MACHINE IP 10.10.10.137

NMAP SCAN

so let's start our enumeration with port 80
as we are not getting any hint from there, let's try a directory search with dirsearch. you can get it from github (click to get dirsearch), and then we run dirsearch against the target,

and then we find the important results

so let's visit the sub-directories of the webpage
moving on to /config.php we find some important credentials
http://10.10.10.137/config.php
$dbHost = 'localhost';
$dbUsername = 'root';
$dbPassword = 'Zk6heYCyv6ZE9Xcg';
$db = "login";
$conn = new mysqli($dbHost, $dbUsername, $dbPassword, $db) or die("Connect failed: %s\n" . $conn->error);
here we find useful credentials for the root user
so let's see where we can use them,
with dirsearch we find authentication pages at
/management , /login.php , /member
but the credentials we got from config.php don't work here
so let's look at the nmap scan once again
here we see that there are 2 more ports
8000/tcp open http Ajenti http control panel
3000/tcp open http Node.js Express framework
so let's move to those ports
first port 8000, the Ajenti control panel, but sadly our credentials don't work there either, so moving further let's check what port 3000 holds

here it says that we have to authenticate
so let's see how we can generate a token for that. i had taken help from a blog (click to get to blog), and there we see that we can generate the token with a curl command, so let's see how we make our way to our own token. from that blog we learn that the login takes a username and a password, so let's try the config.php creds in the curl command
curl --header "Content-Type: application/json" \
--request POST \
--data '{"password":"Zk6heYCyv6ZE9Xcg", "username":"root"}' \
http://10.10.10.137:3000/login

so again the creds haven't worked here either, so what if we change the username to admin or user instead of root? let's see what we get with that
BINGO

we got the token :P
so let's see how the token can help us get information. following the blog we run
curl -X GET \
-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTYxMzU2NzI0LCJleHAiOjE1NjE0NDMxMjR9.YFKaWwe1lmM1Mgm0KD_bZDGXV1iP2OL9n425PhoLuek' \
http://10.10.10.137:3000

here we see that we are authenticated now
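Added example, not part of the original writeup: the bearer token above is a JWT, and its header and payload are only base64url-encoded, not encrypted, so anyone holding the token can read the claims. This decoder (written for this page, using the token copied from the writeup) shows what the API put in it: the account name and a 24-hour lifetime, which is how long a leaked token stays replayable.

```javascript
// Decode the header and payload of a JWT without verifying the signature.
// Reading claims needs no secret; only verification does, so never treat
// anything in the payload as confidential.

// Token copied from the writeup above (the first one issued for "admin").
const TOKEN = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
  + 'eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTYxMzU2NzI0LCJleHAiOjE1NjE0NDMxMjR9.'
  + 'YFKaWwe1lmM1Mgm0KD_bZDGXV1iP2OL9n425PhoLuek';

function base64UrlDecode(segment) {
  // JWT uses base64url (RFC 4648 section 5): '-' and '_' instead of
  // '+' and '/', and the '=' padding is dropped. Restore standard base64.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  return Buffer.from(b64, 'base64').toString('utf8');
}

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact-serialised token');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
    signature: parts[2], // left encoded; we cannot check it without the key
  };
}

// Token lifetime in hours, from the registered "iat" and "exp" claims.
function lifetimeHours(payload) {
  return (payload.exp - payload.iat) / 3600;
}

// True once the current time (Unix seconds) reaches "exp".
function isExpired(payload, nowSeconds) {
  return typeof payload.exp === 'number' && nowSeconds >= payload.exp;
}

const { header, payload } = decodeJwt(TOKEN);
console.log('header :', header);
console.log('payload:', payload);
console.log('lifetime (h):', lifetimeHours(payload));
console.log('expired now? ', isExpired(payload, Math.floor(Date.now() / 1000)));
```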
so let's see what port 3000 holds, again using dirsearch at http://10.10.10.137:3000

so let's try our curl command on /users
curl -X GET \
-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTYxMzU3Nzk4LCJleHAiOjE1NjE0NDQxOTh9.QJiXAw8mf4jNYTYTUEX4KsIX5uPn0K4huIFmAezamEw' \
http://10.10.10.137:3000/users
we get the output as

so let's try to move inside that directory and see what it holds for admin, yuri and Derry
curl -X GET \
-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTYxMzU3Nzk4LCJleHAiOjE1NjE0NDQxOTh9.QJiXAw8mf4jNYTYTUEX4KsIX5uPn0K4huIFmAezamEw' \
http://10.10.10.137:3000/users/admin

like this we can also get the passwords of the other users, all we have to do is change admin to /derry or /yuri and we get their passwords too....

now let's see where we can use them. it's time to revisit the authentication pages, so let's try them all one by one
first let's start with
http://10.10.10.137/management where we used the derry user and password because he's the Web Admin: username derry, password rZ86wwLvx7jUxtch

moving ahead with config.php there, we again find a user and password, but this time we get 2 users (root, Administrator) and 1 password (KpMasng6S5EtTy9Z)

so let's try these credentials at port 8000
after logging in select
FILE MANAGER > HOME > DERRY > USER.TXT (select the edit option and you will get the hash)
and for root.txt
FILE MANAGER > ROOT > ROOT.TXT (select the edit option and you will get the hash)
Thank you :P