Academy: Attacking Common Services | Attacking FTP

Guys, my experience with HTB modules is that you will always find the solution in the module; if not, you are most probably doing something wrong. No complication, it’s always straightforward.
Whoever is stuck: I finished the module.
When you do nmap you should read the result about the port and its number; it’s not the default port number.
Follow all steps in the module,
then use all resource files that you find to brute force,
and you will definitely find the answer from there.

1 Like

For anyone stuck here. The wordlists you require to brute force ssh can be found by logging in to the ssh server anonymously <3

I have found the credentials on the ftp and am now trying to brute force the other accounts. I have found the user r*. I am trying to brute force it with medusa and crackmapexec and hydra:

  • medusa -v 6 -u r**** -P passwords.list -h $TARGET -M ftp -n ****
  • crackmapexec ftp $TARGET -u r**** -p ./passwords.list --port ****
  • hydra -l r***** -P ./passwords.list ftp://$TARGET:****

I am getting locked out after the first attempts because I am sending too many requests. Do any of you know how to reduce the speed of the requests or add a delay?

You found something? Man this one is hel* on earth.

See my posts from Nov 22 above.

1 Like

Thank you for your help :slight_smile: By the way, for anyone having a hard time with bruteforcing, use patator. It’s really a life saver, it worked perfectly for me. Don’t be stubborn like I was, re-trying hydra 200 times; just go with patator. It’s a fantastic tool. Only, I don’t know why patator worked when all other tools did not. If anyone knows the answer to this, I would like to hear it.

Hi, this section took me ages so I wanted to share what I figured out in case it helps the next person…

Once I had the right username and password list I used the following command to speed up Medusa:

medusa -U users.list -P passwords.list -h 10.129.1.45 -M ftp -n 2121 -t 200 -f

-t 200 is the number of threads and…
-f will stop Medusa from scanning once a valid set of credentials has been found.

200 was a random number for me, it might be able to be sped up further still.

Resource: Medusa help page

Beyond the many charlatans who speak uselessly, I want to give concrete advice and suggestions. First of all, using Medusa without the correct pass list is a waste of effort that drives you mad.
First become root on your terminal.
Simply log in via ftp.
Wait a moment, don’t rush, it has to come out:
ftp.
.
snip
.
At ‘‘name:’’ type anonymous,
download the passlist file,
and only at this moment can you use medusa.
Basically ftp recognizes the type of connection based on the user requesting it: if a normal user requests it (not root), it will let you log in as a normal user and you won’t be able to do anything.
Instead, if you connect as root it will log you in as root and you can download the files correctly.
Happy hacking

1 Like

Use the command: lftp -p 2121 -u anonymous, 10.129.203.6 (LFTP - the manual page), to download the usernames and password files. To bruteforce use the command below:
medusa -U users.list -P passwords.list -h 10.129.203.6 -M ftp -n 2121 -t 10 -f > ftp_credentials.txt 2>&1

Or you can use Patator to bruteforce the password file:

patator ftp_login host=10.129.109.42 port=2121 user=FILE0 0=users.txt password=FILE1 1=passwords.list -x ignore:code=500 -x reset:code=230 -x ignore:mesg='Login incorrect' > ftp_logins.txt 2>&1

With this command you should be able to get the password for the username robin.

1 Like

NOTE: the box is tricky; you have to reset it a couple of times to get the FTP port open.

Awesome! I totally skipped over the other file.
I went into the system a little differently. Found the FTP creds for j****, then pulled his id_rsa file to get an ssh session, then just passed the other file over. Medusa was quick from that point.

Thanks so much.

lol, I am working on an FTP machine but instead getting credentials and flags for the SMB exercise :rofl: :rofl:

Interesting tool, thank you!

Not sure if I did anything wrong, but I am unable to bruteforce the FTP server with the correct passlist extracted. Tried with both medusa and crackmapexec; it went past the right password and detected it as incorrect. I had to bruteforce SSH directly in order to find out the password.

I had to reload the box 8 times just to get to a session where the port was actually open. I’ve about had it with HTB Academy, man.


If you want to speed up the cracking a bit, you can use hydra in place of Medusa. Medusa is so slow.

hydra -L /home/kaliadmin/aftp/users.list -P /home/kaliadmin/aftp/passwords.list ftp://10.129.101.51:2121

That will save some time.