Luanne is a machine on HackTheBox.
Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.
This article will show how to hack the Luanne box and obtain user.txt and root.txt.
First, I used Nmap to scan for open ports. As we can see, the open ports are 22, 80 and 9001.
Then, navigate to the following URL. Observe that an endpoint is obtained.
Use Gobuster to enumerate the endpoint; finally, I identified a valid endpoint:
The City parameter is vulnerable to command injection. I can simply execute an OS command by navigating to the following URL.
Because the OS is not a standard Linux distribution, only a limited set of commands is available. I then found the “python” location using the find command.
Then, I created a Python reverse shell and hosted an HTTP server locally.
Download the reverse shell to the /tmp folder by navigating to the following URL.
Finally, I gained a reverse shell by navigating to the following URL.
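As an added example that is not part of the original writeup, here is the defender-side check for the command injection described above: a small Python script that parses web-server access-log lines in Common Log Format and flags requests whose city parameter carries shell metacharacters after percent-decoding. The log lines and the /app path are constructed for the example, since the post does not show the real endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); /app is an assumed path.
SAMPLE_LOG = """\
10.10.14.5 - - [16/Nov/2020:10:01:02 +0000] "GET /app?city=London HTTP/1.1" 200 512
10.10.14.5 - - [16/Nov/2020:10:01:09 +0000] "GET /app?city=London%3Bid HTTP/1.1" 500 0
10.10.14.9 - - [16/Nov/2020:10:02:00 +0000] "GET /app?city=New%20York HTTP/1.1" 200 530
10.10.14.5 - - [16/Nov/2020:10:02:41 +0000] "GET /app?city=Paris%24%28whoami%29 HTTP/1.1" 200 44
"""

# One Common Log Format entry: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that never belong in a place name.
SUSPICIOUS = re.compile(r'[;&|`$()<>\r\n]')

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs percent-decodes values, so %3B becomes ';' before inspection.
    params = parse_qs(urlsplit(m['target']).query, keep_blank_values=True)
    return {'ip': m['ip'], 'ts': m['ts'], 'status': int(m['status']), 'params': params}

def flag_injection(line, watched=('city',)):
    """Return a finding if any watched parameter contains shell metacharacters."""
    rec = parse_line(line)
    if rec is None:
        return None
    for name in watched:
        for value in rec['params'].get(name, []):
            if SUSPICIOUS.search(value):
                return {'ip': rec['ip'], 'ts': rec['ts'], 'param': name,
                        'value': value, 'status': rec['status']}
    return None

def scan_log(text, watched=('city',)):
    """Run flag_injection over every line and collect the findings."""
    return [hit for hit in (flag_injection(l, watched) for l in text.splitlines()) if hit]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['param']}={hit['value']!r} -> {hit['status']}")
```

A 500 response alongside a flagged value is a useful second signal, since the injected command often breaks the page before the attacker finds a working payload.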
Execute the following command to list open ports. Observe that port 3001 is open.
There is also a .htpasswd file.
After cracking the .htpasswd file, I gained the following credentials:
Execute the following command to visit the website on port 3001:
curl -v --user webapi_user:iamthebest http://127.0.0.1:3001/
Observe that the server is running bozohttpd, as shown in the screenshot below:
According to this article, there are several vulnerabilities in this application (CVE-2010-2320, CVE-2010-2195). Attackers are able to visit a user’s home folder by providing a “~”.
Try to access the r.michaels home folder by executing the following command.
curl -v --user webapi_user:iamthebest http://127.0.0.1:3001/~r.michaels/
Observe that it was accessed successfully, as shown in the screenshot below:
id_rsa file, and then log in as
I obtained the user.txt file.
After enumeration, I obtained a backup file: /home/r.michaels/backups/devel_backup-2020-09-16.tar.gz.enc
I tried openssl, but it did not work. Then, I used the following command to decrypt it:
netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc --output=/tmp/1.tar.gz
Observe that it decrypted successfully, as shown in the screenshot below:
Then, I identified another .htpasswd file in the tar archive.
After cracking the hash, I obtained another credential:
doas configuration, I found that the current user is able to run commands as root.
Then, using the above credential, execute the following command to switch to the root user.
doas -u root /bin/sh
There are more HackTheBox writeups.