HackTheBox Writeup — Luke
Hello guys, I am Faisal Husaini. My username on HTB is “faisalelino”.
The IP of this box is 10.10.10.137.
This box was created by my brother Hades, and it was an amazing box :)
Port Scan
Using Arrexel's port scan tip (a fast masscan sweep of the full port range first, then nmap only against the ports masscan reports), we get 5 open ports, so we now run nmap against them.
Running nmap on the open ports, we get
We see that there is 1 FTP service, 1 SSH service and 3 HTTP services running.
FTP
As we saw from the port scan, port 21 is open, and the nmap scan also showed that anonymous login is allowed, so let's connect to FTP using anonymous login.
We see that there is only one directory inside, named webapp, so let's enter it and see the contents.
We see that it has one txt file, so we download it to our local machine and look at the contents.
It had some message, but it didn't help me, at least for now.
HTTP
As we didn't get much information from the FTP, we now move on to the web part, since we had 3 HTTP services running on different ports.
Checking the port 80 one first, we get
It's a page built on Bootstrap 4.
Running Gobuster on the webpage, we get
Sadly, we didn't get anything interesting from these, so I ran Nikto on the website and got
We see it says there is a config.php file that may contain IDs and passwords, so let's access it. Normally a PHP config file is executed server-side and prints nothing back, so the fact that we get credentials out of it means the file echoes them in its output.
As there is a config.php, there might be a login.php file too.
We guessed it right, it surely has one, so I tried logging in with the credentials I got, but it failed.
As you can see, we get an error message about incorrect credentials. I tried putting “admin” instead of “root” too, but it didn't work here, so let's try the other port on which a web service is running.
We move on to port 8000, which was running a web service.
We get the Ajenti login page, and we try the same credentials we found in config.php.
We got an “Invalid login” error prompt, so now we are left with port 3000, which was running a Node.js framework.
We get a message that “Auth token is not supplied”. Running Gobuster against it, we get
We get only two kinds of directories, one for login and one for users.
Trying to access the login one, we get
It says “please auth”. The “Auth token is not supplied” message is typical of a Node.js API that authenticates with JWT bearer tokens, so we will use curl to POST the credentials we have to /login, get the auth token back, and then pass it in the Authorization header of the other requests:
curl --header "Content-Type: application/json" --request POST --data '{"password":"Zk6heYCyv6ZE9Xcg", "username":"root"}' http://10.10.10.137:3000/login
We get a forbidden reply when we try with username root, so let's try with username admin.
We got authenticated successfully and received the auth token, which we can now send as a Bearer token in the Authorization header. We use curl again for that:
curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1NjIwNDg3LCJleHAiOjE1NjU3MDY4ODd9.3XxUHvlIUExE69TWnwu5hs-P_oO3LVeqMYKj10hnRmU' http://10.10.10.137:3000
We see that we get a “Welcome admin!” message.
Since the Gobuster scan against this target found /users and /Users, let's try the token on those.
We get 4 IDs with different names and roles. Since admin is the superuser here, let's try to get the details of that user.
Looking further at each user's entry, we get two more fields: username and password.
We now have 4 sets of credentials. Since the user Derry is the web admin, let's try his credentials on the login pages we found, i.e. /management, /login.php and the Ajenti login page on port 8000.
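The same port-3000 flow done in Python, as an added example that is not part of the original writeup: it posts the JSON login body exactly as the curl command above does, pulls the JWT out of the response, and decodes the token's header and payload (without verifying the signature, which is all we need for recon) to show the algorithm, the username claim and how long the token stays valid. The writeup never shows the JSON shape of the /login reply, so the key name holding the token is not assumed; instead the response is walked and the first string with a JWT shape (three base64url segments) is taken. The decoding part runs offline on the admin token printed in the writeup; the live part at the bottom needs the HTB VPN.

```python
"""Added example (not from the original writeup): reproduce the
port-3000 login flow in Python and inspect the JWT it returns.

Assumption (not confirmed by the page): /login answers with JSON that
contains the token as a string value somewhere; the key name is unknown,
so the token is located by shape rather than by key.
"""
import base64
import json
import re
import urllib.request
from datetime import datetime, timezone

# Three base64url segments separated by dots: the shape of a compact JWS.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")

# The admin token shown in the writeup above (returned by /login on port 3000).
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1NjIwNDg3LCJleHAiOjE1NjU3MDY4ODd9."
    "3XxUHvlIUExE69TWnwu5hs-P_oO3LVeqMYKj10hnRmU"
)


def b64url_decode(segment):
    """Decode one base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt(token):
    """Parse header and payload WITHOUT checking the signature.

    This is a recon step only: we want alg, claims and lifetime. Nothing
    here proves the token is genuine, so never trust an unverified payload
    on the server side.
    """
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    info = {
        "header": header,
        "payload": payload,
        # 32 bytes here means an HMAC-SHA256 tag, matching alg HS256.
        "signature_len": len(b64url_decode(signature_b64)),
        "lifetime_seconds": None,
        "exp_utc": None,
    }
    if "iat" in payload and "exp" in payload:
        info["lifetime_seconds"] = payload["exp"] - payload["iat"]
        info["exp_utc"] = datetime.fromtimestamp(
            payload["exp"], tz=timezone.utc).isoformat()
    return info


def find_token(obj):
    """Walk a decoded JSON response and return the first JWT-shaped string."""
    if isinstance(obj, str):
        return obj if JWT_RE.match(obj) else None
    if isinstance(obj, dict):
        obj = list(obj.values())
    if isinstance(obj, list):
        for item in obj:
            found = find_token(item)
            if found:
                return found
    return None


def login(base_url, username, password):
    """POST the JSON body the same way the curl command in the writeup does."""
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(
        f"{base_url}/login", data=body, method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        data = json.loads(resp.read().decode())
    token = find_token(data)
    if token is None:
        raise RuntimeError(f"no JWT found in login response: {data!r}")
    return token


def get_with_bearer(base_url, path, token):
    """GET a path with 'Authorization: Bearer <token>', as the second curl does."""
    req = urllib.request.Request(
        f"{base_url}{path}", headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline part: what the token from the writeup actually says.
    print(json.dumps(decode_jwt(PAGE_TOKEN), indent=2))
    # Live part (needs the HTB VPN): username admin, since root was refused.
    base = "http://10.10.10.137:3000"
    tok = login(base, "admin", "Zk6heYCyv6ZE9Xcg")
    print(decode_jwt(tok)["payload"])
    for path in ("/", "/users"):
        print(path, get_with_bearer(base, path, tok))
```

Decoding the page's token shows alg HS256, a 32-byte signature, the claim username=admin and a 24-hour lifetime (exp minus iat is 86400), which is why the same token kept working for the /users requests that follow.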
Trying them on the /management directory, we get in.
We get 3 files listed in it: login.php, config.php and config.json.
Checking the config.json file, we see
It contains the configuration of the Ajenti service running on the machine, including its credentials: the user root and the password given there. So we try to log in to Ajenti using these credentials.
We got in successfully, so now let's see what we can escalate from here.
Looking further, we see that there is a section for users, and that we can set their passwords. Since derry is a legitimate user on the system, I set his password to “faisal” and then tried to log in through SSH.
We got connected successfully, so let's move on to getting the user flag.
The user flag was located in the home directory we landed in after connecting over SSH.
Privilege Escalation
For privilege escalation, we didn't have to do anything: just go to the /root directory and read the root flag. There is really no privilege escalation here, just a troll so that you scratch your head off looking for the way xD ;_____;
So that's the box. I really learned many things while solving it, and it was a complete mind refresher for me and my skills. Thanks a lot to my brother Hades for such an amazing box :)