Luke – 10.10.10.137

Nmap:

[Screenshot 1]

The first thing we notice is that anonymous login is allowed for the FTP service. This means we can log in to that service without a password. Let's take a look.

[Screenshot 2]

Login successful!

Let's see what we can get.

[Screenshot 3]

So we found a file here. Let's see what it says.

[Screenshot 4]

So the developer left the actual code of the website viewable on the site. That's always a risk: if someone has your code, they can look for the holes, or for juicy information like hard-coded passwords. Let's try looking for that.

Let's use a tool called Nikto to do some further reconnaissance.

[Screenshot 5]

[Screenshot 6]

This has some interesting information: a DB root password.

User: root

Password: Zk6heYCyv6ZE9Xcg

After some testing, the root password doesn't work for anything we have found yet, which means we're still in search of a foothold. Let's look at the Node.js framework.

Let’s run dirb.

[Screenshot 7]

Login seems the most interesting link here.

[Screenshot 8]

The following link gives us some information on how to add tokens to authenticate:

https://medium.com/dev-bits/a-guide-for-adding-jwt-token-based-authentication-to-your-single-page-nodejs-applications-c403f7cf04f4

If I understand it correctly, the login page is more of a validation center for requests to the server. Here we should be able to get the admin token.

Try requesting the token:

[Screenshot 9]

Hmm, something seems wrong. Cannot POST… but we should use POST. Stupid mistake, I forgot to add /login to the URL…

[Screenshot 10]

Answer –> forbidden.

Forbidden may just mean a wrong password or username. Let's try some other things.

[Screenshot 11]

So we got the token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTU5MDMyNzA4LCJleHAiOjE1NTkxMTkxMDh9.7RLcvQeBQGyDlNS85s5Wh05ltiO3OiHCUimAZvgbuPg

Let’s try decoding this:

First part:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 –> {"alg":"HS256","typ":"JWT"}

Second part: eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTU5MDMyNzA4LCJleHAiOjE1NTkxMTkxMDh9 –> {"username":"admin","iat":1559032708,"exp":1559119108}

Third part:
7RLcvQeBQGyDlNS85s5Wh05ltiO3OiHCUimAZvgbuPg –> this is the signature. The header says HS256, so it is an HMAC-SHA256 over the first two parts computed with a secret key held by the server, not something that can be decoded without that key…

Okay, we won't get much more out of decoding the token…

Now we must use this to connect to Node.js. Further reading in the article gives us two choices: CLI based and browser based. Let's try the CLI first.

[Screenshot 12]

It says "Welcome Admin", so that's already good.

Let’s try to get deeper: 10.10.10.137:3000/users

[Screenshot 13]

[{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]

Maybe we can request a single user: 10.10.10.137:3000/users/Admin

[Screenshot 14]

Admin / WX5b7)>/rp$U)FW

Get all the other passwords too:

Derry / rZ86wwLvx7jUxtch

Yuri / bet@tester87

Dory / 5y:!xa=ybfe)/QD

Awesome, we got all users with all their passwords! It seems like we have found all the juicy information there was on port 3000.

Let's try to find some login forms where we can use these.

Running dirb to get them all:

[Screenshot 15]

In management we can log in using the Web Admin creds: Derry / rZ86wwLvx7jUxtch

[Screenshot 16]

Let's look around here.

[Screenshot 17]

Here we see another set of creds.

Root / KpMasng6S5EtTy9Z

When we scroll down we see it's for the Ajenti portal on port 8000.

[Screenshot 18]

Let's try that.

[Screenshot 19]

So it seems we are in the admin panel of the server now, logged in as root,

which means we should be able to get the user and root flags, I think. Let's try to find user first using the file manager:

/home/Derry/user.txt

We open the file by clicking "Edit" and we get this:

[Screenshot 21]

58d441e500e8941f9cf3baa499e2e4da

Found root too.

[Screenshot 22]

8448343028fadde1e2a1b0a44d01e650