HackTheBox Writeup — Luke

Hello Guys , I am Faisal Husaini. My username on HTB is “faisalelino” .

The IP of this box is 10.10.10.137

This box is created by my brother Hades and it was an amazing box :)

Using the Port Scan tip from Arrexel through masscan , we get 5 ports open , so we now run NMAP against them

masscan

Running NMAP on the open ports , we get

nmap

We see that we have 1 ftp services running , 1 ssh service and 3 http services

As we saw from the port scan that Port 21 is open and also from the NMAP scan that Anonymous Login is allowed , so lets connect to FTP using anonymous login

ftp

We see that there is only one directory inside it named as webapp so lets enter it and see the contents

getting files from ftp

We see that it has one txt file , so we downloaded it to our local machine and let’s see the contents

It had some message , but it didnt helped me for now atleast

So as we didn’t get any much information from the FTP , so we now move on to the web part as we had 3 http services running on different ports

Checking the Port 80 one first , we get

Its a page created on Bootstrap 4

Running Gobuster on the webpage , we get

Sadly , we didnt got anything interesting on these , so I ran Nikto on the website and got

We see it says there is a config.php file that contains IDs and passwords , so let’s access it

As there is a config.php there might be login.php file too

We guessed it right , it surely has , so I tried login through the credentials I got , but it failed

As you can see we get an error message of incorrect credentials , I tried putting “admin” too instead of “root” , but it didnt worked here , let’s try the other port on which web service is running

We move on to the Port 8000 which was running web service

We get Ajenti login page , we try the same credentials as we tried on config.php

We got Invalid login error prompt , now we are left with the Port 3000 which was also running Node.js Framework

We get a message that “Auth token is not supplied” , running a Gobuster against it , we get

We get only two types of directories , one for login and one for users

Try to Access the Login one , we get

It says “please auth” , as Node.js uses JWT for authentications , so we will use Curl to get the Auth Token and then pass it to the query since we have the credentials we got

curl — header “Content-Type: application/json” — request POST — data ‘{“password”:”Zk6heYCyv6ZE9Xcg”, “username”:”root”}’ http://10.10.10.137:3000/login

We get a forbidden reply message when we tried with username root , let’s try with username admin

We got Authenticated Successfully and got the Auth Token which we can set now , we will use curl command for the same

curl -X GET -H ‘Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1NjIwNDg3LCJleHAiOjE1NjU3MDY4ODd9.3XxUHvlIUExE69TWnwu5hs-P_oO3LVeqMYKj10hnRmU’ http://10.10.10.137:3000

We see that we got a “Welcome admin!” message

Since from the gobuster scan against this target , we got /users and /Users , so let’s try the token on that

Curl Requests for Getting Users by Auth Token

We get 4 IDs with different name , roles. Since Admin is the superuser here , let’s try to get the details of that

Credentials for Admin

Upon Looking for more , we get 2 more details for username and password

Rest of the Credentials

We got 4 credentials , since the user Derry was Web-Admin , let’s try it on the login pages we got , i.e /management , /login.php and the Ajenti login page on port 8000

Upon trying on the /management directory

10.10.10.137/management

We get 3 files listed on it , login.php , config.php and config.json

Checking the config.json file , we see

config.json

We see that it contains the details for the Ajenti service running on the machine and also it has the credentials for it as root and the password given , so we try to Login to Ajenti using these credentials

Ajenti Dashboard

We got connected successfully , now let’s see what we can escalate from here

Users Tab

Upon looking futher , we see that there is a portion for users , and also we can set the passwords , since derry is a legit user here , so I set his password as “faisal” and then try to login through SSH

We got connected successfully , let’s move on to getting the user flag

The user flag was located in the same place where we were spawned after connecting to SSH

For privelege escalation , we didnt had to do anything , but just go to the /root directory and access the root flag , really no privelege escalation here , just a troll so that you can scratch your head off finding the way xD ;_____;

So that’s the box , I really learned about many things after solving this box and it was a complete mind fresher for me and my skills. Thanks alot to my brother Hades for such an amazing box :)

Reference

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store