
Target Experience:

My observations while working this target:

Tools:

The recommended tools for this lab were:

Vulnerabilities:

The following vulnerabilities were found:

Information Gathering:

After connecting to the HTB network, I launched Nmap to scan Luke (10.10.10.137).

(screenshot: nmap -A 10.10.10.137)

FTP Enumeration:

Identifying that port 21 allowed anonymous FTP authentication, I logged in and reviewed the contents of the directory. The results returned another directory which contained a file named for_Chihiro.txt. I issued the get command to download the file to my local system.

(screenshot: FTP)
(screenshot: for_Chihiro.txt)

Web Enumeration:

After not finding any additional interesting information on the FTP server, I turned my attention to the web ports 80, 3000, and 8000. I ran dirb and Nikto against all three ports.

(screenshot: Nikto Port 80)
(screenshot: dirb Port 80)
(screenshot: config.php)
(screenshot: /management)
(screenshot: /login and /users)
(screenshot: Token Error)
(screenshot: Login)

JWT Token Bypass:

At this point, I continued to enumerate and got stuck. I started doing some research and noticed that another HTB user had posted about the possibility of a JWT token bypass. In addition, there was a reference to an excellent article explaining JWT token bypass at the following:

(screenshot: Token)
(screenshot: User List)
(screenshot: Admin Credentials)
(screenshot: Derry Credentials)
(screenshot: Yuri Credentials)
(screenshot: Dory Credentials)

Root Flag:

Having the credentials for the users, I decided to revisit http://10.10.10.137/management via a web browser. Based on the descriptions from the user list, I used the credentials for Derry to successfully authenticate.

(screenshot: Login)
(screenshot: /management)
(screenshot: config.json)
(screenshot: Login)
(screenshot: Web Admin)
(screenshot: Web Admin)
(screenshot: Root Connectivity)
(screenshot: root.txt)

User Flag:

With the root flag secured, it was time to find the user flag to end the challenge. So, I switched user to derry and reviewed the contents of the user’s home directory to discover the flag.

(screenshot: user.txt)

Disclaimer:

This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
