Hello! Everyone and Welcome to yet another CTF challenge from Hack the Box, called ‘Luke,’ which is available online for those who want to increase their skills in penetration testing and Black box testing. Luke is a retired vulnerable lab presented by Hack the Box for making online penetration testing practice suitable to your experience level; they have a large collection of vulnerable labs as challenges ranging from beginner to expert level.

Level: Easy

Task: Find user.txt and root.txt in the victim’s machine

Penetration Methodologies

• Scanning
• • Nmap
• Enumeration
  •    Logging in FTP as anonymous
  •    Browsing HTTP service
  •    Directory Scanning using Dirsearch
• Exploitation
  •    Extracting Authentication token using curl   
  •    Extracting User information using curl
  •    Extracting Password using curl
• Privilege Escalation
  •    Logging in Ajenti Panel
• Capturing the flag

Walkthrough

Network Scanning

Let’s get started then!

Since these labs have a static IP, the IP address for Luke is 10.10.10.137. Let us scan the VM with the most popular port scanning tool, nmap.

nmap -A 10.10.10.137

From the result above we found five working ports on the VM, port 21, 22, 80, 3000, 8000.

Here, we can saw that FTP allow anonymous login. So, we check it.

ftp 10.10.10.137
ftp> ls
ftp> cd webapp
ftp> ls
ftp> get for_Chihiro.txt

Through FTP login we found a for_Chihiro.txt file, where Chihiro or Derry might be usernames.

cat for_Chihiro.txt

We found that the HTTP service runs on port 80, from nmap results. So, we browse the IP address of Target in the browser. We found a simple HTML page.

We also started a Directory Bruteforce in order to enumerate the machine further. This gave us some directories and files namely config.php, management etc.

./dirsearch.py -u http://10.10.10.137 -e php -x 400, 403, 404

We enumerated all of them. Among which config.php gave us some database credentials as shown in the image below.

We tried credentials on 10.10.10.137/management. But it gave back an unauthorized error. We will come back to it again.

Back to our nmap scan, we found that a Nodejs service running on port 3000. On browsing the IP Address with 3000 port, we got a message that says that auth token is not supplied.

We further did a Directory Bruteforce on port 3000. We found pages named /login and /users.

./dirsearch.py -u http://10.10.10.137:3000 -e php -x 400, 403, 404

After a bit of research, we can use the curl command to authenticate JWT token. For more, you can read this article from here.

The tricky part here is the username is admin and not root which we guessed.

So, the curl command with the admin as username and password we got earlier.

curl --header "Content-Type: application/json" --request POST --data '{"username":"admin", "password":"Zk6heYCyv6ZE9Xcg"}' http://10.10.10.137:3000/login

This gave us the auth token.

We enumerated usernames using the curl command with the help of the Authentication token we found earlier. This gave the users information as shown in the image given below.

curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9.h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310' http://10.10.10.137:3000/users

We enumerated all users using the curl command. This gave use password for those users as shown in the image given below.

curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9.h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310’ http://10.10.10.137:3000/users/Derry

We logged in the management page successfully using the credentials of user Derry.

User Name: Derry

Password: rZ86wwLvx7jUxtch

After logging in we found files named config.json, config.php and login.php. We enumerated all these files among which config.json seemed interesting.

The config.json file had some information related to ‘ajenti’ service running on port 8000 and a password.

We browsed the IP Address with the port 8000, It gave us another login form. We used the following credentials into the form. This successfully gave us the ajenti panel as shown in the image given below:

Username: root

Password: KpMasng655EtTy9Z

After Enumerating a bit, we saw the option to open terminal. On opening the terminal, we checked the user and group details using id command. It is a root shell. Here we enumerated the shell for the user and the root flags.

Author: Prabhjot Dunglay is a Cyber Security Enthusiast with 2 years of experience in Penetration Testing at Hacking Articles. Contact here.