Crocodile

Task 1

What Nmap scanning switch employs the use of default scripts during a scan?

Answer:

  • The answer is "-sC"

Task 2

What service version is found to be running on port 21?

Answer:

  • Run the following:

nmap -sC -p 21 [IP]
  • The answer is "vsFTPd 3.0.3"

Task 3

What FTP code is returned to us for the "Anonymous FTP login allowed" message?

Answer:

  • Run the following to make sure ftp is installed:

sudo apt update
sudo apt install ftp
  • Then run the following to connect to the ftp server:

ftp -p [IP]
  • I then logged in as "anonymous"

  • This returned a "230" code

Task 4

After connecting to the FTP server using the ftp client, what username do we provide when prompted to log in anonymously?

Answer:

  • Use the username "anonymous"

Task 5

After connecting to the FTP server anonymously, what command can we use to download the files we find on the FTP server?

Answer:

  • Use the following:

get [file.name]

Task 6

What is one of the higher-privilege sounding usernames in 'allowed.userlist' that we download from the FTP server?

Answer:

  • Run the following:

ls # List the files on the ftp service
get allowed.userlist # Download the file
  • On your system, run the following from the directory where you downloaded the userlist file:

cat allowed.userlist 
  • This displays the names in the userlist, and "admin" seems to be the highest-privilege name on there

Task 7

What version of Apache HTTP Server is running on the target host?

Answer:

  • Run the following on your machine to scan the target machine's port 80, which typically serves HTTP:

nmap -sV -p 80 [IP]
  • This gives you the version of the Apache server: "Apache httpd 2.4.41"

Task 8

What switch can we use with Gobuster to specify we are looking for specific filetypes?

Answer:

  • Run the following from your machine

gobuster dir -h
  • This will show all of the flag options for the dir mode of gobuster

  • The answer is "-x"

Task 9

Which PHP file can we identify with directory brute force that will provide the opportunity to authenticate to the web service?

Answer:

  • Run the following:

gobuster dir -x php -u http://[IP]/ -w /usr/share/dirb/wordlists/common.txt
  • This gives me multiple subdomains. The answer is "login.php"

Find the Flag:

  • Start by going back to the ftp server that is open.

  • After you log into the server through the "anonymous" account again, there are two files that you can list out (ls).

  • Use the following commands to view the files on the ftp server, download them, and then cat them on your system

ls # View the files on the ftp server
get allowed.userlist
get allowed.userlist.passwd
cat allowed.userlist
cat allowed.userlist.passwd
  • You'll notice that the first file contains the usernames and the second one contains the passwords associated with those usernames.

  • Open a web browser on your machine and go to [IP]/login.php

  • Use the credentials for the admin

  • admin:rKXM59ESxesUFHAd

  • The flag will be on the page after you log in as admin, "c7110277ac44d78b6a9fff2232434d16"
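
From the defender's side, the anonymous session above leaves a trace in the FTP server log. The following is an added example, not part of the original walkthrough: a small detector that flags credential-looking files downloaded over anonymous FTP. It assumes vsftpd's native log format (xferlog_std_format=NO), in which anonymous sessions are logged as the user "ftp"; the log lines, client addresses, the "deploy" user and the watch-list pattern are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed vsftpd native log format.
SAMPLE_LOG = """\
Tue Mar  5 10:14:01 2024 [pid 2101] CONNECT: Client "10.0.0.5"
Tue Mar  5 10:14:03 2024 [pid 2100] [ftp] OK LOGIN: Client "10.0.0.5", anon password "?"
Tue Mar  5 10:14:09 2024 [pid 2102] [ftp] OK DOWNLOAD: Client "10.0.0.5", "/allowed.userlist", 33 bytes, 0.41Kbyte/sec
Tue Mar  5 10:14:12 2024 [pid 2102] [ftp] OK DOWNLOAD: Client "10.0.0.5", "/allowed.userlist.passwd", 62 bytes, 0.77Kbyte/sec
Tue Mar  5 10:20:44 2024 [pid 2230] [deploy] OK LOGIN: Client "10.0.0.9"
Tue Mar  5 10:20:50 2024 [pid 2231] [deploy] OK DOWNLOAD: Client "10.0.0.9", "/releases/site.tar.gz", 48211 bytes, 512.00Kbyte/sec
Tue Mar  5 10:31:02 2024 [pid 2300] [ftp] OK LOGIN: Client "10.0.0.7", anon password "?"
Tue Mar  5 10:31:08 2024 [pid 2301] [ftp] OK DOWNLOAD: Client "10.0.0.7", "/pub/readme.txt", 120 bytes, 1.10Kbyte/sec
"""

# One log event: user in brackets, status, action, client IP, optional quoted path.
EVENT = re.compile(
    r'\[pid \d+\] \[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) (?P<action>LOGIN|DOWNLOAD): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)
# Hypothetical watch list: file names that suggest stored credentials.
SENSITIVE = re.compile(r'(passwd|password|userlist|shadow|credential|id_rsa)', re.I)
# Assumption: anonymous sessions appear under one of these user names.
ANON_USERS = {"ftp", "anonymous"}


def find_anonymous_credential_downloads(log_text):
    """Return {client_ip: [paths]} for sensitive files fetched by anonymous sessions."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m or m["status"] != "OK" or m["action"] != "DOWNLOAD":
            continue  # only successful downloads are of interest here
        if m["user"] in ANON_USERS and SENSITIVE.search(m["path"] or ""):
            hits[m["client"]].append(m["path"])
    return dict(hits)


if __name__ == "__main__":
    for client, paths in find_anonymous_credential_downloads(SAMPLE_LOG).items():
        print(f"ALERT anonymous FTP client {client} downloaded: {', '.join(paths)}")
```

The underlying fix is on the server: disable anonymous login (anonymous_enable=NO in vsftpd.conf) and keep credential files out of any FTP-served directory.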
