Crocodile is another starting point vulnerable machine that contains a misconfigured service that leaks information that might allow you to impersonate the digital identity of a victim.
Tackling an example sewed together from two other previous targets, we will be looking at an insecure access configuration on FTP and an administrative login for a website. Let us proceed to deconstruct this vector and analyze its components.
Enumeration
We will start by enumerating the target. Our first step is, as always, a thorough nmap scan. By using the following two switches, we ensure that nmap analyses the service running on every port found in the open state and returns a mostly exact service version in its output, and that all of the default analysis scripts are run against the target, as we are not constrained in how intrusive our scan may be. Running the scan as described, we receive results like those seen below, including snippets of directories the scan has found for us!
- -sC: performs a script scan using the default set of scripts. It is equivalent to --script=default. Some of the scripts in this category are considered intrusive and should not be run against a target network without permission.
- -sV: Enables version detection, which will detect what versions are running on what port.
We have two open ports, which are 21 and 80.
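The scan output described above can be checked mechanically as well as by eye. The following is an added example (not from the original write-up) that parses nmap "normal" output and flags the two findings this box turns on: anonymous FTP and files readable without credentials. The sample output is constructed; the ports, versions and FTP code match the write-up, while the file names and page title are placeholders.

```python
import re

# Constructed sample of nmap -sC -sV output modelled on the scan above.
SAMPLE_NMAP = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp            33 Jun 08  2021 userlist.txt
|_-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 passwords.txt
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Example Hosting
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")
# ftp-anon prints an ls-style listing; capture the file name at the end.
LISTING_RE = re.compile(
    r"^\|_?\s*[-dl][rwxsStT-]{9}\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(\S+)$")

def parse_nmap(text):
    """Return {port: info} for every port line, with script results attached."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current = {"proto": proto, "state": state, "service": service,
                       "version": version.strip(), "scripts": {}, "anon_files": []}
            ports[int(port)] = current
            continue
        if current is None:
            continue
        m = LISTING_RE.match(line)
        if m:
            current["anon_files"].append(m.group(1))
            continue
        m = SCRIPT_RE.match(line)
        if m:
            current["scripts"][m.group(1)] = m.group(2)
    return ports

def risky_findings(ports):
    """Flag anonymous FTP and every file it exposes, per port."""
    findings = []
    for port, info in ports.items():
        if "Anonymous FTP login allowed" in info["scripts"].get("ftp-anon", ""):
            findings.append(f"port {port}: anonymous FTP enabled ({info['version']})")
            for name in info["anon_files"]:
                findings.append(f"port {port}: readable anonymously: {name}")
    return findings
```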
Using the FTP Client tool
Users could connect to the FTP server anonymously if the server is configured to allow it, meaning that we could use it even if we had no valid credentials. If we look back at our Nmap scan result, the FTP server is indeed configured to allow anonymous login.
To connect to the remote FTP server, you need to specify the target's IP address (or hostname), as displayed on the Starting Point lab page. The prompt will then ask us for our login credentials, which is where we fill in the anonymous username. In our case, the FTP server does not request a password, and entering the anonymous username is enough for us to receive the 230 code and log in successfully.
We will use ls and get to list the directories and manipulate the files stored on the FTP server. With the ls command, we can check the contents of our current directory on the remote host, where two interesting files catch our attention. They seem to be files left over from the configuration of another service on the host, most likely the HTTPd Web Server. Their names are descriptive, hinting towards a possible username list and associated passwords.
Both files can easily be downloaded using the get command. The FTP service will report the download completion status back to you during this phase. It should not take long to have them both sitting snugly on your attacking VM.
Termination of the FTP connection can be done by using the bye command. This will return the current terminal tab to its previous state.
Immediately after exiting the FTP service shell, we can type in the ls command to check if our files are present in the directory we were last positioned in. In order to read their contents and discover usernames and passwords within, we can use the cat command, followed by the name of the file we want to open.
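The root cause on the FTP side is a server configuration, not a bug. As an added example (not part of the original write-up), here is an audit of vsftpd.conf that puts the weak configuration that produces the behaviour seen above beside a hardened one. Both config fragments are constructed; the directive names are vsftpd's own, and the assumption that a missing anonymous_enable line means YES follows vsftpd.conf(5), which documents YES as the default.

```python
# Constructed vsftpd.conf fragments: weak (anonymous, no local users) and hardened.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_root=/var/ftp
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
ssl_enable=YES
"""

def parse_vsftpd(text):
    """Parse key=value lines of a vsftpd.conf, skipping comments and blanks."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit_vsftpd(text):
    """Return findings for the exposures this box demonstrates; [] means clean."""
    conf = parse_vsftpd(text)
    flag = lambda k, default="NO": conf.get(k, default).upper() == "YES"
    findings = []
    # vsftpd.conf(5) documents anonymous_enable as defaulting to YES, so an
    # absent line is treated as anonymous access being on.
    if flag("anonymous_enable", default="YES"):
        findings.append("anonymous_enable=YES: unauthenticated login succeeds (FTP code 230)")
        if conf.get("anon_root"):
            findings.append(f"anon_root={conf['anon_root']}: everything under it is "
                            "readable by anyone; credential files must not live here")
        if flag("write_enable") and flag("anon_upload_enable"):
            findings.append("anonymous uploads are enabled")
    if not flag("ssl_enable"):
        findings.append("ssl_enable is not YES: FTP credentials cross the network in clear text")
    return findings
```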
Foothold
After the credentials have been obtained, the next step is to check whether they are used on the FTP service for elevated access or on the webserver running on port 80 discovered during the Nmap scan. Attempting to log in with any of the credentials on the FTP server returns error code 530: This FTP server is anonymous only. No luck here, so we can exit the FTP service shell.
However, we have one option left. During the Nmap scan, the service running on port 80 was reported as Apache httpd 2.4.41, an Apache HTTP server. Typing in the IP address of the target into our browser's URL search bar results in this webpage. It seems to be a storefront for a server hosting company.
Reading about the target is helpful, but only at a surface level. In order to gain more insight into the technology they have used to create their website and possibly find any associated vulnerabilities, we can use a handy browser plug-in called Wappalyzer.
Using Wappalyzer
This plug-in analyzes the web page's code and returns all the different technologies used to build it, such as the webserver type, JavaScript libraries, programming languages, and more.
Wappalyzer is available as a browser extension for both Chrome and Firefox.
Once installed, you can access Wappalyzer by pressing on its icon at the top right of the browser window. Below are the results for our current target.
From the output of Wappalyzer, we can note some of the more interesting items, specifically the PHP programming language used to build the web page. However, nothing gives us a direct plan of attack for now. Meanwhile, navigating around the page using the tabs and buttons provided on it leads us nowhere. Referencing previous write-ups, there is mention of a different, more direct way of finding hidden or hard-to-reach directories and pages, and that is through directory busting (dir busting).
Using Gobuster
Using gobuster as our tool of choice, we can use the following switches to get the fastest, most accurate results.
- dir : Uses directory/file enumeration mode.
- -u : The target URL.
- -w : Path to the wordlist.
- -x : File extension(s) to search for.
For the -x switch, we can specify PHP and HTML to filter out all the unnecessary clutter that does not interest us.
PHP and HTML files will most commonly be pages. We might get lucky and find an administrative panel login page that could help us find leverage against the target in combination with the credentials we extracted from the FTP server.
One of the most interesting files gobuster retrieved is the /login.php page. Navigating manually to the URL, in the form of http://10.129.57.249/login.php, we are met with a login page asking for a username/password combination.
If the lists of credentials we found had been longer, we could have used a Metasploit module or a login brute-force script to run through combinations from both lists faster than manual labor. In this case, however, the lists are relatively small, allowing us to attempt logging in manually.
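Both the gobuster run and repeated login attempts against /login.php leave a distinctive trace in the Apache access log, which is the defender's side of this section. The following is an added example (not from the original write-up) that parses combined-format log lines and raises an alert when one client exceeds a threshold of 404s, or of POSTs to the login page, inside a sliding time window. The log lines are constructed, with RFC 5737 documentation addresses; the thresholds are illustrative defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed Apache combined-format lines: one benign request, then a burst of
# 404s as a wordlist scan produces, then repeated POSTs to the login page.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Apr/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5812 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2021:10:00:02 +0000] "GET /admin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2021:10:00:02 +0000] "GET /backup.html HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2021:10:00:03 +0000] "GET /test.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2021:10:00:03 +0000] "GET /old.html HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2021:10:01:10 +0000] "POST /login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2021:10:01:12 +0000] "POST /login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2021:10:01:15 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse_log(text):
    """Yield (ip, timestamp, method, path, status) for every parseable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def detect(text, window=60, max_404=3, max_login_posts=2, login_path="/login.php"):
    """Return sorted (ip, kind) pairs whose 404s ("dirbust") or login POSTs
    ("login-guessing") exceed the threshold inside a window of `window` seconds."""
    buckets = defaultdict(list)  # (ip, kind) -> timestamps still inside the window
    alerts = set()
    for ip, ts, method, path, status in parse_log(text):
        if status == 404:
            kind, limit = "dirbust", max_404
        elif method == "POST" and path == login_path:
            kind, limit = "login-guessing", max_login_posts
        else:
            continue
        times = buckets[(ip, kind)]
        times.append(ts)
        while (ts - times[0]).total_seconds() > window:  # expire old events
            times.pop(0)
        if len(times) > limit:
            alerts.add((ip, kind))
    return sorted(alerts)
```

In production the same logic would read the live access log and feed alerts to a rate limiter or fail2ban-style ban, with thresholds tuned to the site's normal 404 rate.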
Task Answers
TASK 1: What nmap scanning switch employs the use of default scripts during a scan?
Ans. -sC
TASK 2: What service version is found to be running on port 21?
Ans. vsftpd 3.0.3
TASK 3: What FTP code is returned to us for the "Anonymous FTP login allowed" message?
Ans. 230
TASK 4: What command can we use to download the files we find on the FTP server?
Ans. get
TASK 5: What is one of the higher-privilege-sounding usernames in the list we retrieved?
Ans. admin
TASK 6: What version of Apache HTTP Server is running on the target host?
Ans. 2.4.41
TASK 7: What is the name of a handy website analysis plug-in we can install in our browser?
Ans. Wappalyzer
TASK 8: What switch can we use with gobuster to specify we are looking for specific file types?
Ans. -x
TASK 9: What file have we found that can provide us a foothold on the target?
Ans. login.php