Crocodile (Tier 1)

Description

  • Tier -> 1

  • Difficulty -> Very Easy

  • OS -> Linux

  • Tags -> Custom Applications / Protocols / Apache / FTP / Reconnaissance / Web Site Structure Discovery / Clear Text Credentials / Anonymous-Guest Access

Write-up

  • With some research, I started answering the first question

Answer: -sC


  • After this, I did an initial port scan using Nmap

nmap -p- -Pn --min-rate 2000 10.129.1.15

  • Then I did an exhaustive scan to get information about the services running on the open ports

nmap -p21,80 -sVC 10.129.1.15

  • With this, I answered the next question

Answer: vsftpd 3.0.3


  • I found the FTP protocol running on its default port, so I tried connecting to it. As I didn't have any credentials, I tried the anonymous user and it let me in successfully


  • With that and a little research, I answered the next questions

Answer: 230


Answer: anonymous


Answer: get


  • Once I had access, I listed the contents being shared on the server and found 2 files that seemed to be users' data. So I downloaded both of the files and then closed the connection

ls
mget *
exit
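The same anonymous-access check, scripted so it can be run against a list of hosts during an audit. This is an added example and not part of the original write-up; the target host, port and the anonymous "password" (conventionally an e-mail address) are assumptions, and the function only reports what the server answers and which files it exposes.

```python
"""Audit an FTP service for anonymous access and list what it exposes.

Added example (not part of the original write-up). It reproduces the manual
steps above (connect, log in as anonymous, ls) and returns a structured result
so the finding can be recorded rather than eyeballed.
"""
from ftplib import FTP, error_perm


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Return a dict: banner, whether anonymous login succeeded (230), file list, error."""
    result = {"host": host, "banner": None, "anonymous": False, "files": [], "error": None}
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        # vsftpd advertises its version in the greeting (e.g. "220 (vsFTPd 3.0.3)"),
        # which is the same information the -sV scan above recovered.
        result["banner"] = ftp.getwelcome()
        # Anonymous logins answer with reply code 230 ("Login successful.");
        # the password is an assumed placeholder, servers do not validate it.
        reply = ftp.login("anonymous", "anonymous@example.com")
        result["anonymous"] = reply.startswith("230")
        if result["anonymous"]:
            try:
                result["files"] = ftp.nlst()  # equivalent of "ls" in the session above
            except error_perm as e:        # some servers answer 550 on an empty directory
                result["error"] = str(e)
            ftp.quit()
    except error_perm as e:
        # 530 here means anonymous access is refused: the desired configuration
        result["error"] = str(e)
    except OSError as e:
        # connection refused, timeout, unreachable host
        result["error"] = str(e)
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.129.1.15"  # host from the write-up
    finding = check_anonymous_ftp(target)
    print(finding)
```

A result with `"anonymous": True` and a non-empty `files` list is the exposure described in this write-up; `530` in `error` is what a correctly locked-down server returns.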

  • I checked the content of both files and found what seemed to be a list of usernames and a list of related passwords

cat allowed.userlist allowed.userlist.passwd

  • With this, a little research, and the previous information obtained from the scans, I answered the next questions

Answer: admin


Answer: apache httpd 2.4.41


Answer: -x


  • With this information, I could check if these credentials work on the FTP service. But after trying all the usernames it notified me that it only allows anonymous connections


  • So I decided to check the other running service. It was HTTP on port 80, so I opened the browser to look at the content being served. I found a dashboard for the services of a company where none of the buttons seemed to do anything


  • After exploring the sections of the page, I noticed the only thing that stood out was a form in the contact section which didn't seem to be working properly. To get some extra information about the components of the website, I used the Wappalyzer extension, but it didn't give me anything relevant


  • As I didn't find anything interesting at first, I tried to fuzz the page using Gobuster and a wordlist. Also, as I knew the page was written in PHP thanks to Wappalyzer, I specified this in the fuzzing options

gobuster dir -u http://10.129.1.15/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -x php,html

  • The fuzzing gave me some interesting paths, one of which was the /login.php page, so I visited it and found a simple login page


  • With that, I answered the next question

Answer: login.php


  • Once there, I tried the credentials found in the previous lists again, combining the usernames with the passwords, and by using the username root and the password rKXM59ESxesUFHAd I gained access to an administration panel where a message with the flag was displayed


  • With this, I got the root flag and pwned the machine

Answer: c7110277ac44d78b6a9fff2232434d16
