HTB Writeup - Luke

Luke is a Medium difficulty machine on hackthebox.eu


First Step: Nmap Scan of the Machine
nmap -n -v -Pn -p- -A --reason -oN LUKE-nmap.txt 10.10.10.137


Ubuntu, with a few things worth looking at
Primary areas of opportunity: FTP/21, HTTP/80, SMB/445
Interesting port: TCP/53
21/tcp   open  ftp     syn-ack ttl 63 vsftpd 3.0.3+ (ext.1)
22/tcp   open  ssh?    syn-ack ttl 63
80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
3000/tcp open  http    syn-ack ttl 63 Node.js Express framework
8000/tcp open  http    syn-ack ttl 63 Ajenti http control panel

I added a static entry to my /etc/hosts file:
10.10.10.137  luke.htb

Let's start with FTP. Logging in as anonymous, we're able to get in!

Literally the only file is one named for_Chihiro.txt, so let's grab it.

So we see that an apparent web developer named Derry is trying to encourage an aspiring web developer, and has opened up some of the source code for him.

Things we can take from this message:
  1. Potential Usernames
    1. Chihiro
    2. Derry
  2. Source that isn't usually exposed is

Next I'll poke at the web services. There are three web ports available: 80, 3000, and 8000.

Port 80


Did a quick bust and was able to find that the config.php page was exposed.

So I downloaded it directly:
wget http://luke.htb/config.php
So we now have some database credentials.

The credentials don't work for SSH, or for the login.php page of the port 80 dashboard. So I ran a more extensive buster in the background to try to find anything else, and I moved on to port 8000.

Port 8000
  Ajenti login of some kind. I wasn't able to enumerate anything interesting, so I pretty quickly moved on to port 3000.


Port 3000
  We got some JSON output, so an auth token is expected here.

Only one other page came up under gobuster, and it was /users.

gobuster -k -u http://luke.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt -x php -o port_80_bust_big.txt


I found a good article that broke down how to add the token to my request headers for a Node.js application.

Using this article I was able to get my token working here, and I can see all the users.


From here I was able to get the passwords for the users by browsing to their subdirectories (e.g. /users/Admin, /users/Dory).

I tried those logins with password lists (like rockyou.txt) overnight against SSH, and against the HTTP logins on ports 80 and 8000 alike. No dice.

It turns out gobuster doesn't display 401 responses with its default settings. I ran wfuzz instead and found a new subdirectory.
Note: this is because gobuster hides 401 responses by default, whereas with wfuzz I was hiding only 404 and 302 responses. The command is below.
wfuzz -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404,302 -t 50 http://luke.htb/FUZZ

This brings up a new place to try my logins, which is great!

I had a username txt file already, and I figured I could guess and check my way through this, but I had a script worked out to help me anyway. So I probably ended up taking the harder road here.

When logging in I could see (I was using Burp, of course) that the username and password were being encoded into a single string which looked like base64. That makes sense, as RFC 2617 requires Basic credentials to be sent as the base64 encoding of username:password.

I verified by decoding it via bash.
Note: the extra echo is a cheap way of getting a trailing newline so the output is cleaner.
echo <ENCODED-STRING> | base64 -d && echo ''



My username and password files just had a single entry per line: each of the possible usernames, with both a lowercase and a capitalised first letter.

I used PHP to write me a new file because it's what I'm familiar with. I'm sure there are far better scripts for this, but in case anyone is interested you can find it here.

We'll run the script, making sure the username.txt and passwords.txt files are in the same folder.

php conversion.php


head encodedcreds.txt

Verified the top of the file to make sure it's not all clumped onto a single line.

Began my fuzz and got a hit. 96 total possibilities, so maybe my way was quicker?

wfuzz -w encodedcreds.txt --hc 401 -t 20 -H $'Authorization: Basic FUZZ' http://luke.htb/management

Echoed out the response to get the combination that worked:
echo <ENCODED-STRING> | base64 -d && echo ''

Then confirmed it was successful on the management login.
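As an added defender-side example (not part of the original writeup): the Basic scheme fuzzed above is just the base64 of user:password per RFC 2617, and every wrong guess leaves a 401 in Apache's access log with the attempted username in the %u field. This Python snippet decodes a Basic header and flags source/path pairs that collect 401s quickly; the log lines, source IPs and usernames are constructed for the example.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format. The third field (%u) is the username the client
# supplied; Apache records it even when the response is a 401.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

def decode_basic(header_value):
    """Turn an RFC 2617 'Basic <b64>' value back into (user, password).
    Basic auth is encoded, not encrypted: anyone who can read the header
    (proxy, capture, log) recovers the credentials, hence the need for TLS."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_basic_bruteforce(lines, threshold=10, window_s=60):
    """Return {(ip, path): usernames_tried} for every source/path pair that
    produced at least `threshold` 401s inside any `window_s`-second span."""
    buckets = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] == "401":
            buckets[(rec["ip"], rec["path"])].append((rec["ts"], rec["user"]))
    hits = {}
    for key, events in buckets.items():
        events.sort()
        for i in range(len(events) - threshold + 1):
            if (events[i + threshold - 1][0] - events[i][0]).total_seconds() <= window_s:
                hits[key] = {u for _, u in events}
                break
    return hits

# Constructed sample: a fuzzer cycling usernames against /management at one request
# per second, plus one ordinary visitor that must not be flagged.
FUZZED_USERS = ["admin", "Admin", "derry", "Derry", "dory", "Dory",
                "chihiro", "Chihiro", "root", "Root", "admin", "root"]
SAMPLE_LOG = [
    f'10.10.14.5 - {u} [21/Jun/2019:10:00:{i:02d} +0000] '
    f'"GET /management HTTP/1.1" 401 381 "-" "Wfuzz/2.3"'
    for i, u in enumerate(FUZZED_USERS)
] + ['10.10.14.9 - - [21/Jun/2019:10:00:05 +0000] '
     '"GET /login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"']
```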

This was likely the most straightforward piece I saw. The username 'root' and its password are called out directly below:

I went back to Port 8000 and was able to login successfully.



You can go to Notepad in the left panel of Ajenti.

Select Open, and just get your flags for /user/derry/user.txt and /root/root.txt from here.

No privilege escalation or anything.




Dead Ends and Rabbit Holes
  • Incomplete Enumeration
    • After finding the usernames I wasted a night using them with password lists against SSH and the port 80/8000 web logins. If I had used my same token to HTTP GET http://luke.htb/users/Admin I would have saved a lot of time.
    • Also, the fact that gobuster doesn't list 401 pages by default is something new. I wish I had fuzzed right off the bat.
  • SSH
    • I tried using hydra with the logins I'd learned to get in via port 22. In the end the port wasn't even needed...


Categories: All, HackTheBox