Luke — HackTheBox Machine Write-up

Reconnaissance

Nmap scan report for 10.10.10.137
Host is up (0.26s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3+ (ext.1)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 512 Apr 14 12:35 webapp
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.48
| Logged in as ftp
| TYPE: ASCII
| No session upload bandwidth limit
| No session download bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3+ (ext.1) - secure, fast, stable
|_End of status
22/tcp open ssh?
80/tcp open http Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
| http-methods:
| Supported Methods: POST OPTIONS HEAD GET TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.38 (FreeBSD) PHP/7.3.3
|_http-title: Luke
3000/tcp open http Node.js Express framework
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
8000/tcp open http Ajenti http control panel
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Ajenti

Enumeration

Dear Chihiro !!As you told me that you wanted to learn Web Development and Frontend, I can give you a little push by showing the sources of 
the actual website I've created .
Normally you should know where to look but hurry up because I will delete them soon because of our security policies !
Derry
$dbHost = 'localhost';
$dbUsername = 'root';
$dbPassword = 'Zk6heYCyv6ZE9Xcg';
$db = "login";
$conn = new mysqli($dbHost, $dbUsername, $dbPassword, $db) or die("Connect failed: %s\n". $conn -> error);
  1. Admin — Superuser
  2. Derry — Web Admin
  3. Yuri — Beta Tester
  4. Dory — Supporter
curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4NjEyNTU3LCJleHAiOjE1Njg2OTg5NTd9.9vap7KxTwdnfDiTSdBDl2dzLGTeH8s4rTr47Eus8lZw' http://10.10.10.137:3000/users/<name>
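
The bearer token in the curl request above is a JWT. As an added example (not part of the original write-up), the following Python decodes its header and claims without verifying the signature, to show what a reviewer can read from such a token: the signing algorithm, the account it was issued for and its lifetime. The function names and the one-hour lifetime threshold are assumptions made for this example.

```python
import base64
import json

# Token copied from the curl command in the write-up.
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4NjEyNTU3LCJleHAiOjE1Njg2OTg5NTd9."
         "9vap7KxTwdnfDiTSdBDl2dzLGTeH8s4rTr47Eus8lZw")

MAX_LIFETIME = 3600  # assumed policy threshold in seconds, not from the write-up


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def inspect_jwt(token, now=None):
    """Return header, claims and review findings. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated parts")
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    findings = []
    alg = str(header.get("alg", ""))
    if alg.lower() == "none":
        findings.append("unsigned token (alg=none)")
    elif alg.startswith("HS"):
        findings.append("HMAC-signed: verification depends on one shared secret")
    iat, exp = claims.get("iat"), claims.get("exp")
    if exp is None:
        findings.append("no exp claim: token never expires")
    elif iat is not None and exp - iat > MAX_LIFETIME:
        findings.append(f"lifetime {exp - iat}s exceeds {MAX_LIFETIME}s")
    if now is not None and exp is not None and now >= exp:
        findings.append("expired at the supplied time")
    return {"header": header, "claims": claims, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(inspect_jwt(TOKEN), indent=2))
```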

Exploitation
