HTB Labs — Tier 1 — “Crocodile” Machine Walkthrough | By: CyberAlp0

Hey Folks, this is CyberAlp0. Welcome to a new walkthrough powered by HTB, Tier 1, named “Crocodile”. The Crocodile machine is designed to introduce fundamental concepts of service misconfiguration and cross-service enumeration. It focuses on identifying and exploiting insecure FTP and web service configurations, demonstrating how information leaked by one service can be leveraged to compromise another.
Executive Summary
Here is an executive summary of the steps we will follow:
Stage I: Scanning
Initial reconnaissance identified multiple externally exposed services. Network scanning revealed two primary open ports: FTP on port 21 and HTTP on port 80. Service fingerprinting confirmed the presence of vsftpd 3.0.3 and Apache HTTP Server 2.4.41, indicating a Linux-based target hosting both file transfer and web services. The exposed FTP service suggested a potential misconfiguration worth further investigation.
Stage II: Enumeration
Enumeration of the FTP service confirmed that anonymous authentication was enabled, allowing unauthenticated access to the server. Once logged in, accessible files were listed and downloaded, including a file named allowed.userlist, which contained multiple usernames. Among them was a higher-privilege–sounding account, admin, indicating a likely reuse of credentials across services.
Parallel web enumeration against the HTTP service using directory brute-forcing identified several hidden PHP files. Notably, a login.php endpoint was discovered, exposing an authentication interface and expanding the attack surface. This phase established a clear link between the information leaked via FTP and the web authentication mechanism.
Stage III: Exploiting
Exploitation was achieved by leveraging the credentials obtained during enumeration. The admin username identified from the FTP-accessible file was successfully used to authenticate against the web application’s login portal. Upon successful authentication, unrestricted access to the application was granted, directly revealing the root flag.
Let’s not waste more time on the introduction and begin hacking in detail!
Step 1: Connecting to the Starting Point Labs Servers.
To attack the target machine, you have to be on the same network. You can read my blog which will guide you step-by-step into connecting to the target machine.
Step 2: Spawning the Machine and Starting to Solve the Tasks.
Task 1: What Nmap scanning switch employs the use of default scripts during a scan?
Answer: -sC
Walkthrough:
We will use Nmap to scan the target machine and identify its open ports. We can either run Nmap the traditional way, specifying the flags we want it to use ourselves, or use an automated tool that runs Nmap with a predefined set of scan types.
This automated tool is called “Nmap Automator”. You may download it through the following link.
I will use this tool to run a full scan on the target’s IP. The tool will use all the possible options and flags that are pre-identified by Nmap to come up with the ultimate scan results.
The usage of the tool is very easy, and you can find out more about it in the description section on GitHub. To perform a full scan, write the following command:
bash nmapAutomator.sh --host 10.129.2.54 --type all
Upon the Nmap scanning, it shows the following:
- A service called “FTP” is running through port 21.
- A service called “httpd” is running through port 80.
Task 2: What service version is found to be running on port 21?
Answer: vsftpd 3.0.3
Walkthrough:
According to the previous screenshot taken from the scan, the version of the FTP service is “vsftpd 3.0.3”.
Task 3: What FTP code is returned to us for the “Anonymous FTP login allowed” message?
Answer: 230
Walkthrough:
Since an FTP service is running on port 21, we will try to connect using an anonymous login with the following command:
ftp -p anonymous@10.129.1.15
We have covered a machine in TIER 0 — Starting Point Phase — called “FAWN”, and another machine in TIER 0 — Starting Point Phase — called “FUNNEL”. These machines give a better overview of how you can exploit the FTP protocol. I strongly recommend checking those blogs.
As per the previous screenshot, it appears that the response code is 230.
Task 4: After connecting to the FTP server using the ftp client, what username do we provide when prompted to log in anonymously?
Answer: anonymous
Walkthrough:
To log in to the FTP server anonymously, we attempt to log in using the username “anonymous”, as shown in the previous screenshot.
Task 5: After connecting to the FTP server anonymously, what command can we use to download the files we find on the FTP server?
Answer: get
Walkthrough:
Navigating in an FTP client is very similar to navigating a file system. We can show the current path using the “pwd” command and list the content of directories using the “ls” command. We can download any file using the “get” command.

Task 6: What is one of the higher-privilege sounding usernames in ‘allowed.userlist’ that we download from the FTP server?
Answer: admin
Walkthrough:
Looking at the files downloaded from the FTP server and viewing the content of the file named “allowed.userlist”, it appears that the higher-privilege-sounding username in the list is “admin”.
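The FTP steps from Tasks 3 to 6 (anonymous login, reading the 230 reply code, and picking out privileged-looking names from allowed.userlist) as an added Python example; this is not code from the original walkthrough, the target host is an assumption, and the user list below is a constructed sample:

```python
import ftplib
import re

# Keywords that make a username look privileged (assumed list, not from the page).
PRIVILEGED_HINTS = ("admin", "root", "sysadmin", "administrator", "superuser")


def parse_ftp_reply(line):
    """Split an FTP reply such as '230 Login successful.' into (code, text).

    RFC 959 replies start with a three-digit code; a 230 answering the
    USER/PASS exchange is what confirms that anonymous access is allowed.
    """
    m = re.match(r"^(\d{3})[ -](.*)$", line.strip())
    if not m:
        raise ValueError(f"not an FTP reply: {line!r}")
    return int(m.group(1)), m.group(2)


def check_anonymous_ftp(host, timeout=5.0):
    """Attempt an anonymous login (network call; host is an assumption).

    Returns the reply code plus, when access was granted, the listing of the
    anonymous root so the exposure can be triaged. A 530 refusal is reported
    rather than raised.
    """
    ftp = ftplib.FTP()
    ftp.connect(host, 21, timeout=timeout)
    try:
        reply = ftp.login("anonymous", "anonymous@example.com")  # server reply line
        code, _ = parse_ftp_reply(reply)
        return {"allowed": True, "code": code, "files": ftp.nlst()}
    except ftplib.error_perm as exc:  # e.g. "530 Login incorrect."
        code, _ = parse_ftp_reply(str(exc))
        return {"allowed": False, "code": code, "files": []}
    finally:
        ftp.close()


def privileged_usernames(userlist):
    """Return names from an allowed.userlist-style file that look privileged."""
    names = [n.strip() for n in userlist.splitlines() if n.strip()]
    return [n for n in names if any(h in n.lower() for h in PRIVILEGED_HINTS)]


# Constructed sample standing in for a downloaded allowed.userlist.
SAMPLE_USERLIST = "alice\nbob\nadmin\nwebdev\n"
```

Calling check_anonymous_ftp("10.129.1.15") against the lab box would return allowed=True with code 230 and the listing that contains allowed.userlist.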

Task 7: What version of Apache HTTP Server is running on the target host?
Answer: 2.4.41
Walkthrough:
As per the scan performed in the first step, the version of the “HTTP” service is 2.4.41.

Task 8: What switch can we use with Gobuster to specify we are looking for specific file types?
Answer: -x
Walkthrough:
Gobuster is a directory and file brute-forcing tool used in web enumeration. It helps you find hidden directories (e.g. /admin, /backup), hidden files (e.g. login.php, config.php), content not linked from the website, and misconfigured or forgotten web resources. This information is often used to find login pages, locate sensitive files, and identify attack surfaces for further exploitation.
The switch “-x” enumerates files with specific extensions, and it is commonly used with the “dir” mode in Gobuster. Here is the command that will be used:
gobuster dir -u 10.129.1.15 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
Also, here is a breakdown of the command that is used:
- dir: run Gobuster in directory/file enumeration mode.
- -u 10.129.1.15: the target URL to enumerate.
- -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt: the wordlist of directory and file names to try.
- -x php: also request each word with the .php extension appended.

Task 9: Which PHP file can we identify with directory brute force that will provide the opportunity to authenticate to the web service?
Answer: login.php
Walkthrough:
As per the results produced by the Gobuster scan, you will notice that various PHP files were found. Among these PHP files, there is one that gives us the chance to authenticate to the web service, which is “login.php”.
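A defender-side counterpart to the Gobuster run above, added here and not part of the original walkthrough: it parses Apache combined-format access log lines and flags any client that produces a burst of 404s (the signature of a directory/file brute force) inside a sliding time window. The log lines are constructed samples and the threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforcers(lines, threshold=20, window_s=60):
    """Return {ip: total_404s} for clients with >= threshold 404s in any window_s span."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_ip[rec["ip"]].append(rec["ts"])
    hits = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(stamps)
                break
    return hits


# Constructed sample: one client probing for .php files once per second, plus one
# ordinary request. The "gobuster/3.6" user agent is part of the constructed data.
WORDS = ["index", "admin", "backup", "test", "config", "login", "old", "db"] * 3
SAMPLE_LOG = [
    f'10.10.14.7 - - [05/Mar/2024:10:00:{i:02d} +0000] "GET /{w}.php HTTP/1.1" 404 196 "-" "gobuster/3.6"'
    for i, w in enumerate(WORDS)
] + ['10.10.14.9 - - [05/Mar/2024:10:00:05 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"']
```

Running find_bruteforcers(SAMPLE_LOG) reports only 10.10.14.7; tune threshold and window_s to the site's normal 404 rate before alerting on it.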

Task 10: Submit The Root Flag
Answer: c7110277ac44d78b6a9fff2232434d16
Walkthrough:
As per the previous task, we will find that there is a login page that allows us to authenticate with the web service. So, once we type in the browser the following URL: http://10.129.1.15/login.php, we will be redirected to the following web page that asks us to enter the username and the password.
As per task no 6, we will login using the admin credentials, where:
- Username: admin
- Password: rKXM59ESxesUFHAd
When using these credentials to log in, you will find the following web page, which reveals the flag.
Hope you enjoyed reading my blog about solving the “Crocodile” machine from HTB — Tier 1 — Starting Point Phase.
See you in another write-up!


