Crocodile Starting Point HackTheBox Challenge Walkthrough.

protonsec
Jul 31, 2022

Crocodile is a really awesome challenge by HackTheBox for practising hacking skills. In today’s writeup we are going to solve this challenge.

First of all, fire up your terminal and scan for the services running on the machine:

wesecure1337@kali:~$ nmap -sC 10.129.97.148
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 16:53 IST
Nmap scan report for 10.129.97.148
Host is up (0.48s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
|_-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.80
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http
|_http-title: Smash - Bootstrap Business Template
Nmap done: 1 IP address (1 host up) scanned in 68.81 seconds

Here -sC tells nmap to run its default scripts against this server; those scripts report common issues such as the anonymous FTP login shown above.

Type nmap in your terminal with no arguments and its help page is printed:

wesecure1337@kali:~$ nmap
...
-sC: equivalent to --script=default
...

-sC selects the default scripts.

The useful information from the scan results is:

PORT   STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
|_-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.80
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http
|_http-title: Smash - Bootstrap Business Template

We can clearly see that we can log in to FTP using anonymous as the username.

Let’s solve the Tasks

TASK 1: What nmap scanning switch employs the use of default scripts during a scan?
-sC

Let’s scan for version information on the FTP server:

wesecure1337@kali:~$ nmap -sV -p21 10.129.97.148
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 17:01 IST
Nmap scan report for 10.129.97.148
Host is up (0.27s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds

This brings us to

TASK 2: What service version is found to be running on port 21?
vsftpd 3.0.3

Now let’s log in to the FTP server:

wesecure1337@kali:~$ ftp 10.129.97.148
Connected to 10.129.97.148.
220 (vsFTPd 3.0.3)
Name (10.129.97.148:wesecure1337): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Finally, we are logged in to the FTP server.

TASK 3: What FTP code is returned to us for the "Anonymous FTP login allowed" message?
230

Now we are going to explore the FTP server:

ftp> ls
229 Entering Extended Passive Mode (|||45302|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
226 Directory send OK.
ftp> get allowed.userlist
local: allowed.userlist remote: allowed.userlist
229 Entering Extended Passive Mode (|||41011|)
150 Opening BINARY mode data connection for allowed.userlist (33 bytes).
100% |***************************************| 33 0.04 KiB/s 00:00 ETA
226 Transfer complete.
33 bytes received in 00:01 (0.02 KiB/s)
ftp> get allowed.userlist.passwd
local: allowed.userlist.passwd remote: allowed.userlist.passwd
229 Entering Extended Passive Mode (|||42792|)
150 Opening BINARY mode data connection for allowed.userlist.passwd (62 bytes).
100% |***************************************| 62 0.09 KiB/s 00:00 ETA
226 Transfer complete.
62 bytes received in 00:01 (0.05 KiB/s)
ftp>

The get command is used to download files from the FTP server to our local machine.

TASK 4: What command can we use to download the files we find on the FTP server?
get

Now we have two files, viz. allowed.userlist and allowed.userlist.passwd. Come back to your main machine and check for the files:

ftp> exit
wecesure1337@kali:~$ ls
allowed.userlist
allowed.userlist.passwd
wecesure1337@kali:~$ cat allowed.userlist
aron
pwnmeow
egotisticalsw
admin
wecesure1337@kali:~$ cat allowed.userlist.passwd
root
Supersecretpassword1
@BaASD&9032123sADS
rKXM59ESxesUFHAd

Seeing the files brings us to

TASK 5: What is one of the higher-privilege sounding usernames in the list we retrieved?
admin

Go to your terminal and follow the steps:

wesecure1337@kali:~$ nmap -sV -p80 10.129.97.148
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 17:18 IST
Nmap scan report for 10.129.97.148
Host is up (0.20s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.63 seconds

From the result we conclude the answer to

TASK 6: What version of Apache HTTP Server is running on the target host?
2.4.41

Wappalyzer is a tool that can be installed as a browser plug-in for analysing websites.

TASK 7: What is the name of a handy web site analysis plug-in we can install in our browser?
Wappalyzer

From the help menu of gobuster we know that -x is used to specify the file types to look for.

TASK 8: What switch can we use with gobuster to specify we are looking for specific filetypes?
-x

By using gobuster we have found the file login.php.

TASK 9: What file have we found that can provide us a foothold on the target?
login.php

So let’s navigate to it in the browser.

Now log in with the username admin and the password rKXM59ESxesUFHAd, which we retrieved from the FTP server.

And finally we have successfully found the flag for this challenge.

SUBMIT FLAG: Submit root flag
c7110277ac44d78b6a9fff2232434d16

Voila!!! We have successfully solved the Crocodile Starting Point challenge by HackTheBox. If you enjoyed reading this writeup (walkthrough), do check out our other articles.

Let’s get connected

Twitter: proton_sec
GitHub: proton-sec
LinkedIn: protonsec

Thanks for Reading!!!
