22 .bashrc
drwxr-xr-x 1 0 0 4096 Sep 20 05:22 .bash_history
drwxr-xr-x 1 0 0 4096 Sep 20 05:22 run.sh
drwxr-xr-x 1 0 0 4096 Sep 20 05:22 flag.txt
drwxr-xr-x 1 0 0 4096 Sep 20 05:22 .profile
drwxr-xr-x 1 0 0 4096 Sep 20 05:22 .bash_logout
drwxr-xr-x 1 0 0 4096 Sep 20 05:22 re_solution.txt
drwxr-xr-x 1 0 0 4096 0 4096 .selected_editor

Using screen, I ran the client in window1, used the credentials I found in the FTP Reversing challenge, and sent "PASV" to open a port. In window2 I used another client to connect to the newly opened port. Running some commands in window1 will send their output to window2 and then close the window2 connection, so I tried "LIST" to get a listing of files in the current folder. We can see flag.txt; it looked too easy, something is wrong:

[window1]

SIZE flag.txt
37
PASV
PASV succesful listening on port: 63531

[window2]

mrt:~/ctf/csaw/reverse/ftp$ nc 54.175.183.202 63531

[window1]

RETR flag.txt
connection accepted; transfer starting.
226 Transfer complete.

[window2]

flag{exploiting_ftp_servers_in_2015}

I guess there was a glitch somewhere; apparently there was nothing to exploit, and all the work happened in the reversing challenge. Oh well..

We got our flag:

flag{exploiting_ftp_servers_in_2015}
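
The two-window procedure above (PASV on the control connection, a second connection to the announced port, then the transfer command) written as one script. This is an added example, not part of the original writeup: the loopback stub server, its "ok" replies and the sample file content are constructed, and `stub_server`, `fetch` and `demo` are names chosen here.

```python
import re
import socket
import threading

PASV_RE = re.compile(r"listening on port: (\d+)")  # reply format seen in the transcript

def stub_server(lsn, files):
    """Constructed loopback stand-in echoing the transcript's replies; accepts any login."""
    conn, _ = lsn.accept()
    rf, data_lsn = conn.makefile("r"), None
    def say(text):
        conn.sendall((text + "\n").encode())
    say("Welcome to FTP server")
    for line in rf:
        verb, _, arg = line.strip().partition(" ")
        if verb == "PASV":
            data_lsn = socket.create_server(("127.0.0.1", 0))
            say(f"PASV succesful listening on port: {data_lsn.getsockname()[1]}")
        elif verb == "RETR" and data_lsn:
            d, _ = data_lsn.accept()
            say("connection accepted; transfer starting.")
            d.sendall(files.get(arg, b""))
            d.close(); data_lsn.close(); data_lsn = None  # one transfer per PASV
            say("226 Transfer complete.")
        else:
            say("ok")  # constructed placeholder reply for USER/PASS/anything else
    conn.close()

def fetch(host, port, user, password, name):
    """Control connection plays window1, data connection plays window2."""
    with socket.create_connection((host, port), timeout=5) as ctrl:
        rf = ctrl.makefile("r")
        def cmd(line):
            ctrl.sendall((line + "\n").encode())
            return rf.readline().strip()
        rf.readline()  # banner
        cmd(f"USER {user}"); cmd(f"PASS {password}")
        m = PASV_RE.search(cmd("PASV"))
        if not m:
            raise RuntimeError("server did not announce a data port")
        # The data socket must be connected before the transfer command is sent.
        with socket.create_connection((host, int(m.group(1))), timeout=5) as data:
            cmd(f"RETR {name}")  # reply on control; the file itself arrives on data
            body = b"".join(iter(lambda: data.recv(4096), b""))
        return body, rf.readline().strip()

def demo():
    lsn = socket.create_server(("127.0.0.1", 0))
    sample = {"flag.txt": b"flag{constructed_sample}\n"}  # constructed content
    threading.Thread(target=stub_server, args=(lsn, sample), daemon=True).start()
    return fetch("127.0.0.1", lsn.getsockname()[1], "user", "pass", "flag.txt")
```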