Attacking Common Services - Medium

Would anyone be able to help provide a nudge for this on finding the initial username? I feel like I’m missing something obvious, but I don’t seem to be getting anywhere with the 4 ports showing as open for this. I’ve been able to perform a zone transfer and tried to brute force the domains returned, but haven’t gotten anywhere with it.

I’ve seen it mentioned in other threads that there should be a non-standard port that stands out, which I took to mean it would not be one normally seen in the top 1000 by nmap, but I haven’t been able to find any other than the 4 mentioned above that are all relatively common.

Yes, there is a service that does not run on a standard port. Maybe you have to restart the lab and run a scan again with NMAP.
Maybe wait a few minutes after starting the lab.


Thanks. For some reason I had to restart the lab several times before those ports showed up, but I got it now.


That’s a few days I’ve been trying to run on that one. Found 6 open ports, found a file in one of these, with name s*****.
Used the name to try and brute passwords for services where it was possible.
Tried bigger lists for brute but the 90min elusive target makes it an obvious no-go.
Am I missing something?
Edit: Forget it… I need more sleep :clown_face:

I finished the hard lab; the questions provided info. This ‘blackbox’ medium lab is putting me in brute force h word. I have to nmap/respawn several times to get the ‘other’ service to show as open. Any hints?

Judging from the comments, there’s an anonymous login somewhere, I guess. I’m going back to the footprinting module for clues.

got it

HTB suggests that you wait up to 5 minutes after the target spawns to get full access to all available services/ports.


Hi, I found the username and I’m brute forcing everything but didn’t get my way in. Any hints please? Kinda stuck.

Did you find the mynotes.txt file?


nvm, I need to sleep xD


Finally :slight_smile: I love this machine because it’s the first time I completed a machine within 5 mins.
→ run rustscan or nmap -p- for all ports
→ run nmap with default scripts on the open ports; you need to observe the output carefully
→ connect to ssh using hydra


Scan all the 65535 ports.

login to ftp and find mynotes.txt

brute force ssh using mynotes.txt

login to ssh, find the flag.

Happy Hacking

Hello! Do you have any tips on how to log in to the FTP server?

I’ve tried brute-forcing with hydra and the module resources (users.list & pws.list), as well as using custom userpass lists, such as:

Obviously I’ve also tried an anonymous login, but did not succeed :thinking:. I also tried using all nmap ftp scripts on the ftp port, as such: nmap --script ftp-* TARGET_IP -p 2121 with no luck.

Thought I might be using the wrong port, but even aggressive scans using the -T option didn’t reveal any other FTP services running on the target server.

Maybe there’s some significance to the fact that the FTP service is running behind a proxy?

In ftp, simon is a directory; cd Simon. You will find the wordlists there.

@All if you don’t get it with this… idk

I’m stuck on the “Attacking Common Services - Medium” skill assessment as well. Found a common service running on a non-standard port 2***. I tried anonymous login, nmap scripts, and brute-forcing with various lists, even the ones provided in the resources, with no luck.
Some tips would be greatly appreciated.

I managed to solve this; after multiple target restarts the missing port appeared.
Here is a small tip for anyone that might have the same problem as I had: There should be 6 open TCP ports.


Just a heads up for people coming here too early, make sure you leave at least 5 MINUTES before running your first nmap -p- scan… that is a key here!


I am stuck on how to log in to the FTP server…
I used the ftp command; it can access the server.
open <IP address> 2121
I have tried brute-forcing with hydra and the module resources (users.list & pws.list), but cannot find a valid credential…
How do I get the username and password for FTP?

Here’s a nudge: you should at least see 5 total ports or more. In this case, consider resetting the machine.


Thank you very much :smiley:
Resolved it.
I lost a little time…