
Hack the Box Luke Walkthrough


Hello everyone, and welcome to yet another CTF challenge from Hack the Box, called ‘Luke’, which is available online for those who want to improve their skills in penetration testing and black-box testing. Luke is a retired vulnerable lab presented by Hack the Box for online penetration testing practice suited to your experience level; they have a large collection of vulnerable labs as challenges ranging from beginner to expert level.
Level: Easy
Task: Find user.txt and root.txt in the victim’s machine
Penetration Methodologies
Scanning
    Nmap
Enumeration
    Logging in FTP as anonymous
    Browsing HTTP service
    Directory Scanning using Dirsearch
Exploitation
    Extracting Authentication token using curl   
    Extracting User information using curl
    Extracting Password using curl
Privilege Escalation
    Logging in Ajenti Panel
Capturing the flag
Walkthrough
Network Scanning
Let’s get started then!
Since these labs have a static IP, the IP address for Luke is 10.10.10.137. Let us scan the VM with the most popular port scanning tool, nmap.
nmap -A 10.10.10.137

From the result above we found five open ports on the VM: 21, 22, 80, 3000 and 8000.
Here we can see that FTP allows anonymous login, so we check it.
ftp 10.10.10.137
ftp> ls
ftp> cd webapp
ftp> ls
ftp> get for_Chihiro.txt

Through FTP login we found a for_Chihiro.txt file, where Chihiro or Derry might be usernames.
cat for_Chihiro.txt

From the nmap results we know that an HTTP service runs on port 80, so we browse to the target's IP address. We found a simple HTML page.

We also started a directory brute force in order to enumerate the machine further. This gave us some directories and files, namely config.php, management, etc.
./dirsearch.py -u http://10.10.10.137 -e php -x 400,403,404

We enumerated all of them. Among these, config.php gave us some database credentials, as shown in the image below.

We tried credentials on 10.10.10.137/management. But it gave back an unauthorized error. We will come back to it again.

Back to our nmap scan, we found that a Node.js service is running on port 3000. On browsing the IP address on port 3000, we got a message saying that the auth token is not supplied.

We then did a directory brute force on port 3000 as well. We found pages named /login and /users.
./dirsearch.py -u http://10.10.10.137:3000 -e php -x 400,403,404

After a bit of research, we found that we can use the curl command to obtain a JWT auth token from the /login page. For more on this you can read this article.
The tricky part here is that the username is admin, not root as we had guessed.
So we run the curl command with admin as the username and the password we got earlier.
curl --header "Content-Type: application/json" --request POST --data '{"username":"admin", "password":"Zk6heYCyv6ZE9Xcg"}' http://10.10.10.137:3000/login
This gave us the auth token.

We enumerated usernames using the curl command with the help of the authentication token we found earlier. This gave us the users' information, as shown in the image below.
curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9.h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310' http://10.10.10.137:3000/users

We then queried each user with the curl command. This gave us the password for those users, as shown in the image below.
curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9.h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310' http://10.10.10.137:3000/users/Derry
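As an added example that is not part of the original walkthrough, the following Python shows what the bearer token obtained above actually carries and how a service like the one on port 3000 is expected to check it. The first function decodes the header and payload of the token shown on this page without verifying the signature, which is enough to read the username and the validity window; a JWT is signed, not encrypted, so anyone holding a leaked token can do this. The remaining functions model the issue and verify side with HS256. The signing secret (`constructed-demo-secret`) and the `derry` sample claims are constructed for the demonstration; the real service's secret is not on the page.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# The token returned by POST /login in the walkthrough above (copied from the page).
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9."
    "h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310"
)


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Read header and payload WITHOUT checking the signature.

    A JWT is signed, not encrypted, so whoever holds the token can read the
    claims: the username and how long the token stays valid are visible
    before the token is ever presented to the server.
    """
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    return {
        "header": header,
        "payload": payload,
        "lifetime_seconds": payload["exp"] - payload["iat"],
    }


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue an HS256 token the way a /login endpoint does (constructed model)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims of a valid, unexpired token; None for anything else.

    This is the check a resource endpoint such as /users must run on the
    Authorization: Bearer header before answering.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never let the token's own 'alg' choose the verifier.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256
        ).digest()
        # Constant-time comparison so a wrong signature leaks no timing information.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad segment count, bad base64, bad JSON
        return None
    current = int(time.time()) if now is None else now
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
        return None
    if payload["exp"] <= current:
        return None
    return payload


if __name__ == "__main__":
    info = decode_jwt_claims(PAGE_TOKEN)
    print("page token claims:", info["payload"], "valid for", info["lifetime_seconds"], "s")
    demo_secret = b"constructed-demo-secret"  # constructed; the real secret is not on the page
    tok = sign_hs256({"username": "derry", "iat": 1000, "exp": 2000}, demo_secret)
    print("verify at t=1500:", verify_hs256(tok, demo_secret, now=1500))
    print("verify at t=2500 (expired):", verify_hs256(tok, demo_secret, now=2500))
```

Decoding the page's token shows `iat` and `exp` 86400 seconds apart, i.e. a 24-hour bearer token; from a defender's side, a lifetime that long means a token captured from a log or a proxy stays usable for a full day, which is why short expiries and server-side revocation matter for endpoints that hand out credentials.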

We logged in to the management page successfully using the credentials of user Derry.
Username: Derry
Password: rZ86wwLvx7jUxtch

After logging in we found files named config.json, config.php and login.php. We enumerated all of these, among which config.json seemed interesting.


The config.json file had some information related to ‘ajenti’ service running on port 8000 and a password.


We browsed to the IP address on port 8000, which gave us another login form. We entered the following credentials into the form, which successfully got us into the Ajenti panel, as shown in the image below:
Username: root
Password: KpMasng655EtTy9Z

After enumerating a bit, we saw an option to open a terminal. On opening the terminal, we checked the user and group details using the id command: it is a root shell. From here we enumerated the filesystem for the user and root flags.

Author: Prabhjot Dunglay is a Cyber Security Enthusiast with 2 years of experience in Penetration Testing at Hacking Articles. Contact here.