Academy: Attacking Common Services | Attacking FTP

Guys my experience with HTB modules that: you will always find the solution in the module if not you most probably doing something wrong no complication, it’s always straightforward.
Whoever stuck I finished the module
when you do nmap you should read the result about the port and its number, it’s not the default port number.
Follow all steps in the module
then use all resources files that u find to brute force
and you will definitely find the answer from there

1 Like

For anyone stuck here. The wordlists you require to brute force ssh can be found by logging in to the ssh server anonymously <3

I have found the credentials on the ftp and am now trying to brute force the other accounts. I have found the user r*. I am trying to brute force it with medusa and crackmapexec and hydra:

  • medusa -v 6 -u r**** -P passwords.list -h $TARGET -M ftp -n ****
  • crackmapexec ftp $TARGET -u r**** -p ./passwords.list --port ****
  • hydra -l r*****-P ./passwords.list ftp://$TARGET:****

I am getting locked out after the first attempts because I am sending to many requests. Does anyone of you know how to reduce the speed of the requests or add a delay?

You found something? Man this one is hel* on earth.

See my posts from Nov 22 above.

1 Like

Thank you for you help :slight_smile: By the way, for anyone having a hard time with bruteforcing, use potator. It’s really a life savor,it worked perfectly for me. Don’t be stuborn like i was re-trying hydra 200 times, just go with potator. It’s a fantastic tool. Only, i don’t know why potator worked when all other tools did not. If anyone knows the awnser to this, i would like to hear it.

beyond the many charlatans who speak uselessly, I want to give concrete advice and suggestions. First of all, using Medusa without the correct pass list is a waste of effort that drives you mad.
first become root on your terminal
Simply log in via ftp
wait a moment, don’t rush, it has to come out
‘‘name:’’ type anonymous
download the passlist file
and only at this moment can you use medusa
basically ftp recognizes the type of connection based on the user requesting it, if a normal user requests it - not root - it will let you log in as normal users and you won’t be able to do anything
instead if you connect as root it will log you in as root and you can download the files correctly
happy hacking

1 Like

Use the command: lftp -p 2121 -u anonymous, (LFTP - the manual page), to download the usernames and password files. To bruteforce use the command below:
medusa -U users.list -P passwords.list -h -M ftp -n 2121 -t 10 -f > ftp_credentials.txt 2>&1

Or you can use Patator to bruteforce the password file:

patator ftp_login host= port=2121 user=FILE0 0=users.txt password=FILE1 1=passwords.list -x ignore:code=500 -x reset:code=230 -x ignore:mesg=‘Login incorrect’ > ftp_logins.txt 2>&1. With this command you should be able to get the Username: robin’s password

1 Like

NOTE: the box is tricky you have to reset the couple of times to get FTP open port

Awesome! I totally skipped over the other file.
I went into the system a little different, Found the FTP creds for j**** then pulled his id_rsa file to get a ssh session then just passed the other file over. Medusa was quick from that point.

Thanks so much.

loll, i am working on an ftp machine but instead getting credentials and flags for smb exercise :rofl: :rofl:

Interesting tool, thank you!

Not sure if I did anything wrong, but I am unable to bruteforce the FTP server with the correct passlist extracted. Tried with both medusa and crackmapexe, it went pass the right password and detected it as incorrect. I had to bruteforce SSH directly in order to find out the password.

I had to reload the box 8 times just to get to a session where the port was actually open. Ive about had it with HTB Academy man.


If you want to speed up the cracking a bit, you can use hydra in place of Medusa. Medusa is so slow.

hydra -L /home/kaliadmin/aftp/users.list -P /home/kaliadmin/aftp/passwords.list

That will save some time.

Hey guys if you can’t see the ftp port just restart the machine! the first time the machine doesn’t spawm the FTP port then the solution is RESTART

1 Like

Using Medusa, you can finde the correct credentials of R— :slight_smile:

did you use password/usernames list from resources or ftp. From FTP i can only download passwords list as anonymous

Hey brother just got the last flag this is a bit confusing as I was using the password/user_name list provided in the HTB modal you need to download the password/User list to do the last question (found on the FTP server) and get R’s password if you try to hydra the ssh using the provided HTB resources list it does not work this is on top of if the FTP server boots and runs correctly as one of my road blocks with this was just trying to get it to show up on the nmap scan and then dealing with a bunch of false positives with medusa

PS any HTB admins see this post please fix the box it was really Infuriating have to reboot the box MANY times to just get the FTP server to work.