Difficulty Rating:

Machine: Luke
OS: Linux

This challenge requires good amount of information gathering. Credentials were leaked at various endpoints which was used to authenticate Ajenti admin server panel. This server panel has a feature to start a terminal which was running with root user by default. This was used to compromise the entire machine.

  • Let’s use Nmap tool to scan the machine for running services.

  • Let’s find commonly known files and directories using gobuster tool.

  • File config.php leaks some credentials for some database.

  • Let’s note down the creds for later use.
$dbHost = 'localhost';
$dbUsername = 'root';
$dbPassword  = 'Zk6heYCyv6ZE9Xcg';
$db = "login";
  • So far we have got the following usernames.
  • And the following password.
  • Nmap shows port 3000 is also open, running NodeJS Express Framework.

  • Let’s run gobuster on this port as well to find which commonly known directories are available.

  • We can see there are mainly two endpoints available: /login and /users

  • When we visit /login endpoint, we get an error message saying please auth.

curl --header "Content-Type: application/json" --request POST --data '{"password":"Zk6heYCyv6ZE9Xcg", "username":"chihiro"}' http://luke.htb:3000/login
  • Unfortunately, none of the above usernames worked. But later, we were able to get successfull authentication using admin username.

  • We now have the authentication token which we can use to authenticate for every API request.

  • Let’s use the authentication token and try to get usernames by sending GET request to /users endpoint.

curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY3NjY5NzI4LCJleHAiOjE1Njc3NTYxMjh9.OzyZKtICVpJbmLTGz0gbc18ww_Dmw-yRiHngS_isBH4'  http://luke.htb:3000/users
  • We got four more usernames with their roles.

  • Let’s note them down as well for future use.
{"ID":"2","name":"Derry","Role":"Web Admin"},
{"ID":"3","name":"Yuri","Role":"Beta Tester"},
  • After further enumeration, we came to an endpoint /users/<username>, where <username> will be replaced by above usernames.
  • This API endpoint leaks the username and password for each of the above usernames.

  • Let’s note down the creds for future use.
Admin: WX5b7)>/rp$U)FW
Derry: rZ86wwLvx7jUxtch
Yuri:  [email protected]
Dory: 5y:!xa=ybfe)/QD
  • The output of gobuster on port 80 showed /management endpoint as well. Since we needed credentials to access it, we didn’t do anything before.

  • Now we can try the above credentials to access this endpoint.

  • After trying the above credentials, the following credential worked on http://luke.htb/management/

Derry: rZ86wwLvx7jUxtch
  • This endpoint leaks some of the sensitive files like config.json and config.php. We had already explored config.php. Let’s check config.json

  • We can see a lot of configuration settings for a service which is running on port 8000.

  • Nmap already showed that there’s a service called Ajenti running on port 8000.
  • This configuration file leaks the username and password for logging into this application.

  • Following are the credentials for Ajenti Login page that is running on port 8000.
Username: root
Password: KpMasng6S5EtTy9Z
  • Login into the application and click on Terminal as shown in the following screenshot.

  • Click on New to start a new terminal.

  • We have now got terminal with root user directly. Which means we can get user.txt and root.txt right from this terminal

  • Hash for user.txt
  • Hash for root.txt
System owned!!

Share the fun!