Luke Machine

Hackthebox Writeups
Oct 15, 2019

Luke is a Linux-like (FreeBSD) machine.


1. Directory listing would help at the initial stage

2. Try to use the creds indirectly

Hope this suffices if you are only looking for hints.

As usual, I started with the golden rule of scanning ports. This machine has a huge number of rabbit holes which could waste a lot of time.

As the FTP port is open, I tried to log in with the default credentials (anonymous). After a successful login I wasn't able to do much except download for_Chihiro.txt.

So I went on to enumerate the next port. Port 80 was open and there is a web application running, so I used dirbuster (for directory and file listing). To my surprise, there were several login endpoints.

I opened config.php, which revealed some credentials:

$dbHost = 'localhost';
$dbUsername = 'root';
$dbPassword = 'Zk6heYCyv6ZE9Xcg';
$db = "login";
$conn = new mysqli($dbHost, $dbUsername, $dbPassword, $db) or die("Connect failed: %s\n". $conn -> error);

Initially this was of no use, as I wasn't able to log in at any of the endpoints with these credentials. I also tried SQLi to bypass authentication at the login endpoints, but all in vain.

I started enumerating port 3000. It was running a Node.js server and it asked for an auth token. I also used dirbuster on this; it revealed endpoints which are only accessible with the auth token.

Googling about it for some time gave me insight into the curl command:

curl -s -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' --data '{"username":"root","password":"Zk6heYCyv6ZE9Xcg","rememberMe":false}'

I used the credentials from config.php with this command but got "forbidden", so I used admin instead of root (general guessing). I got the access_token as the response.

curl -H 'Accept: application/json' -H "Authorization: Bearer YOUR_TOKEN" (change here for other user)

I used it to fuzz around the server. With this command I was able to see administrator, and I used it to get the other users' creds. There are 4 users: admin (super user), derry (web admin), yuri (beta tester), dory (supporter). Connecting this with the text file I got from the FTP port (it was from Derry), I assumed Derry's credentials were the gateway. I went to /management, where I logged in with his credentials ;). I opened config.json from the list of files, which gave me the credentials for Ajenti, which is running on port 8000.

I logged in to that application. It had a terminal (a terminal built with JS) from which I got user.txt and root.txt.
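The chain above worked because the config.php password was also accepted by the port 3000 API under a different username, and because config.json held the panel credentials in a readable file. As an added example (not part of the original writeup), here is a defender-side check that extracts secrets from PHP and JSON config files and flags any value shared between files; the file names, contents and helper names are constructed for illustration.

```python
import hashlib
import json
import re
from collections import defaultdict

# PHP assignments such as: $dbPassword = 'value';
PHP_ASSIGN = re.compile(r"""\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""")
SECRET_KEY = re.compile(r"pass|secret|token|key", re.I)

def php_secrets(text):
    """Yield (name, value) for PHP variables whose name looks secret."""
    for name, _quote, value in PHP_ASSIGN.findall(text):
        if SECRET_KEY.search(name) and value:
            yield name, value

def json_secrets(node, path=""):
    """Walk parsed JSON; yield (path, value) for secret-looking string fields."""
    if isinstance(node, dict):
        for key, child in node.items():
            here = f"{path}.{key}" if path else key
            if isinstance(child, str) and SECRET_KEY.search(key) and child:
                yield here, child
            else:
                yield from json_secrets(child, here)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from json_secrets(child, f"{path}[{i}]")

def find_reuse(files):
    """files: {filename: text}. Return {fingerprint: [locations]} for
    secret values that appear in two or more different files."""
    seen = defaultdict(set)
    for fname, text in files.items():
        is_json = fname.endswith(".json")
        found = json_secrets(json.loads(text)) if is_json else php_secrets(text)
        for name, value in found:
            # Report a short hash, never the secret itself.
            fp = hashlib.sha256(value.encode()).hexdigest()[:12]
            seen[fp].add((fname, name))
    return {fp: sorted(f"{f}:{n}" for f, n in locs)
            for fp, locs in seen.items() if len({f for f, _ in locs}) > 1}

# Constructed sample files (hypothetical names and values, not the machine's).
SAMPLE = {
    "config.php": "$dbUsername = 'root'; $dbPassword = 'Example-Pw-1';",
    "api/config.json": '{"users": [{"name": "admin", "password": "Example-Pw-1"}]}',
    "panel/config.json": '{"name": "panel", "password": "Different-Pw-2"}',
}
```

Calling `find_reuse(SAMPLE)` returns one fingerprint listing `api/config.json:users[0].password` and `config.php:dbPassword`; the panel password is unique and is not reported.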



Venkatraman K
