HTB is an excellent platform that hosts machines running multiple OSes. It also hosts other challenges. Individuals have to solve the puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform. Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Luke, is retired.
The walkthrough
Let’s start with this machine.
Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.
The Luke machine IP is 10.10.10.137.
We will adopt the same methodology of performing penetration testing as we have used previously. Let’s start with enumeration in order to learn as much about the machine as possible.
As usual, let’s start with the nmap scan to gather more information about the services running on this machine. «nmap -sC -sV -oA Luke 10.10.10.137»
As we can see, the ports that are opened are 21, 22, 80, 3000 and 8000. Let’s start the enumeration on them.
Let’s start with FTP. While enumerating, we can see that there is a .txt file. We download that file to the local box. «ftp 10.10.10.137» «cd webapp» «get for_Chihiro.txt»
From the text file, it was evident that there are at least two users present, named Chihiro and Derry.
Let’s keep that in mind and move to other ports for further enumeration. The one below is for port 80. Nothing too interesting yet.
Moving to port 3000, we got a message about a missing Auth Token.
And finally, port 8000 hosts an Ajenti service. We tried the default username/password, but it did not work.
With all this, let’s start Gobuster and DIRB to enumerate the directories. We found the below directories with Gobuster. «gobuster -u http://10.10.10.137 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30»
We also tried DIRB and found the directories below. «dirb http://10.10.10.137»
We can see that there is a /management directory also listed.
Browsing to the /management directory, it prompts for a username and password, which we do not have as of now.
Let’s enumerate more on the system with the PHP extension. We can see that it discovers config.php and login.php. «dirb http://10.10.10.137 -X .php»
Enumerating config.php, it looks like we got a username and password. We tried that in the /management directory, but it did not work.
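The directory enumeration above and the readable config.php are both visible in the web server's access log. The following is an added defender-side example, not part of the original walkthrough: a small detector over constructed combined-format log lines that flags a client sending a burst of 404s (wordlist scanning) and any 200 response on paths that should never be web-readable. The IP addresses, timestamps and user agents in the sample are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-format access-log lines (sample data, not from the Luke machine).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Sep/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Sep/2019:10:00:02 +0000] "GET /admin HTTP/1.1" 404 209 "-" "gobuster/3.0"
198.51.100.23 - - [20/Sep/2019:10:00:02 +0000] "GET /backup HTTP/1.1" 404 209 "-" "gobuster/3.0"
198.51.100.23 - - [20/Sep/2019:10:00:03 +0000] "GET /css HTTP/1.1" 404 209 "-" "gobuster/3.0"
198.51.100.23 - - [20/Sep/2019:10:00:04 +0000] "GET /test HTTP/1.1" 404 209 "-" "gobuster/3.0"
198.51.100.23 - - [20/Sep/2019:10:00:05 +0000] "GET /config.php HTTP/1.1" 200 312 "-" "gobuster/3.0"
203.0.113.7 - - [20/Sep/2019:10:00:30 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Paths the walkthrough found reachable on port 80; a 200 on any of them deserves an alert.
SENSITIVE = {"/config.php", "/login.php", "/management"}

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"],
            "status": int(m["status"]), "ua": m["ua"]}

def detect_dir_bruteforce(lines, window=timedelta(seconds=60), threshold=4):
    """Return {client_ip: set_of_reasons} for clients that look like directory brute-forcers."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        reasons = set()
        # Sliding window: `threshold` or more 404s inside `window` is a wordlist burst.
        nf = sorted(r["ts"] for r in recs if r["status"] == 404)
        start = 0
        for end, ts in enumerate(nf):
            while ts - nf[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                reasons.add("404-burst")
                break
        # Successful reads of files that should never be served (e.g. config.php).
        reasons |= {"sensitive-path:" + r["path"] for r in recs
                    if r["status"] == 200 and r["path"] in SENSITIVE}
        if reasons:
            findings[ip] = reasons
    return findings
```

The single 404 from the ordinary client is below the threshold and produces no finding, while the scanning client is reported for both the burst and the config.php read.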
Let’s enumerate more with DIRB on port 3000. We can see that there are login pages, but they require an auth token as well. «dirb http://10.10.10.137:3000»
Let’s try the discovered credentials against the login page on port 3000 by passing them in the request, as shown in the Burp request below.
It looks like the auth was successful and in response, we got the token. Now let’s use this token and browse all the discovered directories under port 3000. Let’s start with /users.
So we got the user list, along with their roles. Let’s enumerate more on these users with /user/, as shown below. In response, we got the password.
User:Admin
User:Derry
User:Yuri
User:Dory
Since Derry’s role is Web Admin, let’s try his credentials on the /management page.
And we are in. Below are the subdirectories under this page.
Let’s start to enumerate them. Below are the contents of config.json.
As we can see, we have the password for the service on port 8000 (which is Ajenti), so let’s try it with the user root.
And we are in. Super! Inside, there was a simple way to spawn a new terminal, and since the service is running as root, we landed directly in a root shell.
Below is the root terminal.
Now we can easily enumerate to grab our flags. «pwd» «cat user.txt» «cat root.txt»
This was an excellent machine with a lot to think about regarding enumeration and connecting the dots. We will continue the series with more such interesting HTB machines.