# Hack The Box - Luke

## Quick Summary

Hey guys, today Luke retired and here’s my write-up about it. It was an easy machine; all you need to do is enumerate well and you’ll find what you need. It’s a FreeBSD box and its IP is 10.10.10.137, which I added to /etc/hosts as luke.htb. Let’s jump right in!

## Nmap

As always we will start with nmap to scan for open ports and services :

We have FTP on port 21, HTTP on ports 80, 3000 and 8000, and SSH. From the http-title we can see that there’s a node.js application on port 3000 and the Ajenti administration panel on port 8000. But before checking the web services, let’s take a look at FTP.

## FTP

Anonymous login was allowed. There was only one directory, called webapp, which had a text file called for_Chihiro.txt :

for_Chihiro.txt :

From this note we get two potential usernames : Chihiro and Derry.
Also, we now know that some source files can be found somewhere; let’s check out the web services.

## Web Enumeration, User and Root Flags

Nothing was really interesting, so I brute-forced directories and pages with wfuzz :

We got /management, /member, /login.php and /config.php. I checked config.php first :

Great, we got database credentials. I tried to SSH into the box with them, but it didn’t work.
/login.php :

The credentials didn’t work here either.
/management :

It uses HTTP basic authentication. I tried to log in, but again the credentials didn’t work.
/member was just empty :

On port 8000 there was Ajenti :

Ajenti: An admin’s tool for a more civilized age, providing you with a fast and secure way to manage a remote Linux box at any time using everyday tools like a web terminal, text editor, file manager and others. -ajenti.org

Ajenti provides a terminal, so if we could access Ajenti we would have a shell. However, the credentials didn’t work here either :

The only thing left is the node.js application, which uses JWT tokens for authentication :

I fuzzed the application to verify that the endpoint /login exists :

/login exists, and there’s also another endpoint called /users which can’t be accessed without authentication either :

I tried to log in with the credentials, but it failed :

So I tried the same username from the article (admin) instead of root and it worked :

Now we can access the application with our token :

/users returned a list of these users :

After trying different things, /users/username revealed more info about each user :

After trying these credentials everywhere, I could log in to /management as Derry :

These are the source files Derry was talking about in the note we got from the FTP server. In config.json I found some Ajenti settings, including the password for the user root :

Now we can start a terminal as root and get the flags :

And we owned root.
That’s it, feedback is appreciated!