HackTheBox Writeup: Luke

Luke was a medium rated box which was quite accurate for me. As I come from a networking/sysadmin background, some of the web oriented stuff was very confusing to me but hey, that's what I love about HTB - the opportunity to learn things without breaking the law or pissing off clients!

Nmap scan:

Anonymous FTP is low-hanging fruit so I checked that out first:

Let's see what that text file says:

That breadcrumb isn't much help at the moment so let's check out port 80:

Port 3000 needs an auth token of some kind:

Port 8000 has an Ajenti control panel:

There's a possible XSS vulnerability in Ajenti but it requires authentication so I decided to fire up gobuster to see what it finds:

Config.php often contains login creds so let's check that out:

Whoa, a root password??? Surely it can'be that easy.

Morgan Freeman: It was not that easy

I tried that password everywhere with zero luck. When stuck, it never hurts to enumerate more so I fired up dirb in case gobuster missed something:

'management' looks interesting - unfortunately it's password protected and the creds I found don't work there either.  I was stuck here for a good long while, desperately wishing I could go back in time and tell my younger self to learn web development.

After hammering at various things and failing, I took stock of the situation and thought about what the intended path would be. Bruteforce is almost never the way to go with these things and the creds I found had to be used somewhere...right?? Eventually I thought about port 3000 and its auth token message. After much googling and reading, I came across this article which was extremely helpful in understanding what I was looking at and how to get past it. Using the info in that article, it took a lot of experimentation before I got a curl command right to get a token:

Sweeeeeeet

During the initial enumeration, I ran gobuster on port 3000 and it came up with this:

Ugly screenshot from my Cherrytree notes

Going off that article again, more trial and error took place inside Burp before I got access to http://luke.htb:3000/users working:

So now we learn there are 3 users here: Derry, Yuri and Dory. Let's go check out their data:

Armed with these creds, I try them everywhere and eventually find that Derry's cred's work at http://luke.htb/management and see this:

config.json shows a root password in clear text:

These creds let me log into Ajenti:

Click on 'Terminal'

Then click on '+new'

Clicking on the black window yields a root shell and the root flag:

Can't forget the user flag: