2024-11-20
Crocodile - FTP Anonymous Login and Credential Disclosure
Technical writeup detailing the compromise of the Crocodile machine. Initial access is achieved by exploiting the Anonymous FTP login vulnerability on the vsFTPd 3.0.3 service (21/tcp) to disclose files containing credentials (allowed.userlist and allowed.userlist.passwd). Web enumeration via Gobuster reveals a hidden '/login.php' endpoint. The disclosed 'admin' credentials are used to access the web panel and retrieve the flag, completing the box.