Crocodile Writeup

Continuing with the Tier 1 boxes on Starting Point. Moving forward there will be a slight adjustment to how posts are made. Instead of compiling multiple writeups into a single post, each writeup will have its own post. Next up is Crocodile.


Recon

Started with the basic nmap scan.

┌──(crimson㉿crimson)-[~/HTB/Starting Point/Crodile]
└─$ sudo nmap -sC -sV -oA nmap/initial $tgt
[sudo] password for crimson: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-18 19:50 CDT
Nmap scan report for 10.129.83.170
Host is up (0.050s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
|_-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.14.12
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Smash - Bootstrap Business Template
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.89 seconds

There are two ports open – 21 running FTP and 80 running a web server. FTP seems the most lucrative given what we see on the nmap scan.

FTP

Connected to the FTP server with an anonymous login. Downloaded both files since they have interesting filenames.

┌──(crimson㉿crimson)-[~/HTB/Starting Point/Crodile]
└─$ ftp $tgt
Connected to 10.129.83.170.
220 (vsFTPd 3.0.3)
Name (10.129.83.170:crimson): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||44742|)
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
226 Directory send OK.
ftp> get allowed.userlist
local: allowed.userlist remote: allowed.userlist
229 Entering Extended Passive Mode (|||44451|)
150 Opening BINARY mode data connection for allowed.userlist (33 bytes).
100% |**********************************************************************|    33        7.24 KiB/s    00:00 ETA
226 Transfer complete.
33 bytes received in 00:00 (0.60 KiB/s)
ftp> get allowed.userlist.passwd
local: allowed.userlist.passwd remote: allowed.userlist.passwd
229 Entering Extended Passive Mode (|||40171|)
150 Opening BINARY mode data connection for allowed.userlist.passwd (62 bytes).
100% |**********************************************************************|    62        1.47 MiB/s    00:00 ETA
226 Transfer complete.
62 bytes received in 00:00 (1.20 KiB/s)
ftp> exit
221 Goodbye.

The files contained usernames and passwords as we might assume. Let’s see what is running on port 80.
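From the defender's side, the nmap and FTP output above maps to three server-side problems: anonymous logins, credential files in the anonymous root, and plain-text control and data connections. The following is an added example (not part of the original writeup or the box's real configuration) that audits a vsftpd.conf for them; both sample configs are constructed, and the filename heuristic is an assumption.

```python
import re

# Compiled-in defaults per the vsftpd.conf man page for the two options checked.
DEFAULTS = {"anonymous_enable": "YES", "ssl_enable": "NO"}
# Assumed heuristic for filenames that suggest credential material.
SENSITIVE = re.compile(r"passw|userlist|shadow|cred|id_rsa|\.key$", re.I)

# Constructed sample configs (not taken from the target box).
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
"""
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""
# Filenames from the anonymous directory listing shown in the writeup.
ANON_LISTING = ["allowed.userlist", "allowed.userlist.passwd"]

def parse_conf(text):
    """Parse vsftpd's option=value lines; '#' starts a comment line."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip().lower()] = value.strip()
    return opts

def audit(conf_text, anon_listing=()):
    """Return findings for anonymous access, exposed files and plaintext transport."""
    opts = parse_conf(conf_text)
    findings = []
    if opts["anonymous_enable"].upper() == "YES":
        findings.append("anonymous_enable=YES: unauthenticated logins accepted")
        findings += [f"anonymously readable: {n}" for n in anon_listing
                     if SENSITIVE.search(n)]
    if opts["ssl_enable"].upper() != "YES":
        findings.append("ssl_enable is not YES: control and data connections are plain text")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf, ANON_LISTING))
```

An empty config is also flagged, because vsftpd's built-in default for anonymous_enable is YES unless the file overrides it.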

HTTP

Before navigating to the web server, let’s start some recon in the background.

┌──(crimson㉿crimson)-[~/HTB/Starting Point/Crodile]
└─$ gobuster dir -u $tgt -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -x html -o gobuster.root
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.83.170
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/raft-small-words.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html
[+] Timeout:                 10s
===============================================================
2022/05/18 20:07:50 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/.html.html           (Status: 403) [Size: 278]
/js                   (Status: 301) [Size: 311] [--> http://10.129.83.170/js/]
/index.html           (Status: 200) [Size: 58565]                             
/css                  (Status: 301) [Size: 312] [--> http://10.129.83.170/css/]
/.htm.html            (Status: 403) [Size: 278]                                
/.htm                 (Status: 403) [Size: 278]                                
/assets               (Status: 301) [Size: 315] [--> http://10.129.83.170/assets/]
/.                    (Status: 200) [Size: 58565]                                 
/fonts                (Status: 301) [Size: 314] [--> http://10.129.83.170/fonts/] 
/.htaccess            (Status: 403) [Size: 278]                                   
/.htaccess.html       (Status: 403) [Size: 278]                                   
/dashboard            (Status: 301) [Size: 318] [--> http://10.129.83.170/dashboard/]

Navigating to the webpage did not show anything of interest, but gobuster shows a directory named dashboard, so let’s navigate to that. We are greeted with a login page. What a coincidence that we just found a list of usernames and passwords.
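The gobuster run above leaves a distinctive trail in the web server's access log: one client requesting many distinct paths and mostly receiving 403/404. The following is an added example (not from the original writeup) of detection logic over Apache combined-format lines; the log lines are constructed, and the thresholds and the 192.0.2.10 client are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" log format: client ip, request path, status, user agent.
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# Constructed sample log; paths and the gobuster user agent mirror the run above.
_SCAN = [("/.html", 403), ("/.php", 403), ("/js", 301), ("/index.html", 200),
         ("/.htaccess", 403), ("/admin", 404), ("/backup.html", 404),
         ("/dashboard", 301)]
SAMPLE_LOG = [
    f'10.10.14.12 - - [18/May/2022:20:07:51 -0500] "GET {p} HTTP/1.1" {s} 278 '
    f'"-" "gobuster/3.1.0"' for p, s in _SCAN
] + [
    '192.0.2.10 - - [18/May/2022:20:08:02 -0500] "GET / HTTP/1.1" 200 58565 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [18/May/2022:20:08:03 -0500] "GET /css/style.css HTTP/1.1" 200 912 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [18/May/2022:20:08:03 -0500] "GET /missing.png HTTP/1.1" 404 278 "-" "Mozilla/5.0"',
]

def detect_enumeration(lines, min_paths=5, min_miss_ratio=0.6):
    """Flag clients that probe many distinct paths and mostly get 403/404 back."""
    stats = defaultdict(
        lambda: {"paths": set(), "miss": 0, "total": 0, "tool_ua": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, path, status, agent = m.groups()
        s = stats[ip]
        s["paths"].add(path)
        s["total"] += 1
        s["miss"] += status in ("403", "404")
        s["tool_ua"] |= "gobuster" in agent.lower()
    alerts = {}
    for ip, s in stats.items():
        ratio = s["miss"] / s["total"]
        # User agents are client-controlled, so the ratio rule works without them.
        if s["tool_ua"] or (len(s["paths"]) >= min_paths and ratio >= min_miss_ratio):
            alerts[ip] = {"paths": len(s["paths"]), "miss_ratio": ratio,
                          "tool_ua": s["tool_ua"]}
    return alerts

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))
```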