Hack the Box – Crocodile

# Information:

Platform Name: Hack the Box

Machine Challenge: Crocodile

Machine Status: Starting Point

Challenge Level: Very Easy

# Used Tools:

• Linux
• nmap
• ftp

# Challenge Description:

This challenge has a list of questions that need to be answered in order to retrieve the flag. We will answer every question.

# Writeup:

Task 1:

“What Nmap scanning switch employs the use of default scripts during a scan?“

Answer: The switch is -sC.

To know the answer to this question I entered the following command on the terminal:

man nmap

The command above, is the manual that helps us to use the nmap and you can see in the image below that the “-sC” switch employs the use of default scripts.

Task 2:

“What service version is found to be running on port 21?“

Answer: The service version running on port 21 is vsftpd 3.0.3.

I performed an nmap scan (as you can see in the image below), and you have there a lot of information about this port.

Task 3:

“What FTP code is returned to us for the “Anonymous FTP login allowed” message?“

Answer: The code is 230.

You can see in image 2 that a ftp login is allowed and that the username is “Anonymous”. So, I tried to login via ftp with the following command:

ftp <your_IP_here>

You can see the output in the image below:

As you can see, the code that states that the login was allowed/successful is the 230 code.

Task 4:

“After connecting to the FTP server using the ftp client, what username do we provide when prompted to log in anonymously?“

Answer: The username is anonymous.

You can see this in image 3 where it says “Name (10.129.1.15:sobatista): Anonymous“.

Task 5:

“After connecting to the FTP server anonymously, what command can we use to download the files we find on the FTP server?“

Answer: The command is get.

I used, once again, the manual of ftp to answer to this question.

But before you can download the files, you need to know what files do exist. For that you can use the command “ls”. This command will list all the existing files and directories in the current directory. You can see the output of the command “ls” in the image below:

As you can see in the image above, we have 2 files. One is a list of users and the other is the user’s passwords. So, we know that these 2 files are important and we will download these 2 files.

But before we proceed to the download, we can choose to where the files will be downloaded. to do that you can use the following command:

lcd /path/to/the/directory/where/you/want/the/files

Note that you don’t need to do choose to where the files will be downloaded but if you don’t choose, the files will be downloaded to your home directory (you can see this information in the ftp manual).

You can see how I used the command above in the image below:

Now that we specified the directory to where the files will be downloaded, we can just download the files using the command that is the answer to this task. You can see this below:

After downloading the files, I opened both like so:

You can see the usernames of the users and the passwords.

Task 6:

“What is one of the higher-privilege sounding usernames in ‘allowed.userlist’ that we download from the FTP server?“

Answer: The higher-privilege sounding username is admin.

If you do a quick search on google, you will see that root and admin are the ones with higher-privilege. But since we just have the username admin in our list, admin is the one you go for.

Task 7:

“What version of Apache HTTP Server is running on the target host?“

Answer: The version is Apache httpd 2.4.41.

We know this because of our nmap scan (that you can see in image 2 ). The nmap scan, also gives us the information that we have a webpage. To see that webpage you just need to google:

http://<your_IP_here>

Here it is the output:

Note: If you couldn’t access the webpage, you should go to your “hosts” file and add the target machine IP

Task 8:

“What switch can we use with Gobuster to specify we are looking for specific filetypes?“

Answer: The switch is -x.

Task 9:

“Which PHP file can we identify with directory brute force that will provide the opportunity to authenticate to the web service?“

Answer: The file is login.php.

After knowing that we want a php file, I performed a directory brute force with gobuster and used the switch “-x” to tell gobuster that I was looking for php files. I did this with the following command:

gobuster dir -u http://<your_IP_here> -w /path/to/the/wordlists/dirbuster/directory-list-2.3-medium.txt -x php

The output was the following:

As you can see in the image above, the php file that will provide us the opportunity to authenticate to the web service is the “login.php” file.

So, I appended the file to the URL like so:

http://<your_IP_here>/login.php

The output was the following:

We now can try to login using as username “admin” and as password we can try every password that is in image 8. However, we can assume that the first username belongs to the first password and so on.

So, the password that belongs to the username admin is: rKXM59ESxesUFHAd

After doing login we can retrieve the flag, as you can see:

Submit root flag:

Thank you very much for reading!

Cheers,

SoBatista

Author Profile

SoBatista

Related Posts

• SoBatista

  https://mregraoncyber.com/author/sobatista/

  Hack the Box - Three
• SoBatista

  https://mregraoncyber.com/author/sobatista/

  Hack the Box - Responder
• SoBatista

  https://mregraoncyber.com/author/sobatista/

  Hack the Box - Sequel
• SoBatista

  https://mregraoncyber.com/author/sobatista/

  PicoCTF Writeup - Flags