Hello! Everyone and Welcome to yet another
CTF challenge from Hack the Box, called ‘Luke,’ which is available online for
those who want to increase their skills in penetration testing and Black box
testing. Luke is a retired vulnerable lab presented by Hack the Box for making
online penetration testing practice suitable to your experience level; they
have a large collection of vulnerable labs as challenges ranging from beginner
to expert level.
Level: Easy
Task: Find user.txt and root.txt in the
victim’s machine
Penetration Methodologies
Scanning
Nmap
Enumeration
Logging
in FTP as anonymous
Browsing HTTP service
Directory Scanning using Dirsearch
Exploitation
Extracting Authentication token using curl
Extracting User information using curl
Extracting Password using curl
Privilege Escalation
Logging in Ajenti Panel
Capturing the flag
Walkthrough
Network Scanning
Let’s get started then!
Since these labs have a static IP, the IP
address for Luke is 10.10.10.137. Let us scan the VM with the most popular port
scanning tool, nmap.
nmap -A 10.10.10.137
From the result above we found five working
ports on the VM, port 21, 22, 80, 3000, 8000.
Here, we can saw that FTP allow anonymous
login. So, we check it.
ftp 10.10.10.137
ftp> ls
ftp> cd webapp
ftp> ls
ftp> get for_Chihiro.txt
Through FTP login we found a for_Chihiro.txt file, where Chihiro or
Derry might be usernames.
cat for_Chihiro.txt
We found that the HTTP service runs on port
80, from nmap results. So, we browse the IP address of Target in the browser.
We found a simple HTML page.
We also started a Directory Bruteforce in
order to enumerate the machine further. This gave us some directories and files
namely config.php, management etc.
./dirsearch.py -u http://10.10.10.137 -e
php -x 400, 403, 404
We enumerated all of them. Among which config.php
gave us some database credentials as shown in the image below.
We tried credentials on 10.10.10.137/management.
But it gave back an unauthorized error. We will come back to it again.
Back to our nmap scan, we found that a
Nodejs service running on port 3000. On browsing the IP Address with 3000 port,
we got a message that says that auth token is not supplied.
We further did a Directory Bruteforce on
port 3000. We found pages named /login and /users.
./dirsearch.py -u http://10.10.10.137:3000
-e php -x 400, 403, 404
After a bit of research, we can use curl
command to authenticate JWT token. For more you can read this article from here.
The trick part here is the username is
admin and not root which we guessed.
So, the curl command with the admin as
username and password we got earlier.
curl --header "Content-Type:
application/json" --request POST --data
'{"username":"admin",
"password":"Zk6heYCyv6ZE9Xcg"}'
http://10.10.10.137:3000/login
This gave us the auth token.
We enumerated usernames using the curl
command with the help of the Authentication token we found earlier. This gave
use users information as shown in the image given below.
curl -X GET -H 'Authorization: Bearer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9.h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310'
http://10.10.10.137:3000/users
We enumerated all users using the curl
command. This gave use password for those users as shown in the image given
below.
curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9.h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310’
http://10.10.10.137:3000/users/Derry
We logged in the management page
successfully using the credentials of user Derry.
User Name: Derry
Password rZ86wwLvx7jUxtch
After logging in we found a files named
config.json, config.php and login.php. We enumerated all these files among
which config.json seemed intresting.
The config.json file had some information
related to ‘ajenti’ service running on port 8000 and a password.
We browsed the IP Address with the port
8000, It gave us another login form. We used the following credentials into the
form. This successfully gave us the ajenti panel as shown in the image given
below:
Username: root
Password: KpMasng655EtTy9Z
After Enumerating a bit, we saw the option
to open terminal. On opening the terminal, we checked the user and group
details using id command. It is root shell. Here we enumerated the shell for user
and root flags.
Author: Prabhjot Dunglay is a Cyber Security Enthusiast with 2 years of experience in Penetration
Testing at Hacking Articles. Contact here.