Machine / Machines

Crocodile

By Jennofrie Daguil · Cybersecurity and Red Team Operator

FTP Anonymous Access → Credential Lists → Web Admin Login → Flag 1. Anonymous FTP is a goldmine — Always check for anonymous access and download everything. 2. Positional pairing — When you find parallel user/password lists, pair them by line number. 3....

EasyPublished 2025-12-16Sanitized local writeup

Scenario

Crocodile attack path

FTP Anonymous Access → Credential Lists → Web Admin Login → proof 1. Anonymous FTP is a goldmine — Always check for anonymous access and download everything. 2. Positional pairing — When you find parallel user/credential lists, pair them by line number. 3....

Objective

Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.

Crocodile sanitized attack graph

Walkthrough flow

01

FTP anonymous = credential list download

02

Web login at /login.php

03

Users line up with (positional): admin =...

04

Attack path: FTP anon → creds → web login → proof

Source coverage

Moderate source coverage

Status: partial. This article is generated from 2 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

52% coverage
Evidence verdict

Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.

  • <TARGET>-Crocodile/walkthrough.md
  • HTB/<TARGET>-Crocodile/notes.md

Technical Walkthrough

Crocodile — Walkthrough

Machine Info

FieldValue
NameCrocodile
IP<TARGET>
OSLinux
DifficultyEasy (Starting Point)
ServicesFTP (21), HTTP (80)

Attack Chain Summary

FTP Anonymous Access → Credential Lists → Web Admin Login → Flag

Lessons Learned

  1. Anonymous FTP is a goldmine — Always check for anonymous access and download everything.
  2. Positional pairing — When you find parallel user/password lists, pair them by line number.
  3. Credential reuse — Always try discovered credentials against all auth surfaces (web, SSH, etc.).
  4. Easy boxes follow patterns — Two-service combo (info leak + auth target) is the classic Starting Point formula.

Time to Solve

~5 minutes (automated), estimated manual: 10-15 minutes.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Target IP: <TARGET>
  • Attacker VPN IP: <TARGET>
  • Pwnbox: x08@<TARGET>
  • Difficulty: Easy
  • OS: Linux
  • Started: 2026-05-05
  • Completed: 2026-05-05

Hypothesis (Confirmed)

FTP anonymous access leaks credential lists, use them on web login page.

Phase 0: Setup

  • [x] Pwnbox SSH connectivity -- OK
  • [x] Target reachability -- OK (TTL=63, Linux confirmed)

Phase 1: Recon

Open Ports

PortServiceVersion
21FTPvsftpd 3.0.3 (anonymous login allowed)
80HTTPApache 2.4.41 (Ubuntu)

FTP Findings

  • Anonymous login allowed
  • Files: allowed.userlist, allowed.userlist.passwd
  • Users: aron, pwnmeow, egotisticalsw, admin
  • <password redacted>: root, <password redacted>, @BaASD&9032123sADS, rKXM59ESxesUFHAd

HTTP Findings

  • Bootstrap business template ("Smash")
  • /login.php — PHP login form (fields: Username, Password)
  • /dashboard/ — admin dashboard (post-auth)
  • /config.php — empty (0 bytes)
  • /logout.php — redirects to login.php

Phase 3: Synthesis

  1. FTP anonymous = credential list download
  2. Web login at /login.php
  3. Users line up with <password redacted> (positional): admin = rKXM59ESxesUFHAd
  4. Attack path: FTP anon → creds → web login → flag

Phase 4: Foothold

  • Credential: admin:rKXM59ESxesUFHAd
  • POST to /login.php → 302 redirect to /dashboard/index.php
  • Flag displayed on dashboard page

Flag

text
<hash redacted>

Command Log

bash
# Nmap initial
nmap -sC -sV -oN /tmp/crocodile-initial <TARGET>

# Nmap full TCP
nmap -p<redacted> --min-rate 5000 -oN /tmp/crocodile-allports <TARGET>

# FTP anonymous download
ftp -n <TARGET> (user anonymous, get files)

# Gobuster
gobuster dir -u http://<TARGET>/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,txt -t 30

# Login attempt (winning)
curl -s -c /tmp/cookies -L -d 'Username=admin&Password: <redacted>' http://<TARGET>/login.php

Related insights

MachinesArchetype Walkthrough - HTB Starting PointMachinesBaseMachinesBase