Luanne - Hack The Box

cY83rR0H1t
4 min readMay 22, 2022

Summary

Luanne was the first NetBSD box on Hack The Box. Fuzzing the web server led us to a Lua code injection that gave us a shell. From there we recover credentials for a second web server listening on localhost, find an SSH private key hosted on it and use it to log in as the second user, r.michaels. For privilege escalation, r.michaels can use netpgp to decrypt an encrypted tar backup; it contains his own password, and doas then lets him run commands as root.

Scanning and Enumeration

Only 3 ports are open.

Browsing to port 80 prompts for a username and password.

robots.txt reveals the /weather directory.

But /weather itself is not accessible.

Enumerating further with ffuf, we found the forecast directory underneath it.

Visiting http://10.10.10.218/weather/forecast returns a raw JSON payload with a message that a city is required, and a hint on how to list them:

You can list the city names http://10.10.10.218/weather/forecast?city=list

Lua code injection

To test for code injection we sent a single quote as the city parameter:

#Command
$ curl -s "http://10.10.10.218/weather/forecast?city='"

Error:
<br>Lua error: /usr/local/webapi/weather.lua:49: attempt to call a nil value

The unhandled Lua error, complete with the script path and line number, shows that the stray quote broke Lua code the parameter is spliced into on the server: the value is not being treated as plain data, which is exactly what injection needs.

We intercepted the request in Burp Suite and modified the city parameter, injecting a one-liner reverse shell. The shell command was base64-encoded so that its quotes and special characters would not break the Lua syntax again.

We got a reverse shell, but the user it runs as cannot read the user flag.

In the home directory of the user we landed as, we found a .htpasswd file.

I cracked the hash on a Windows machine; the password is iamthebest.

Listing /home shows that the other user on the box is r.michaels.

Running ps from the shell shows an interesting line: r.michaels is running his own instance of /usr/libexec/httpd (NetBSD's bozohttpd) with the following arguments, which tells us a second web server is listening on port 3001:

r.michaels   185  0.0  0.0  34996  2000 ?     Is   Sat06PM 0:00.02 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3001 -L weather /home/r.michaels/devel/webapi/weather.lua -P /var/run/httpd_devel.pid -U r.michaels -b /home/r.michaels/devel/www

Reading the flags with bozohttpd's man page: -i 127.0.0.1 -I 3001 binds it to localhost only, -L weather ... maps the /weather prefix to a development copy of the Lua script, -U r.michaels drops privileges to that user, -X enables directory indexing, -b runs it as a daemon with /home/r.michaels/devel/www as the document root, and -u enables /~user/ URLs, which are served from that user's public_html directory. That last flag is what makes files under r.michaels's home reachable through this server.

To confirm that something is listening on port 3001, we ran netstat -an, which shows the listener on 127.0.0.1:3001.

Using curl against 127.0.0.1:3001 with the cracked credentials, we retrieved r.michaels's SSH private key.

We saved the key as id_rsa and set its permissions to 600 (chmod 600 id_rsa), which ssh requires before it will use a private key.

#Command
$ ssh -i id_rsa r.michaels@10.10.10.218

We successfully got ssh login and the user flag.

Privilege Escalation

We found an interesting file, devel_backup-2020-09-16.tar.gz.enc, in the backups directory under r.michaels's home.

After some searching, I found that the .enc file is PGP-encrypted and that NetBSD ships netpgp, which can decrypt it. netpgp --decrypt uses the secret key in the invoking user's ~/.netpgp keyring, so it has to be run as r.michaels, whose keyring holds the matching key.

Command:
$ netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc --output=/tmp/devel_backup-2020-09-16.tar.gz

reference: https://man.netbsd.org/netpgp.1

Extracting the decrypted tarball gives another .htpasswd file.

Its hash is different from the first one.

Cracking it on the Windows machine yields the password littlebear.
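Both .htpasswd hashes in this writeup (the web server's, which cracked to iamthebest, and the backup's, which cracked to littlebear) were cracked offline on a separate machine with a dictionary attack. The script below is an added example, not code from the original post, showing what that attack does. It assumes the hashes are in md5crypt format ("$1$salt$hash", one of the formats NetBSD's crypt(3), and therefore bozohttpd's .htpasswd check, accepts; the post does not show the real hashes), reimplements the FreeBSD md5crypt algorithm with only the standard library, and runs a wordlist against a .htpasswd file. The .htpasswd line, its username and salt, and the wordlist are all constructed for the example.

```python
"""Offline dictionary attack on a .htpasswd file with md5crypt hashes.

Added example for this writeup (not the post's own code). Assumes the
hashes are crypt(3) md5crypt strings of the form $1$<salt>$<hash>; the
sample .htpasswd content and wordlist below are constructed here.
"""
import hashlib
import hmac
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """crypt(3)'s own base64 variant: `count` chars, low 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """FreeBSD md5crypt: returns '$1$' + salt + '$' + 22-char hash."""
    salt = salt[:8]  # md5crypt uses at most 8 salt bytes
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:  # mix in the alternate digest, password-length bytes of it
        ctx.update(alt[: min(16, plen)])
        plen -= 16
    plen = len(password)
    while plen:  # one byte per bit of the password length
        ctx.update(b"\x00" if plen & 1 else password[:1])
        plen >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return (MAGIC + salt).decode() + "$" + encoded


def parse_htpasswd(text: str) -> dict:
    """Map user -> hash from .htpasswd text, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hashed = line.split(":", 1)
        entries[user] = hashed
    return entries


def crack(hashed: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the wordlist entry whose md5crypt equals `hashed`, else None."""
    if not hashed.startswith("$1$"):
        raise ValueError("not an md5crypt hash: " + hashed[:3])
    salt = hashed.split("$")[2].encode()  # reuse the salt stored in the hash
    for word in wordlist:
        if hmac.compare_digest(md5crypt(word.encode(), salt), hashed):
            return word
    return None


def crack_file(text: str, wordlist: Iterable[str]) -> dict:
    """Crack every entry of a .htpasswd file; uncracked users map to None."""
    words = list(wordlist)
    return {user: crack(h, words) for user, h in parse_htpasswd(text).items()}


# Constructed sample: a hypothetical user whose password is the one from the
# post, hashed here with a made-up salt (the real hash is not on the page).
SAMPLE_HTPASSWD = "# constructed for this example\n" + "user:" + md5crypt(b"iamthebest", b"Wr1tEuPs") + "\n"
WORDLIST = ["password", "123456", "letmein", "iamthebest", "littlebear"]

if __name__ == "__main__":
    for user, pw in crack_file(SAMPLE_HTPASSWD, WORDLIST).items():
        print(f"{user}: {pw if pw else '<not in wordlist>'}")
```

A pure-Python loop is slow (1000 MD5 rounds per guess), which is why real cracking is done with hashcat or John the Ripper on a faster machine, as in the writeup; the logic is the same, and hashcat mode 500 is the md5crypt mode.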

NetBSD does not ship sudo, so it cannot be used to switch users; the equivalent is doas, whose rules live in /etc/doas.conf. That file says which users may run which commands as whom, so it is worth checking that r.michaels is permitted before trying.

We ran doas and supplied the password we cracked (littlebear):

#Command
$ doas -u root /bin/sh

Thanks for reading.
Hack The Box Profile: https://www.hackthebox.eu/profile/116842


cY83rR0H1t

MSc CyberSecurity |Cybersecurity researcher | OSCP | CRTO | CRTP |eCPPTv2 | eJPT | Hack The Box player | CTF player |