Luke | Hackthebox write up

Featured image

Brought to you by

Spenge @hackthebox.eu

@SpengeSec on twitter

Start by editing /etc/hosts

Like always we add the IP(10.10.10.137) of the box to our hosts file as luke.htb hosts

NMAP ~ Enumeration

To begin enumerating i start off with a nmap scan on the target. I’ve gotten a bash script that automates scanning, which comes in very handy if you’re taking the OSCP exam. In all the write ups ill be using this script. But a nmap -p- - sT -sV -sC -oN initial-scan luke.htb, gobuster & nikito will be sufficient too.

nmap

Full output: https://ghostbin.com/paste/n65ex

There is a lot of output to go trough: Open ports: 21 ~ FTP 22 ~ SSH 80 ~ Http 3000 ~ Node js 8000 ~ Ajenti panel Lots of directories found: 80: /.hta (Status: 403) /.hta.html (Status: 403) /.hta.php (Status: 403) /.htaccess (Status: 403) /.htaccess.html (Status: 403) /.htaccess.php (Status: 403) /.htpasswd (Status: 403) /.htpasswd.html (Status: 403) /.htpasswd.php (Status: 403) /cgi-bin/.html (Status: 403) /config.php (Status: 200) X /css (Status: 301) /index.html (Status: 200) /index.html (Status: 200) /js (Status: 301)

/LICENSE (Status: 200) /login.php (Status: 200) /member (Status: 301) /vendor (Status: 301) 3000: /login (Status: 200) /Login (Status: 200) /users (Status: 200) Anonymous FTP Login : Checked that out, only with the following result:

nmap As we can see from the gobuster, there is an interesting file responding with 200 OK code, config.php! When loading up this page in the browser we are greeted with the following: nmap

Now we have a login and password, but what can we use this for..? We know there possibly are the following users called Derry, Chihiro and root. I tried a combination of these logins on all the possible login panels, :8000(ajenti), :80/login.php, FTP without success. When i checked out the :3000 we knew from gobuster there is a /Login and /login. This greeted us with the message “Please auth” So we have to figure out what this is, and how authentication works!

Port 3000 ~ Node.js ~ JWT!

After the previous step, i began to research on google and typed in the following keywords “ Port 3000 node.js Please Auth”. This was the second link on google: https://medium.com/quick-code/handling-authentication-and-authorization-with-node-7f9548fedde8 As we can read, node.js seems to make use of JWT(?), and JWT uses an authentication token… How do we create an auth token? I began researching JWT Authentication on port 3000 on google.

I typed the keywords “ Adding jwt authentication port 3000 ” in google and found the following: https://medium.com/dev-bits/a-guide-for-adding-jwt-token-based-authentication-to-your-single-page-nodejs-applications-c403f7cf04f4

As i read the entire thing, i realised they explained exactly how to generate an auth token! We had a username and password from the config.php so lets begin! By typing in terminal: curl –header “Content-Type: application/json” –request POST –data ‘{“password”:”Zk6heYCyv6ZE9Xcg”, “username”:”root”}’ http://luke.htb:3000/login

I was greeted with “forbidden” indicating the login info was invalid, so i tried the different username combinations, without success. I then re-read the article, and saw they used the username admin, and so did i: nmap

In the article they use this token to add a bearer, i did the same by using the following curl command: curl -X GET -H ‘Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTU NjQ4MzYwLCJleHAiOjE1NTk3MzQ3NjB9.NV4Nz0SUFq2m4XygUm3jzSW1JMMCbZRfikY W5iPj9zM’ http://luke.htb:

Without success! So what was wrong?? I knew the directory /users existed from gobuster and tried that: nmap

Getting somewhere

We now knew the existing users, with their rank. I began poking around trying to find information, and we knew there was a /users so i tried : /users/Admin and was greeted with: nmap Jackpot! Admin password!

So lets begin with retrieving every user:pass as its a good practice:

“Admin”,”password”:”WX5b7)>/rp$U)FW” -> Superuser “Derry”,”password”:”rZ86wwLvx7jUxtch” -> Web-Admin “Yuri”,”password”:”bet@tester87′′ -> Beta Tester “Dory”,”password”:”5y:!xa=ybfe)/QD” -> Supporter

We can now go and try these on every possible login panel

After being stuck here for a while and being unable to log in anywhere, i decided to run a dirb. This found : nmap

And i realized that gobuster by default doesn’t take 401 responses as a valid response, we have to define it with -s 401…

Management Page

As we found by running dirbuster, we go to http://luke.htb:80/management and are greeted with a username:password input field.

I tried logging in as ‘Admin’ with no success, and then continued down the list and tried ‘Derry’. I managed to log as Derry:rZ86wwLvx7jUxtch After logging in we see the following: nmap

I checked the config.json and immediately noticed some useful information. nmap

We can see there is a username ‘root’ and password defined: KpMasng6S5EtTy9Z We can also see that this is for Ajenti, and Ajenti runs on :8000 with the following shell: “{\”shell\”: \”sh -c $SHELL || sh\”}” So lets proceed by logging in to Ajenti webpanel with the retrieved username:password.

Ajenti

After logging in we are greeted with access to the Ajenti panel

We can see its running Ajenti 1.2.23.13 and that there is an option “File Manager” in the bottom left section. nmap

As you can see we are able to browse the root directory. Lets try to access /root and see what is inside.

We can see the root.txt, and view its contents by clicking it and pressing “edit”.

Do the same for the user.txt nmap