Luke, a FreeBSD box created by HackTheBox user H4d3s, was an overall simple medium-difficulty box. Rooting this host is mostly a matter of taking advantage of its sensitive information disclosure, its password reuse, and its over-zealous privileges that are available from the web host. This was the first box where I had rooted the box before getting user.
# Nmap 7.70 scan initiated Sun May 26 02:21:09 2019 as: nmap -vvv -sC -sV -oN nmap/luke 10.10.10.137 Nmap scan report for 10.10.10.137 Host is up, received echo-reply ttl 63 (0.13s latency). Scanned at 2019-05-26 02:21:10 IST for 215s Not shown: 995 closed ports Reason: 995 resets PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3+ (ext.1) | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_drwxr-xr-x 2 0 0 512 Apr 14 12:35 webapp | ftp-syst: | STAT: | FTP server status: | Connected to 10.10.15.103 | Logged in as ftp | TYPE: ASCII | No session upload bandwidth limit | No session download bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 3 | vsFTPd 3.0.3+ (ext.1) - secure, fast, stable |_End of status 22/tcp open ssh? syn-ack ttl 63 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3) | http-methods: | Supported Methods: GET POST OPTIONS HEAD TRACE |_ Potentially risky methods: TRACE |_http-server-header: Apache/2.4.38 (FreeBSD) PHP/7.3.3 |_http-title: Luke 3000/tcp open http syn-ack ttl 63 Node.js Express framework | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-title: Site doesn't have a title (application/json; charset=utf-8). 8000/tcp open http-alt syn-ack ttl 63 | fingerprint-strings: | Help, Kerberos, LDAPSearchReq, LPDString, SIPOptions, Socks5, TLSSessionReq: | HTTP/1.1 400 Bad Request | Connection: close |_ Content-length: 0 | http-methods: |_ Supported Methods: OPTIONS 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port8000-TCP:V=7.70%I=7%D=5/26%Time=5CE9AAE0%P=x86_64-pc-linux-gnu%r(So SF:cks5,42,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n SF:Content-length:\x200\r\n\r\n")%r(Help,42,"HTTP/1\.1\x20400\x20Bad\x20Re SF:quest\r\nConnection:\x20close\r\nContent-length:\x200\r\n\r\n")%r(TLSSe SF:ssionReq,42,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close SF:\r\nContent-length:\x200\r\n\r\n")%r(Kerberos,42,"HTTP/1\.1\x20400\x20B SF:ad\x20Request\r\nConnection:\x20close\r\nContent-length:\x200\r\n\r\n") SF:%r(LPDString,42,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20c SF:lose\r\nContent-length:\x200\r\n\r\n")%r(LDAPSearchReq,42,"HTTP/1\.1\x2 SF:0400\x20Bad\x20Request\r\nConnection:\x20close\r\nContent-length:\x200\ SF:r\n\r\n")%r(SIPOptions,42,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnec SF:tion:\x20close\r\nContent-length:\x200\r\n\r\n");
Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sun May 26 02:24:45 2019 -- 1 IP address (1 host up) scanned in 215.62 seconds
The initial nmap scan revealed a bunch of open ports:
The FTP server on port tcp/21 allows anonymous connections. There is only one file on it:
1 2 3 4 5 6 7 8
# cat for_Chihiro.txt Dear Chihiro !!
As you told me that you wanted to learn Web Development and Frontend, I can give you a little push by showing the sources of the actual website I've created . Normally you should know where to look but hurry up because I will delete them soon because of our security policies !
The web application on port tcp/80 appears to be a very simple static page without much functionality. Port tcp/3000 looks like some sort of API that requires authentication. And tcp/8000 is running Ajenti, a server administration panel which also requires credentials.
Using gobuster on port tcp/80 the following paths are found (among others):
After some quick enumeration with sqlmap on the login portal, it seems like SQL injection is not the intended path. There are, however, credentials for the mysql database server’s root user on the site’s config.php page:
Unfortunately, we cannot use these credentials at the login portal here either. We can, however, enumerate the other web services on the box for open directories:
We can try to use these credentials in some other areas. Although none of these credentials are valid for the login portal from earlier (nor are they valid ssh credentials), Derry’s credentials are valid for the management page found earlier with gobuster on port 80: In that folder are 3 files, 2 of which we already know:
Requesting config.json reveals some Ajenti configuration: