HackTheBox Writeups

Writeups for all the HTB boxes I have solved

Luke

Author: H4d3s


Machine IP: 10.10.10.137

Starting On: Wed Jul 17 12:55:44 IST 2019


NMAP

There are quite a few ports open. FTP allows anonymous login, so I think it would be nice to start with that.


FTP

I logged into FTP and found a file named for_Chihiro.txt in a folder named webapp.

It had the following message:

Okay, so this means the source of the website is present somewhere. Also, now we know that there are two users: Chihiro and Derry.

Let’s move on to all the HTTP ports.


HTTP

Port 80

The website on port 80 was pretty simple and there wasn’t anything in the source of the page.

I ran dirsearch on the website and found some directories:

There wasn’t anything interesting in any of those files except config.php.

I found a username and password in config.php

$dbHost = 'localhost';
$dbUsername = 'root';
$dbPassword  = 'Zk6heYCyv6ZE9Xcg';
$db = "login";

$conn = new mysqli($dbHost, $dbUsername, $dbPassword,$db) or die("Connect failed: %s\n". $conn -> error);

I tried to use those credentials on /login.php and /management/, but they didn’t work on either of them. So I decided to move on to the remaining two ports.


Port 8000

It’s a login page. I didn’t even know what Ajenti was, so I googled it and found out:

An admin's tool for a more civilized age, providing you with a fast and secure way to manage a remote Linux box at any time using everyday tools like a web terminal, text editor, file manager and others.

This could be vulnerable to something, so I used searchsploit and found an exploit for it.

But since this exploit needs a way to create a directory, I couldn’t use it.

Moving on to port 3000.


Port 3000

It’s an API which requires an auth token. I decided to use the password I found in config.php and it gave a 200 but still returned an "Invalid token" error.

After reading some forum comments I realized I was doing it all wrong. Zk6heYCyv6ZE9Xcg is not the token but the password. So that means I need to get a token first, using Zk6heYCyv6ZE9Xcg with some different username.

I read this Medium article that showed me how to use curl for sending the token, username, etc.

Since I needed to find more information through this API, I decided to run dirsearch on it to see if I could find some directories that might give something away.

So we can use http://10.10.10.137:3000/login to get our token, but we still need to brute-force the username. I started with all the usernames I’ve found so far, but none of them worked.

But I got the token with admin:Zk6heYCyv6ZE9Xcg:

{
  "success": true,
  "message": "Authentication successful!",
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTYzMzUzNTA3LCJleHAiOjE1NjM0Mzk5MDd9.6KHbS8q0UbOyMbIdR2974jzztEUf-kdYeHQtz-4_Rg0"
}

I assigned the token to a variable in my shell so I don’t have to paste long stuff again and again.
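The token above is a JSON Web Token, and its claims are readable by anyone holding it: only the signature needs the server's secret. The following is an added example, not part of the original writeup; it decodes the token exactly as returned by the /login endpoint, reports the algorithm, user and validity window, and shows the HS256 check the API performs on its side (the secret used here is a placeholder, since the box's signing key is not known).

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# The token returned by the box's /login endpoint, copied from the response above.
TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTYzMzUzNTA3LCJleHAiOjE1NjM0Mzk5MDd9."
    "6KHbS8q0UbOyMbIdR2974jzztEUf-kdYeHQtz-4_Rg0"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> dict:
    """Split a compact JWS into parsed header, parsed payload and raw signature.

    No signature check happens here: the header and claims are only base64url
    encoded, so anyone who can read the token can read them.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    return {
        "header": json.loads(_b64url_decode(header_b64)),
        "payload": json.loads(_b64url_decode(payload_b64)),
        "signature": _b64url_decode(sig_b64),
    }


def token_lifetime_seconds(token: str) -> int:
    """How long the token stays valid, from its iat and exp claims."""
    claims = decode_jwt_unverified(token)["payload"]
    return claims["exp"] - claims["iat"]


def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute the HS256 signature over 'header.payload' and compare in constant time.

    This is the check the API itself performs; without the server's secret a
    token can be read but neither validated nor forged.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def describe(token: str) -> str:
    """One-line summary of who the token is for and when it expires (UTC)."""
    parts = decode_jwt_unverified(token)
    issued = datetime.fromtimestamp(parts["payload"]["iat"], tz=timezone.utc)
    expires = datetime.fromtimestamp(parts["payload"]["exp"], tz=timezone.utc)
    return (
        f"alg={parts['header']['alg']} user={parts['payload']['username']} "
        f"issued={issued.isoformat()} expires={expires.isoformat()} "
        f"signature={len(parts['signature'])} bytes"
    )


if __name__ == "__main__":
    print(describe(TOKEN))
    # "not-the-real-secret" is a placeholder: the box's signing key is unknown.
    print("verifies with placeholder secret:", verify_hs256(TOKEN, b"not-the-real-secret"))
```

Running it shows the token is HS256, issued for username admin, and valid for exactly 24 hours (exp minus iat is 86400 seconds), which matches the timestamps in this writeup. For a defender the takeaway is that a leaked token is usable for its whole lifetime, so short expiries and server-side revocation matter more than hiding the claims.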

Now we can look into all the directories we found on this port.

On /users I got some users with their IDs along with their roles.

[
  {
    "ID": "1",
    "name": "Admin",
    "Role": "Superuser"
  },
  {
    "ID": "2",
    "name": "Derry",
    "Role": "Web Admin"
  },
  {
    "ID": "3",
    "name": "Yuri",
    "Role": "Beta Tester"
  },
  {
    "ID": "4",
    "name": "Dory",
    "Role": "Supporter"
  }
]

And on users/admin I got some credentials:

{
  "name": "Admin",
  "password": "WX5b7)>/rp$U)FW"
}

So far we have 3 portals to try these credentials on.

I tried those credentials but none of them worked. So after thinking a bit I realized something: when we visited users/Admin we got the password for Admin, but what if we try other usernames? Maybe we can get passwords for them as well.

➜ http http://10.10.10.137:3000/users/Derry $TOKEN | jq .
{
  "name": "Derry",
  "password": "rZ86wwLvx7jUxtch"
}

~
➜ http http://10.10.10.137:3000/users/Dory $TOKEN | jq .
{
  "name": "Dory",
  "password": "5y:!xa=ybfe)/QD"
}

~
➜ http http://10.10.10.137:3000/users/Yuri $TOKEN | jq .
{
  "name": "Yuri",
  "password": "bet@tester87"
}

🎉🎉🎉🎉🎉🎉
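What the API just did, from the server's side, is hand out every user's plaintext password to any token holder. The pattern in the access log is distinctive: a short run of failed POST /login attempts, one success, then one token reading several /users/<name> records in a row. The following is an added example, not part of the original writeup, with detection logic for both patterns run over a constructed access log (the log format and IP addresses are invented for the example).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log for the port-3000 API (not captured from the box).
# Assumed line format: ISO timestamp, client IP, method, path, HTTP status.
SAMPLE_LOG = """\
2019-07-17T08:50:01Z 10.10.14.5 POST /login 401
2019-07-17T08:50:02Z 10.10.14.5 POST /login 401
2019-07-17T08:50:03Z 10.10.14.5 POST /login 401
2019-07-17T08:50:04Z 10.10.14.5 POST /login 401
2019-07-17T08:51:47Z 10.10.14.5 POST /login 200
2019-07-17T08:52:10Z 10.10.14.5 GET /users 200
2019-07-17T08:52:30Z 10.10.14.5 GET /users/Admin 200
2019-07-17T08:53:01Z 10.10.14.5 GET /users/Derry 200
2019-07-17T08:53:05Z 10.10.14.5 GET /users/Dory 200
2019-07-17T08:53:09Z 10.10.14.5 GET /users/Yuri 200
2019-07-17T09:10:00Z 10.10.14.9 POST /login 200
2019-07-17T09:10:20Z 10.10.14.9 GET /users/Derry 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_log(text: str) -> list:
    """Turn the constructed log into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, method, path, status = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "method": method, "path": path, "status": int(status),
        })
    return events


def detect_login_spray(events, min_failures=3, window=timedelta(minutes=5)) -> list:
    """Flag an IP whose successful POST /login follows >= min_failures 401s within the window.

    Returns (ip, number_of_recent_failures, time_of_success) per finding.
    """
    findings = []
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/login":
            by_ip[e["ip"]].append(e)
    for ip, attempts in by_ip.items():
        failures = []
        for e in attempts:
            if e["status"] == 401:
                failures.append(e["ts"])
            elif e["status"] == 200:
                recent = [t for t in failures if e["ts"] - t <= window]
                if len(recent) >= min_failures:
                    findings.append((ip, len(recent), e["ts"]))
                failures = []  # a success closes the attempt sequence
    return findings


def detect_user_record_harvest(events, max_distinct=2, window=timedelta(minutes=5)) -> list:
    """Flag an IP that reads more than max_distinct different /users/<name> records in the window.

    Returns (ip, sorted list of user names read) per finding. A bare /users
    listing is not counted; only per-user record reads are.
    """
    findings = []
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "GET" and e["path"].startswith("/users/") and e["status"] == 200:
            by_ip[e["ip"]].append(e)
    for ip, reads in by_ip.items():
        for i, first in enumerate(reads):
            in_window = [r for r in reads[i:] if r["ts"] - first["ts"] <= window]
            names = {r["path"].split("/", 2)[2] for r in in_window}
            if len(names) > max_distinct:
                findings.append((ip, sorted(names)))
                break  # one finding per IP is enough
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for ip, n, when in detect_login_spray(evts):
        print(f"login spray: {ip} succeeded after {n} failures at {when.isoformat()}")
    for ip, names in detect_user_record_harvest(evts):
        print(f"record harvest: {ip} read {len(names)} user records: {', '.join(names)}")
```

On the sample log only 10.10.14.5 trips both rules; 10.10.14.9, which logs in once and reads one record, does not. Thresholds are deliberately low for a four-user API; on a real deployment they would be tuned to normal traffic. The underlying fix is of course not to return passwords from /users/<name> at all, but these checks surface the behaviour while that fix is pending.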

Now we can use Derry’s credentials because he’s the Web Admin.

First I visited management/ and got some different page URLs.

If we open config.json we can see some information related to Ajenti running on port 8000.

We can see the credentials root:KpMasng6S5EtTy9Z. We can use these on port 8000 to log in.


I logged in on http://10.10.10.137:8000/ using root:KpMasng6S5EtTy9Z and got a simple dashboard.

In the lower left we can see an option for Terminal; click on it and make a new terminal.

When I ran the whoami command I was screaming like a crazy person.

Now we can just get the user and root hash 😜😜😜


It was kind of a good box, not too difficult but not too easy either. I really liked the API usage part.

Thanks to H4d3s for making this box.


Thanks for reading. Feedback is always appreciated.

Follow me @0xmzfr for more “Writeups”.