# Crocodile

**Task 1**

What Nmap scanning switch employs the use of default scripts during a scan?

**Answer:**

* The answer is "-sC"

**Task 2**

What service version is found to be running on port 21?

**Answer:**

* Run the following:

```
nmap -sC -p 21 [IP]
```

* The answer is "vsFTPd 3.0.3"

**Task 3**

What FTP code is returned to us for the "Anonymous FTP login allowed" message?

**Answer:**

* Run the following to make sure ftp is installed:

```
sudo apt update
sudo apt install ftp
```

* Then run the following to connect to the ftp server:

```
ftp -p [IP]
```

* I then logged in as "anonymous"
* This returned a "230" code

**Task 4**

After connecting to the FTP server using the ftp client, what username do we provide when prompted to log in anonymously?

**Answer:**

* Use the username "anonymous"

**Task 5**

After connecting to the FTP server anonymously, what command can we use to download the files we find on the FTP server?

**Answer:**

* Use the following:

```
get [file.name]
```

**Task 6**

What is one of the higher-privilege sounding usernames in 'allowed.userlist' that we download from the FTP server?

**Answer:**

* Run the following:

```
# At the ftp> prompt: list the files on the FTP service, then download the user list
ls
get allowed.userlist
```

* On your system, run the following from the directory where you downloaded the userlist file:

```
cat allowed.userlist 
```

* This displays the names in the userlist, and "admin" seems to be the highest-privilege name on there

**Task 7**

What version of Apache HTTP Server is running on the target host?

**Answer:**

* Run the following on your machine to scan the target machine's port 80, which typically serves HTTP:

```
nmap -sV -p 80 [IP]
```

* This gives you the version of the Apache server: "Apache httpd 2.4.41"

**Task 8**

What switch can we use with Gobuster to specify we are looking for specific filetypes?

**Answer:**

* Run the following from your machine:

```
gobuster dir -h
```

* This will show all of the flag options for the dir mode of gobuster
* The answer is "-x"

**Task 9**

Which PHP file can we identify with directory brute force that will provide the opportunity to authenticate to the web service?

**Answer:**

* Run the following:

```
gobuster dir -x php -u http://[IP]/ -w /usr/share/dirb/wordlists/common.txt
```

* This gives me multiple subdomains. The answer is "login.php"

**Find the Flag:**

* Start by going back to the ftp server that is open.
* After you log into the server through the "anonymous" account again, there are two files that you can list out (ls).
* Use the following commands to view the files on the ftp server, download them, and then cat them on your system:

```
# At the ftp> prompt: view the files on the ftp server and download them
ls
get allowed.userlist
get allowed.userlist.passwd
# Back on your own system, in the download directory:
cat allowed.userlist
cat allowed.userlist.passwd
```

* You'll notice that the first file contains the usernames and the second one contains the passwords associated with those usernames.
* Open a web browser on your machine and go to `http://[IP]/login.php`
* Use the credentials for the admin
* admin:rKXM59ESxesUFHAd
* The flag will be on the page after you log in as admin, "c7110277ac44d78b6a9fff2232434d16"
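
On the server side, the anonymous login and the two downloads above show up in the FTP log. The following is an added example, not part of the original walkthrough, that flags anonymous sessions fetching credential-looking files; it assumes vsftpd's native log line layout, and the log lines, client addresses and filename patterns are constructed for illustration.

```python
import re

# Constructed sample lines, laid out like vsftpd's native log format (assumption).
SAMPLE_LOG = '''\
Mon Jan 15 10:02:11 2024 [pid 801] CONNECT: Client "203.0.113.7"
Mon Jan 15 10:02:14 2024 [pid 800] [ftp] OK LOGIN: Client "203.0.113.7", anon password "?"
Mon Jan 15 10:02:20 2024 [pid 802] [ftp] OK DOWNLOAD: Client "203.0.113.7", "/allowed.userlist", 33 bytes, 0.41Kbyte/sec
Mon Jan 15 10:02:23 2024 [pid 802] [ftp] OK DOWNLOAD: Client "203.0.113.7", "/allowed.userlist.passwd", 62 bytes, 0.77Kbyte/sec
Mon Jan 15 10:05:40 2024 [pid 910] [alice] OK LOGIN: Client "198.51.100.4"
Mon Jan 15 10:05:52 2024 [pid 912] [alice] OK DOWNLOAD: Client "198.51.100.4", "/home/alice/report.pdf", 48211 bytes, 912.30Kbyte/sec
Mon Jan 15 10:09:03 2024 [pid 950] [ftp] OK LOGIN: Client "192.0.2.55", anon password "guest@"
Mon Jan 15 10:09:09 2024 [pid 952] [ftp] OK DOWNLOAD: Client "192.0.2.55", "/pub/README", 120 bytes, 1.10Kbyte/sec
'''

# Captures the session user, the action, the client and (for downloads) the path.
EVENT = re.compile(
    r'\[pid \d+\] \[(?P<user>[^\]]+)\] OK (?P<action>LOGIN|DOWNLOAD): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)
# Hypothetical name patterns for files that should never sit in an anonymous share.
SENSITIVE = re.compile(r'(passw|userlist|shadow|cred|secret|\.key$|\.pem$)', re.I)
ANON_USERS = {"ftp", "anonymous"}


def find_anonymous_leaks(log_text):
    """Return {client: [paths]} for anonymous sessions that downloaded sensitive-looking files."""
    leaks = {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m or m["user"] not in ANON_USERS:
            continue
        if m["action"] == "DOWNLOAD" and SENSITIVE.search(m["path"]):
            leaks.setdefault(m["client"], []).append(m["path"])
    return leaks


def anonymous_clients(log_text):
    """Return the set of clients that completed an anonymous login."""
    return {
        m["client"]
        for m in map(EVENT.search, log_text.splitlines())
        if m and m["action"] == "LOGIN" and m["user"] in ANON_USERS
    }


if __name__ == "__main__":
    print("anonymous logins:", sorted(anonymous_clients(SAMPLE_LOG)))
    for client, paths in find_anonymous_leaks(SAMPLE_LOG).items():
        print(f"ALERT {client} fetched {paths} over anonymous FTP")
```

Any hit here means credentials exposed over anonymous FTP should be treated as compromised and rotated everywhere they are reused, including the web login.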
