[HTB] Crocodile

What Nmap scanning switch employs the use of default scripts during a scan?

-sC

What service version is found to be running on port 21?

vsftpd 3.0.3

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sC -sV 10.129.60.250
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-13 00:54 EDT
Nmap scan report for 10.129.60.250
Host is up (0.034s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.14.28
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
|_-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Smash - Bootstrap Business Template
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.08 seconds

What FTP code is returned to us for the “Anonymous FTP login allowed” message?

230
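As an added example (not part of the original write-up), a small Python audit script that reads the ftp-syst and ftp-anon script output from the scan above and turns it into the findings a defender would raise: anonymous login accepted, which files an anonymous user can read, and unencrypted control/data channels. The sample input is the FTP portion of the scan, embedded inline; the function names are my own.

```python
import re

# Constructed sample: the FTP-related lines of the nmap -sC -sV output above.
NMAP_OUTPUT = """\
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|      Control connection is plain text
|      Data connections will be plain text
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
|_-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
ANON_RE = re.compile(r"ftp-anon: Anonymous FTP login allowed \(FTP code (\d+)\)")
# Unix-style entry printed by ftp-anon: mode, links, owner, group, size, date (3 fields), name.
LIST_RE = re.compile(r"^\|_?\s*([-dl][rwx-]{9})\s+\d+\s+\S+\s+\S+\s+(\d+)\s+\S+\s+\d+\s+\S+\s+(\S+)$")

def parse_ftp_findings(text):
    """Collect FTP exposure facts from nmap normal output (only the ftp port's section)."""
    f = {"anonymous": False, "ftp_code": None, "plaintext": False, "files": []}
    in_ftp = False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:                        # new port line: track whether we are in the ftp section
            in_ftp = m.group(3) == "ftp"
            continue
        if not in_ftp:
            continue
        m = ANON_RE.search(line)
        if m:
            f["anonymous"], f["ftp_code"] = True, int(m.group(1))
        elif "plain text" in line:   # ftp-syst STAT reports unencrypted channels
            f["plaintext"] = True
        elif (m := LIST_RE.match(line)):
            f["files"].append({"mode": m.group(1), "size": int(m.group(2)), "name": m.group(3)})
    return f

def risk_report(f):
    """One finding per line, as a defender would write them up."""
    issues = []
    if f["anonymous"]:
        issues.append(f"anonymous login accepted (FTP code {f['ftp_code']})")
    for e in f["files"]:
        if e["mode"][0] == "-" and e["mode"][7] == "r":   # regular file, world-readable
            issues.append(f"file readable by anonymous users: {e['name']} ({e['size']} bytes)")
    if f["plaintext"]:
        issues.append("control and data connections are plain text (no TLS)")
    return issues
```

Running `risk_report(parse_ftp_findings(NMAP_OUTPUT))` on the sample yields four findings, the two exposed files among them.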

After connecting to the FTP server using the ftp client, what username do we provide when prompted to log in anonymously?

anonymous

After connecting to the FTP server anonymously, what command can we use to download the files we find on the FTP server?

get

What is one of the higher-privilege sounding usernames in allowed.userlist that we download from the FTP server?

admin

┌──(kali㉿kali)-[~/Desktop]
└─$ ls
allowed.userlist  allowed.userlist.passwd  hash-id.py  ntlm_1605054722641.txt  openvpn  pico

┌──(kali㉿kali)-[~/Desktop]
└─$ cat allowed.userlist
aron
pwnmeow
egotisticalsw
admin

What version of Apache HTTP Server is running on the target host?

Apache httpd 2.4.41

What switch can we use with Gobuster to specify we are looking for specific filetypes?

-x

gobuster dir --help revealed the -x option.

Which PHP file can we identify with directory brute force that will provide the opportunity to authenticate to the web service?

login.php

The following gobuster command, run with the dirbuster wordlist, revealed the PHP files on the target host: gobuster dir -u http://10.129.60.250 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php

-u: target URL

-w: wordlist

-x: file extensions to look for

┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -u http://10.129.60.250 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.60.250
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 278]
/login.php (Status: 200) [Size: 1577]
/assets (Status: 301) [Size: 315] [--> http://10.129.60.250/assets/]
/css (Status: 301) [Size: 312] [--> http://10.129.60.250/css/]
/js (Status: 301) [Size: 311] [--> http://10.129.60.250/js/]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/config.php (Status: 200) [Size: 0]
/fonts (Status: 301) [Size: 314] [--> http://10.129.60.250/fonts/]
/dashboard (Status: 301) [Size: 318] [--> http://10.129.60.250/dashboard/]

Submit root flag

c7110277ac44d78b6a9fff2232434d16

From the earlier task, we downloaded two files from the FTP server:

  1. allowed.userlist
  2. allowed.userlist.passwd

and we confirmed that the username admin is present in the user list. As the passwd file shows, the password for admin is rKXM59ESxesUFHAd.

From the gobuster output, we found there was a /login.php page, so I navigated to it, entered the credentials we had found on the FTP server, and finally found the flag.

#Hack The Box