概要
HackTheBox:Crocodileのflagを入手する手順を記す。
Port Scan
$ nmap -A -sV crocodile.htb --min-rate 5000
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-15 23:11 EDT
Nmap scan report for crocodile.htb (10.129.224.242)
Host is up (0.25s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
|_-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.43
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Smash - Bootstrap Business Template
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.59 seconds
Anonymous FTPとHTTPが提供されていることが分かる。
FTP
anonymousとしてftpを接続してみる。
$ ftp crocodile.htb
Connected to crocodile.htb.
220 (vsFTPd 3.0.3)
Name (crocodile.htb:kali): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||40683|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
226 Directory send OK.
ftp> get allowed.userlist
local: allowed.userlist remote: allowed.userlist
229 Entering Extended Passive Mode (|||44765|)
150 Opening BINARY mode data connection for allowed.userlist (33 bytes).
100% |**********************************************************************| 33 37.55 KiB/s 00:00 ETA
226 Transfer complete.
33 bytes received in 00:00 (0.12 KiB/s)
ftp> get allowed.userlist.passwd
local: allowed.userlist.passwd remote: allowed.userlist.passwd
229 Entering Extended Passive Mode (|||40234|)
150 Opening BINARY mode data connection for allowed.userlist.passwd (62 bytes).
100% |**********************************************************************| 62 193.44 KiB/s 00:00 ETA
226 Transfer complete.
62 bytes received in 00:00 (0.24 KiB/s)
ftp>
以下のファイルが手に入る。
$ cat allowed.userlist
aron
pwnmeow
egotisticalsw
admin
$ cat allowed.userlist.passwd
root
Supersecretpassword1
@BaASD&9032123sADS
rKXM59ESxesUFHAd
HTTP
http://crocodile.htb にアクセスするが目ぼしいものは見つけられない。
ディレクトリ探索
$ gobuster dir -u http://crocodile.htb -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://crocodile.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/09/15 23:21:14 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/assets (Status: 301) [Size: 315] [--> http://crocodile.htb/assets/]
/css (Status: 301) [Size: 312] [--> http://crocodile.htb/css/]
/dashboard (Status: 301) [Size: 318] [--> http://crocodile.htb/dashboard/]
/fonts (Status: 301) [Size: 314] [--> http://crocodile.htb/fonts/]
/index.html (Status: 200) [Size: 58565]
/js (Status: 301) [Size: 311] [--> http://crocodile.htb/js/]
/server-status (Status: 403) [Size: 278]
/dashboardが見つかった。
/dashboardにアクセス
/dashboardにアクセスすると/login.phpにリダイレクトされる。
ここでuserlistとpasswdを使ってログインを試行する。
結果的にadmin:rKXM59ESxesUFHAdでログインは成功する。
ログイン後画面にflagが表示される。
以上