Luanne Box Writeup Walkthrough Htb Hackthebox – [HTB] – HackTheBox
This article shows how to hack the Luanne box and obtain both user.txt and root.txt.
Introduction
Luanne is a machine on HackTheBox.
Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.
This article will show how to hack the Luanne box and get user.txt and root.txt.
Enumeration
First, I used Nmap to scan for open ports. As we can see, the open ports are 22, 80, and 9001.
Then, navigate to the following URL. Observe that I obtained an endpoint.
http://10.129.121.38/robots.txt
Hack Luanne Box
Obtain User.txt
The city parameter is vulnerable to command injection. I can simply execute an OS command by navigating to the following URL.
For example:
Because the OS is not a standard Linux OS, only limited commands are available. I then found the location of the “python” application by using the “find” command.
Then, I created a Python reverse shell and hosted an HTTP server locally.
Download the reverse shell to /tmp folder by navigating to the following URL:
Finally, I gained a reverse shell by navigating to the following URL.
Execute the following command to obtain open ports. Observe that port 3001 is open locally.
There is also a .htpasswd file.
After cracking the .htpasswd file, I gained the following credential:
Username: webapi_user
Password: iamthebest
Execute the following command to visit the website hosted on port 3001:
Observe that the server is running bozohttpd as shown in the screenshot below:
According to this article, there are several vulnerabilities in this application (CVE-2010-2320, CVE-2010-2195). Attackers are able to visit a user’s home folder by providing a “~”.
I attempted to access the r.michaels home folder by executing the following command.
Observe the successful access, as shown in the screenshot below:
Download the id_rsa file, and then log in as the r.michaels user.
I then obtained the user.txt file.
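A defender-side check for the two request patterns this section relies on (a `city` value that carries more than a city name, and a `~user` path on bozohttpd), written as an added example and not taken from the original write-up. The access-log format, the `/api/example` path and every sample line are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request field of a common/combined-format access-log line (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Allowlist for a city name: letters, spaces, dots and hyphens, max 64 chars.
CITY_OK = re.compile(r"[A-Za-z][A-Za-z .\-]{0,63}")

# Constructed sample lines; /api/example is a hypothetical path.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2021:10:00:00 +0000] "GET /api/example?city=New+York HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2021:10:00:05 +0000] "GET /api/example?city=London%27%29%3Bx HTTP/1.1" 500 87',
    '127.0.0.1 - webapi_user [01/Jan/2021:10:02:00 +0000] "GET /~r.michaels/ HTTP/1.1" 200 601',
    '127.0.0.1 - webapi_user [01/Jan/2021:10:02:09 +0000] "GET /%7Er.michaels/id_rsa HTTP/1.1" 200 2610',
]


def classify(line):
    """Return the list of findings for one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return ["unparsed"]
    parts = urlsplit(match.group("target"))
    findings = []
    # parse_qs percent-decodes values, so encoded metacharacters are seen too.
    cities = parse_qs(parts.query, keep_blank_values=True).get("city", [])
    if any(not CITY_OK.fullmatch(value) for value in cities):
        findings.append("city-not-allowlisted")
    # Per-user directories are requested as /~user/...; decode %7E first.
    if any(seg.startswith("~") for seg in unquote(parts.path).split("/")):
        findings.append("tilde-home-path")
    return findings


def scan(lines):
    """Map line index -> findings, keeping only lines that raised something."""
    results = {}
    for index, line in enumerate(lines):
        findings = classify(line)
        if findings:
            results[index] = findings
    return results


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOG).items():
        print(index, ",".join(findings), SAMPLE_LOG[index])
```

The same allowlist belongs in the request handler itself, so a rejected `city` value never reaches the code that builds an OS command.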
Obtain Root.txt
After enumeration, I obtained a backup file: /home/r.michaels/backups/devel_backup-2020-09-16.tar.gz.enc
I attempted to decrypt it with OpenSSL, but it did not work. Then, I used the following command to decrypt it:
Observe that it decrypted successfully, as shown in the screenshot below:
Then, I identified another .htpasswd file in the tar file.
After cracking the hash, I obtained another credential:
Username: webapi_user
Password: littlebear
Check the doas configuration, and observe that the current user is able to run commands as root.
Then, use the above credential and execute the following command to switch to the root user.