HTB: Crocodile Walkthrough

Writeup — Crocodile By Araiz Naqvi

Prepared By Araiz Naqvi.

Overview

- Difficulty: Easy
- Operating System: Linux
- Objective: Find a way to break in.
- Tools Used: nmap, FTP, curl, gobuster


I tend to start by enumerating as much basic information as I need before delving deeper.

Performing Nmap Scans

As usual, the very first step is to figure out which ports, and hence which services, are actually open. This will set the stage for how we will try to break in.
Let’s start with a stealth scan with ARP pings disabled to figure out what ports are open:

It is clear that the following ports are open:
- 21 ~ FTP
- 80 ~ HTTP

Now, let’s move further and scan for service versions and run the default scripts on these three ports:

From this I interpreted the following information:
- FTP runs on 21 exposing a ProFTPD server which allows for anonymous login
- This FTP server is also giving unrestricted access to two files that seem to be important and to hold credentials.
- HTTP runs on 80 exposing an Apache httpd 2.4.41 server, which confirms the use of Ubuntu and hints at the presence of a webpage.

Let’s move on to grabbing banners to see if something comes up.

Banner Grabbing

Let’s call back for some banners. You never know: they sometimes come back with some really important information and confirm the service versions in use.

For HTTP, I first used nc, but it did not come back with anything, so I used curl with the -IL flags, where -I fetches only the HTTP headers and -L allows curl to follow a redirect if the response says, for example, that the website has been redirected to x.

This confirms all the data from the Nmap scans.
Apart from that, nothing very special.

Gobuster Directory Enumeration

While I browse through the webpage, I want gobuster dir enumeration running, so that if I hit a dead end I have something to work with.

Next up, I did some gobuster enumeration.
First, I used the text file from SecLists called common.txt:

Clearly, nothing came up.
Secondly, I used another text file, this time specifically targeting PHP directories:

As seen, login.php is available to check out!


Logging into FTP

As we had found earlier, FTP is allowing anonymous login.
So, let’s try that:

And we’re in!
Let’s enumerate content:

Let’s download both of these using the get command:

Let’s exit and read the files we just found:

Clearly, these look like usernames and passwords:
- aron:root
- pwnmeow:Supersecretpassword1
- egotisticalsw:@BaASD&9032123sADS
- admin:rKXM59ESxesUFHAd
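
From the defender's side, the anonymous login and the two downloads above leave a trail in the FTP transfer log. The following is an added example, not part of the original writeup: it assumes the server writes a standard xferlog-format transfer log, and the log lines, file names, addresses and the keyword list are all constructed for illustration.

```python
import re

# xferlog fields after the timestamp: transfer-time host size filename type
# action direction access-mode user service auth-method auth-id status
XFERLOG = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) (?P<secs>\d+) (?P<host>\S+) "
    r"(?P<size>\d+) (?P<path>.+) (?P<type>[ab]) (?P<action>\S+) "
    r"(?P<direction>[oid]) (?P<mode>[agr]) (?P<user>\S+) (?P<service>\S+) "
    r"(?P<auth>[01]) (?P<authid>\S+) (?P<status>[ci])$"
)
# Hypothetical heuristic for file names that suggest stored credentials.
SENSITIVE = re.compile(
    r"pass|cred|secret|shadow|htpasswd|users?[._-]?list|\.(key|pem)$", re.I)

# Constructed sample log (documentation-range addresses, made-up file names).
SAMPLE_LOG = """\
Mon Mar  4 10:15:02 2024 1 203.0.113.7 33 /users.list a _ o a anonymous@ ftp 0 * c
Mon Mar  4 10:15:04 2024 1 203.0.113.7 62 /users.list.passwd a _ o a anonymous@ ftp 0 * c
Mon Mar  4 10:20:11 2024 2 198.51.100.9 4096 /pub/readme.txt a _ o a guest@example.org ftp 0 * c
Mon Mar  4 11:02:45 2024 3 192.0.2.15 2048 /home/dev/passwords.kdbx b _ o r dev ftp 0 * c
Mon Mar  4 11:30:00 2024 1 203.0.113.50 62 /users.list.passwd a _ o a anonymous@ ftp 0 * i
""".splitlines()

def parse(line):
    """Return the xferlog fields as a dict, or None for a malformed line."""
    m = XFERLOG.match(line.strip())
    return m.groupdict() if m else None

def anonymous_credential_downloads(lines):
    """Map client host -> sensitive-looking files it fully downloaded anonymously."""
    hits = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        # mode 'a' = anonymous session, direction 'o' = download, 'c' = completed
        if (rec["mode"], rec["direction"], rec["status"]) != ("a", "o", "c"):
            continue
        if SENSITIVE.search(rec["path"]):
            hits.setdefault(rec["host"], []).append(rec["path"])
    return hits

if __name__ == "__main__":
    for host, paths in anonymous_credential_downloads(SAMPLE_LOG).items():
        print(f"ALERT {host}: anonymous download of {', '.join(paths)}")
```

Any hit also means the listed files should never have been readable by the anonymous account in the first place, so the alert doubles as a configuration finding.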

Let’s return to the browser and log in using these creds; most importantly, I’m going to use admin:


