Luke Machine

Venkatraman K
Hackthebox Writeups
Oct 15, 2019

Luke is a Linux-like (FreeBSD) machine.

Hints

1. Directory listing would help at the initial stage

2. Try to use the creds indirectly

Hope this suffices if you are only looking for hints.

As usual, I started with the golden rule of scanning ports. This machine has a huge number of rabbit holes, which could waste a lot of time.

As the FTP port is open, I tried to log in with default credentials (anonymous). After a successful login I wasn't able to do much except download for_Chihiro.txt.

So I went on to enumerate the next port. Port 80 was open and there is a web application running, so I used dirbuster (for directory and file listing). To my surprise, there were several login endpoints.

I opened config.php, which revealed some credentials:

    $dbHost = 'localhost';
    $dbUsername = 'root';
    $dbPassword = 'Zk6heYCyv6ZE9Xcg';
    $db = "login";
    $conn = new mysqli($dbHost, $dbUsername, $dbPassword, $db) or die("Connect failed: %s\n". $conn -> error);

But initially it was of no use, as I wasn't able to log in at any endpoint with these credentials. I also tried SQLi for bypassing authentication at the login endpoints, but all went in vain.

I started enumerating port 3000. It was running a Node.js server and it asked for an auth token. I also used dirbuster on this; it revealed endpoints which are only accessible with the auth_token.

Googling about it for some time gave me insight into the curl command:

    curl -s -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' --data '{"username":"root","password":"Zk6heYCyv6ZE9Xcg","rememberMe":false}' http://10.10.10.137:3000/login/

I used the credentials from config.php with this command but I got forbidden, so I used admin instead of root (general guessing). I got the access_token as a response.

    curl -H 'Accept: application/json' -H "Authorization: Bearer YOUR_TOKEN" http://10.10.10.137:3000/users/admin

(change admin here for other users)

I used it to fuzz around the server. With this command I was able to see the administrator credentials, so I used it to get the other users' creds. There are 4 users: admin (super user), derry (web admin), yuri (beta tester), dory (supporter). Connecting this with the txt file I got from the FTP port (it was from Derry), I assumed Derry's credentials were the gateway. I went to /management, where I logged in with his credentials ;). I opened config.json from the list of files, which gave me the credentials for Ajenti, which is running on port 8000.

I logged in to that application. It had a terminal (a terminal built with JS) from which I got user.txt and root.txt.
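In the write-up, one token was enough to read each user's credentials from /users/<name> on the Node.js API. As an added example (not code from the Luke machine or from the original post), here is the core of a handler that checks who is asking and returns only allow-listed fields; the record shape, the `caller` claims object and the secret values are assumptions.

```javascript
// Added example, not the Luke machine's code. User names and roles come from
// the write-up; record fields and secret values are constructed.
const USERS = [
  { id: 1, name: "admin", role: "super user", password: "constructed-1" },
  { id: 2, name: "derry", role: "web admin", password: "constructed-2" },
  { id: 3, name: "yuri", role: "beta tester", password: "constructed-3" },
  { id: 4, name: "dory", role: "supporter", password: "constructed-4" },
];

// Allow-list of fields that may leave the server. An allow-list fails closed:
// a secret column added later is not exposed by accident.
const PUBLIC_FIELDS = ["id", "name", "role"];

function toPublic(record) {
  const out = {};
  for (const field of PUBLIC_FIELDS) out[field] = record[field];
  return out;
}

// `caller` stands for the claims of an already verified bearer token
// (hypothetical shape: { name, role }); null means no valid token.
function getUser(caller, requestedName) {
  if (!caller || typeof caller.name !== "string") {
    return { status: 401, body: { message: "authentication required" } };
  }
  const wanted = String(requestedName).toLowerCase();
  const isSelf = caller.name.toLowerCase() === wanted;
  const isSuper = caller.role === "super user";
  // Authorize before the lookup so 403 vs 404 does not reveal which names exist.
  if (!isSelf && !isSuper) {
    return { status: 403, body: { message: "forbidden" } };
  }
  const record = USERS.find((u) => u.name === wanted);
  if (!record) return { status: 404, body: { message: "not found" } };
  return { status: 200, body: toPublic(record) };
}

// Constructed calls: a low-privilege token asking for another account,
// then for its own record.
console.log(getUser({ name: "dory", role: "supporter" }, "derry"));
console.log(getUser({ name: "dory", role: "supporter" }, "dory"));
```

Even the super user gets no password back here, so a stolen or guessed admin login does not hand over the secrets that were reused on the other services.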


Written by Venkatraman K

@r3dw0lfsec | Security Researcher @ Vault Infosec | CEH | Bug Hunter