Gor510
Eccentric Innovator
2
MONTHS
2 2 MONTHS OF SERVICE
LEVEL 1
400 XP
Hello! Everyone and Welcome to yet another CTF challenge from Hack the Box, called ‘Luke,’ which is available online for those who want to increase their skills in penetration testing and Black box testing. Luke is a retired vulnerable lab presented by Hack the Box for making online penetration testing practice suitable to your experience level; they have a large collection of vulnerable labs as challenges ranging from beginner to expert level.
Level: Easy
Task: Find user.txt and root.txt in the victim’s machine
Penetration Methodologies
Walkthrough
Network Scanning
Let’s get started then!
Since these labs have a static IP, the IP address for Luke is 10.10.10.137. Let us scan the VM with the most popular port scanning tool, nmap.
From the result above we found five working ports on the VM, port 21, 22, 80, 3000, 8000.
Here, we can saw that FTP allow anonymous login. So, we check it.
Through FTP login we found a for_Chihiro.txt file, where Chihiro or Derry might be usernames.
We found that the HTTP service runs on port 80, from nmap results. So, we browse the IP address of Target in the browser. We found a simple HTML page.
We also started a Directory Bruteforce in order to enumerate the machine further. This gave us some directories and files namely config.php, management etc.
We enumerated all of them. Among which config.php gave us some database credentials as shown in the image below.
We tried credentials on 10.10.10.137/management. But it gave back an unauthorized error. We will come back to it again.
Back to our nmap scan, we found that a Nodejs service running on port 3000. On browsing the IP Address with 3000 port, we got a message that says that auth token is not supplied.
We further did a Directory Bruteforce on port 3000. We found pages named /login and /users.
After a bit of research, we can use the curl command to authenticate JWT token. For more, you can read this article from here.
The tricky part here is the username is admin and not root which we guessed.
So, the curl command with the admin as username and password we got earlier.
This gave us the auth token.
We enumerated usernames using the curl command with the help of the Authentication token we found earlier. This gave the users information as shown in the image given below.
We enumerated all users using the curl command. This gave use password for those users as shown in the image given below.
We logged in the management page successfully using the credentials of user Derry.
User Name: Derry
Password: rZ86wwLvx7jUxtch
After logging in we found files named config.json, config.php and login.php. We enumerated all these files among which config.json seemed interesting.
The config.json file had some information related to ‘ajenti’ service running on port 8000 and a password.
We browsed the IP Address with the port 8000, It gave us another login form. We used the following credentials into the form. This successfully gave us the ajenti panel as shown in the image given below:
Username: root
Password: KpMasng655EtTy9Z
After Enumerating a bit, we saw the option to open terminal. On opening the terminal, we checked the user and group details using id command. It is a root shell. Here we enumerated the shell for the user and the root flags.
Author: Prabhjot Dunglay is a Cyber Security Enthusiast with 2 years of experience in Penetration Testing at Hacking Articles. Contact here.
Level: Easy
Task: Find user.txt and root.txt in the victim’s machine
Penetration Methodologies
- Scanning
- Nmap
- Enumeration
- Logging in FTP as anonymous
- Browsing HTTP service
- Directory Scanning using Dirsearch
- Exploitation
- Extracting Authentication token using curl
- Extracting User information using curl
- Extracting Password using curl
- Privilege Escalation
- Logging in Ajenti Panel
- Capturing the flag
Walkthrough
Network Scanning
Let’s get started then!
Since these labs have a static IP, the IP address for Luke is 10.10.10.137. Let us scan the VM with the most popular port scanning tool, nmap.
Code:
nmap -A 10.10.10.137From the result above we found five working ports on the VM, port 21, 22, 80, 3000, 8000.
Here, we can saw that FTP allow anonymous login. So, we check it.
Code:
ftp 10.10.10.137
ftp> ls
ftp> cd webapp
ftp> ls
ftp> get for_Chihiro.txtThrough FTP login we found a for_Chihiro.txt file, where Chihiro or Derry might be usernames.
Code:
cat for_Chihiro.txtWe found that the HTTP service runs on port 80, from nmap results. So, we browse the IP address of Target in the browser. We found a simple HTML page.
We also started a Directory Bruteforce in order to enumerate the machine further. This gave us some directories and files namely config.php, management etc.
Code:
./dirsearch.py -u http://10.10.10.137 -e php -x 400, 403, 404We enumerated all of them. Among which config.php gave us some database credentials as shown in the image below.
We tried credentials on 10.10.10.137/management. But it gave back an unauthorized error. We will come back to it again.
Back to our nmap scan, we found that a Nodejs service running on port 3000. On browsing the IP Address with 3000 port, we got a message that says that auth token is not supplied.
We further did a Directory Bruteforce on port 3000. We found pages named /login and /users.
Code:
./dirsearch.py -u http://10.10.10.137:3000 -e php -x 400, 403, 404After a bit of research, we can use the curl command to authenticate JWT token. For more, you can read this article from here.
The tricky part here is the username is admin and not root which we guessed.
So, the curl command with the admin as username and password we got earlier.
Code:
curl --header "Content-Type: application/json" --request POST --data '{"username":"admin", "password":"Zk6heYCyv6ZE9Xcg"}' http://10.10.10.137:3000/loginThis gave us the auth token.
We enumerated usernames using the curl command with the help of the Authentication token we found earlier. This gave the users information as shown in the image given below.
Code:
curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9.h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310' http://10.10.10.137:3000/usersWe enumerated all users using the curl command. This gave use password for those users as shown in the image given below.
Code:
curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9.h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310’ http://10.10.10.137:3000/users/DerryWe logged in the management page successfully using the credentials of user Derry.
User Name: Derry
Password: rZ86wwLvx7jUxtch
After logging in we found files named config.json, config.php and login.php. We enumerated all these files among which config.json seemed interesting.
The config.json file had some information related to ‘ajenti’ service running on port 8000 and a password.
We browsed the IP Address with the port 8000, It gave us another login form. We used the following credentials into the form. This successfully gave us the ajenti panel as shown in the image given below:
Username: root
Password: KpMasng655EtTy9Z
After Enumerating a bit, we saw the option to open terminal. On opening the terminal, we checked the user and group details using id command. It is a root shell. Here we enumerated the shell for the user and the root flags.
Author: Prabhjot Dunglay is a Cyber Security Enthusiast with 2 years of experience in Penetration Testing at Hacking Articles. Contact here.