My observations while working this target:
· Enumeration: Life-like
· Vulnerabilities: Life-like
· Exploitation: CTF-like/Life-like
· Difficulty: Medium
· Community Notes: CTF-like
The recommended tools for this lab were:
· FTP Client
The following vulnerabilities were found:
· Anonymous Connection
· Token Bypass
· Cleartext Credentials
After connecting to the HTB network, I launched Nmap to scan Luke (10.10.10.137).
Identifying that Port 21 was using an anonymous FTP authentication, I logged in and reviewed the contents of the directory. The results returned another directory which contained a file named for_Chihiro.txt. I issued the get command to download the file to my local system.
Reviewing the contents of the file revealed the following:
After not finding any additional interesting information on the FTP server, I turned my attention to the Web Ports of 80, 3000, and 8000. I ran dirb and Nikto against all three ports.
With regard to Port 80, Nikto uncovered an interesting file named config.php as well as the allowed HTTP method of POST, while dirb uncovered an interesting directory named /management.
So, I issued a wget to download the contents of config.php and also issued a curl request against it. However, I was not able to successfully connect to the /management directory.
Continuing with enumeration, TCP Port 3000 yielded a couple of interesting directories of /login and /users with Nikto.
So, I tried to connect to the /users directory and received an interesting error.
Finishing the initial enumeration of Port 8000, the only interesting result was the site itself.
JWT Token Bypass:
At this point, I continued to enumerate and got stuck. I started doing some research and noticed that another HTB user posted the possibility of JWT Token Bypass. In addition, there was a reference to an excellent article explaining JWT Token Bypass at the following:
With the hint in hand, it was a matter of figuring out the proper syntax and credentials to obtain a token.
Reviewing the config.php file from TCP Port 80, I used the credentials to attempt to log in to http://10.10.10.137:3000/login in order to obtain a token. However, that was not successful. So, I tried various forms of administrative usernames until I was able to successfully log in as admin.
After obtaining the token, I issued another curl command, this time against the /users directory. To my surprise, the returned data was a user list.
Next, I decided to append the user name as another directory level to /users. Very cool. The credentials were revealed, and I continued the process for each user listed.
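As an added example (not part of the original writeup), here is the login-then-enumerate sequence described above seen from the defender's side: a small Python detector that reads web server access-log lines and flags a source that fails a few logins, obtains a token, and then walks /users/<name>. The log format, the source IP and the timestamps are constructed assumptions, not data captured from the box.

```python
import re
from collections import defaultdict

# Constructed sample access log (not captured from the box): the source IP,
# timestamps and byte counts are made up. The sequence mirrors the walkthrough:
# failed POST /login attempts, one success, then GET /users/<name> lookups.
SAMPLE_LOG = """\
10.10.14.5 - - [12/Jun/2019:10:01:02 +0000] "POST /login HTTP/1.1" 401 27
10.10.14.5 - - [12/Jun/2019:10:01:05 +0000] "POST /login HTTP/1.1" 401 27
10.10.14.5 - - [12/Jun/2019:10:01:09 +0000] "POST /login HTTP/1.1" 200 213
10.10.14.5 - - [12/Jun/2019:10:01:20 +0000] "GET /users HTTP/1.1" 200 341
10.10.14.5 - - [12/Jun/2019:10:01:31 +0000] "GET /users/Admin HTTP/1.1" 200 88
10.10.14.5 - - [12/Jun/2019:10:01:40 +0000] "GET /users/Derry HTTP/1.1" 200 90
192.168.1.8 - - [12/Jun/2019:10:02:00 +0000] "GET /users HTTP/1.1" 401 30
"""

# Common-log-style line: ip ident user [time] "METHOD path proto" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)

def parse_line(line):
    """Return (ip, method, path, status) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ip"], m["method"], m["path"], int(m["status"])

def find_credential_harvest(log_text, min_user_lookups=2):
    """Flag each source IP that fails logins, then succeeds, then reads >= N /users/<name>."""
    state = defaultdict(lambda: {"failed": 0, "token_issued": False, "users": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, method, path, status = parsed
        s = state[ip]
        if method == "POST" and path == "/login":
            if status == 200:
                s["token_issued"] = True          # token handed out to this source
            elif not s["token_issued"]:
                s["failed"] += 1                  # username/password guessing
        elif method == "GET" and path.startswith("/users/") and status == 200 and s["token_issued"]:
            s["users"].append(path[len("/users/"):])  # per-user record fetched
    return [
        {"ip": ip, "failed_logins": s["failed"], "users_enumerated": s["users"]}
        for ip, s in state.items()
        if s["token_issued"] and len(s["users"]) >= min_user_lookups
    ]

if __name__ == "__main__":
    for alert in find_credential_harvest(SAMPLE_LOG):
        print(alert)
```

The same pattern generalises to any API that issues bearer tokens and exposes per-user records; the real fix is to stop returning passwords from /users/<name> at all.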
Having the credentials for the users, I decided to revisit http://10.10.10.137/management via a web browser. Based on the descriptions from the user list, I used the credentials for Derry to successfully authenticate.
Once authenticated, I was presented with the following index:
In reviewing each file, only config.json contained interesting data: what appeared to be root credentials.
I tested the credentials on the TCP Port 80 login page, but was unsuccessful. However, I was able to authenticate to TCP Port 8000’s login page.
On the left-hand side of the Web Admin page, I selected the Terminal from the menu. I then clicked on the +New button to create a new terminal session.
I then clicked on the Terminal window to interact with it and confirmed the user and credentials used.
Knowing that I was root, I just had to find the flag, which was located in the /root directory.
With the root flag secured, it was time to find the user flag to end the challenge. So, I did a switch user to derry, and reviewed the contents of the user’s home directory to discover the flag.
This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.
Information within this article is “as is”, without warranty of any sort.