Crocodile


Enumeration


As usual, let's start with nmap:

nmap -sV -sC IP

Replace IP with the IP address of the target machine (Crocodile).

Note: The IP of our target machine will change all the time, so make sure you replace IP in the command above with the target machine's IP. You can find the target's IP directly from your Hack The Box account.

Port 21 is open, which is FTP (File Transfer Protocol).


Notice the line ftp-anon: Anonymous FTP login allowed (FTP code 230)

Anonymous FTP login allowed means that we should be able to log in with the username anonymous. When anonymous login is allowed, the system will not check the password you provide, meaning that you can provide any password you like and still get in!

Let's try it!

ftp 10.129.203.194

Type

anonymous

Press enter

It worked! We are in as anonymous! And we were not even asked for a password!


Type ls to list the files

We can see we have 2 files that seem interesting.

Let's download these files onto our machine by using the get command:

get allowed.userlist

get allowed.userlist.passwd

Now if you open your home folder, you will see these 2 files have been downloaded on your machine:

Let's open allowed.userlist:

Looks like a list of usernames!


Let's open allowed.userlist.passwd:

Looks like these are the passwords for all the allowed users found in the first file!


So it looks like we now have the password for the admin account!

The password is rKXM59ESxesUFHAd
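Seen from the server owner's side, the same two findings (anonymous login accepted with code 230, and credential files readable without authentication) can be checked automatically. This is an added example, not part of the original walkthrough; the function name audit_anonymous_ftp and the SUSPECT name fragments are assumptions chosen for illustration.

```python
import ftplib
import sys

# Assumed (hypothetical) name fragments that suggest credential material.
SUSPECT = ("passwd", "password", "userlist", "shadow", "cred", ".key")


def audit_anonymous_ftp(host, port=21, timeout=5):
    """Check an FTP server you administer for anonymous access.

    Returns a dict with: whether anonymous login succeeded, the server's
    reply, the file names visible without credentials, and which of those
    names look like credential material.
    """
    report = {"host": host, "anonymous": False, "reply": "",
              "files": [], "suspect": []}
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        # With anonymous access enabled the password is not checked,
        # so a placeholder value is enough. Success is reply code 230.
        report["reply"] = ftp.login("anonymous", "audit@example.invalid")
        report["anonymous"] = report["reply"].startswith("230")
        try:
            report["files"] = ftp.nlst()
        except ftplib.error_perm:
            pass  # some servers answer 550 when the directory is empty
        report["suspect"] = [name for name in report["files"]
                             if any(s in name.lower() for s in SUSPECT)]
    except ftplib.error_perm as exc:
        # 5xx reply such as "530 Login incorrect.": anonymous is refused.
        report["reply"] = str(exc)
    except ftplib.all_errors as exc:
        # Connection refused, timeout, or a malformed server reply.
        report["reply"] = f"error: {exc}"
    finally:
        ftp.close()
    return report


if __name__ == "__main__":
    # Usage: python audit_ftp.py <host you administer>
    print(audit_anonymous_ftp(sys.argv[1]))
```

A non-empty "suspect" list on a server that reports "anonymous": True is the situation this box demonstrates: the fix is to disable anonymous access or remove the files from the anonymous root, and to change any password stored there.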


When we ran nmap earlier, we noticed that port 80 is open. From our VM, let's open our browser, type the IP of our target machine (Crocodile) into the URL bar, and press enter:


Now let's use gobuster to find any hidden directories:

gobuster dir -u 10.129.203.194 -w /usr/share/dirb/wordlists/common.txt -x .php

-x .php is added at the end so that gobuster also looks for files with the .php extension.

Gobuster found /login.php

That's interesting, we might be able to use the credentials we just found.


Open your browser again and type the following in the URL bar:

10.129.203.194/login.php

We get a login page:

Let's try to log in with the username and password we just found:

username: admin

password: rKXM59ESxesUFHAd


The flag is right there!


Congratulations! You got your flag!
