HTB Starting Point — Crocodile

Box info
OS: Ubuntu (vsftpd 3.0.3 / Apache 2.4.41) | Difficulty: Very Easy | Tier: 1 | Status: Starting Point

Skills: FTP enumeration, web directory discovery, credential stuffing, HTTP form brute-force
Pwned: 2026-04-28

TL;DR

Crocodile is a Tier 1 box that chains two services together: FTP and HTTP. A port scan finds both 21 and 80. Anonymous FTP login downloads two files — allowed.userlist and allowed.userlist.passwd — containing four usernames and four matching passwords in plaintext. The web server at port 80 runs an Apache 2.4.41 site with a login.php page. Trying all 16 username/password combinations against the login form reveals that admin:rKXM59ESxesUFHAd works. The dashboard at /dashboard displays the flag. This is credential stuffing applied to a small credential set — exactly the workflow used against real credential leaks. ...

April 28, 2026 · 7 min · crAIzy