Crocodile (Tier 1)

Description

• Tier -> 1

• Difficult -> Very Easy

• OS -> Linux

• Tags -> Custom Applications / Protocols / Apache / FTP / Reconnaissance / Web Site Structure Discovery / Clear Text Credentials / Anonymous-Guest Access

https://app.hackthebox.com/starting-point?tier=1

Write-up

• With some research, I started answering the first question

Answer: -sC

---

• After this, I did an initial port scan using Nmap

nmap -p- -Pn --min-rate 2000 10.129.1.15

---

• Then I did an exhaustive scan to get information about the services running on the open ports

nmap -p21,80 -sVC 10.129.1.15

---

• With this, I answered the next question

Answer: vsftpd 3.0.3

---

• I found the FTP protocol running on its default port, so I tried connecting to it. As I didn't have any credentials I tried using the anonymous user and it let me in successfully

To learn more about the FTP protocol you can go here

---

• With that and a little research, I answered the next questions

Answer: 230

---

Answer: anonymous

---

Answer: get

---

• Once I had access, I listed the contents being shared on the server and found 2 files that seemed to be users' data. So I downloaded both of the files and then closed the connection

ls
mget *
exit

---

• I checked the content of both files and found what seemed to be a list of usernames and a list of related passwords

cat allowed.userlist allowed.userlist.passwd

---

• With this, a little research, and the previous information obtained from the scans, I answered the next questions

Answer: admin

---

Answer: apache httpd 2.4.41

---

Answer: -x

---

• With this information, I could check if these credentials work on the FTP service. But after trying all the usernames it notified me that it only allows anonymous connections

---

• So I decided to check the other running service. It was an HTTP on port 80, so I went to the browser to look at the content being deployed. I found a dashboard for the services of a company where any of the buttons seemed to work

To learn more about the HTTP protocol you can go here

---

• After exploring the sections of the page I noticed the unique different thing was a form in the contact section which didn't seem to be working properly. To get some extra information about the components of the website, I used the Wappalyzer extension but didn't give me anything relevant

---

• As I didn't find anything interesting in the first instance, I tried to fuzz the page using Gobuster and a dictionary. Also as I knew the page was written on PHP thanks to Wappalyzer I specified this on the fuzzing options

gobuster dir -u -w http://10.129.1.15/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -x php,html

---

• The fuzz gave me some interesting directions, being one of those the /login.php page, so I visited this direction and found a simple login page

---

• With that, I answered the next question

Answer: login.php

---

• Once there, I tried using again the credentials found in the previous lists, combining the usernames with the passwords, and by using the username root and the password rKXM59ESxesUFHAd I gained access to an administration panel where a message with the flag was displayed

---

• With this, I got the root flag and pwned the machine

Answer: c7110277ac44d78b6a9fff2232434d16