July 11, 2026
Walkthrough: File Hunter & The Basics of FTP Enumeration
Welcome to this write-up for the “File Hunter” task. In this post, we will explore the fundamentals of File Transfer Protocol (FTP) and…
By DRDsec
2 min read
Welcome to this write-up for the "File Hunter" task. In this post, we will explore the fundamentals of File Transfer Protocol (FTP) and walk through a practical scenario of enumerating a target server to extract sensitive information.
What is FTP?
FTP (File Transfer Protocol) is a network protocol designed for transferring files over the internet. Developed in 1971, it allows users to upload files to or download files from servers, making it highly useful for website management and data sharing.
The architecture usually consists of two basic components:
- The FTP Server: A centralized computer where files are stored and made available to the outside world.
- The FTP Client: The software that allows users to connect to the server and transfer those files.
While FTP continues to be popular due to its wide compatibility and ease of use, it is an unencrypted protocol, which carries some risks for data security. Because of this, SFTP (SSH File Transfer Protocol) or FTPS (FTP Secure) are often preferred as secure alternatives for transferring sensitive data.
The Mechanics of an FTP Connection
Users usually connect to an FTP server using a username and password. The basic command string to initiate this connection from a terminal is:
ftp <SERVER-IP-ADDRESS> -P <PORT-NUMBER>ftp <SERVER-IP-ADDRESS> -P <PORT-NUMBER>Note: You do not need to specify a port number when connecting if the FTP service is running on its default port, which is port 21.
Some servers are configured to allow anonymous access. Anonymous FTP allows anyone to access specific files on the server without requiring a valid username and password. This is often used for the distribution of public data, open-source software, or large files. To connect anonymously, you simply type "anonymous" in the username field and keep the password field blank.
Practical Walkthrough: File Hunter
Step 1: Information Gathering
We start our enumeration by running a port scan against our target machine. To learn the specific version information of the running services, we add the -sV parameter to our Nmap command.
root hackerbox:~# nmap -sV 172.20.13.154root hackerbox:~# nmap -sV 172.20.13.154The scan results reveal that port 21 is open and running the vsftpd 2.0.8 or later service.
Step 2: System Access
Knowing that an FTP service is active, let's try to connect to the target machine.
root hackerbox:~# ftp 172.20.13.154root hackerbox:~# ftp 172.20.13.154Before we even enter any credentials, we are greeted with a welcome message: 220 Welcome to anonymous Hackviser FTP service.. Taking the hint from this banner, we attempt to connect anonymously by providing anonymous as the name.
The server responds with 230 Login successful.. We have successfully bypassed authenticated access.
Step 3: Navigating and Extracting Loot
Once a connection is established, users can view and download files from the server. To navigate our new environment, we can rely on a few important FTP commands:
- help: Shows the commands that can be run and gives information about them.
- dir / ls: Lists the contents of a remote directory.
- get: Used to get (receive) a file.
- bye: Ends the FTP session and exits.
We run the ls command to view the files hosted on the server we are connected to. The directory listing reveals an interesting file named userlist.
To extract this file to our local machine, we use the get command, and then immediately close our FTP session using the bye command.
ftp> get userlist ftp> byeftp> get userlist ftp> byeStep 4: The Reveal
Now that the file is on our local system, we just need to read its contents using the cat command.
root hackerbox:~# cat userlistroot hackerbox:~# cat userlistThe file output reveals cleartext credentials stored on the server:
jack:hackviserroot:root
Conclusion
This completes all the tasks in this warmup challenge. While anonymous FTP provides easy accessibility and makes it simpler to share information, this exercise demonstrates why server owners must carefully manage accessible content for security reasons. Leaving sensitive files like credentials in an open directory is a critical misconfiguration.