In this post, i would like to share walkthrough on Luanne Machine.
This room is been considered difficulty rated as Easy machine
Once we have started the VPN connection, we can start information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN
Let’s open the browser and straight into the website interface.
We have been asked to key-in the password to see what is stored inside.
When I key-in the wrong credentials, the website has directed me to an unauthorized page which also provides information on 127.0.0.1:3000 at the bottom.
Let’s see the robots.txt file that mostly all the websites should provide.
Let’s go to the /weather/ directory which robots.txt informs us that the directory is been disallowed. We found a “Not Found” page which is very disappointing for me.
From the output that we see, i can presume that city=list is a thing so let’s try to check the location
Gaining Access to Luanne
We might be able to use the information that we got here to our advantage.
Firstly, we can start the nc listener so that we can retrieve the reverse shell connection back to us.
From my observation of the web interface, I notice that the system is using lua service, and let’s exploit that to take advantage of lua
From the finding that i found, we need to encode the command into base64
Now, we have a connection back and sadly we cannot upgrade the shell. As a result, we will have to use the basic and simple shell for this machine.
From the output above, we know that we are in _httpd privileges access.
Let’s see on the current directory if there’s anything that we can use later. I did notice that .htpasswd is saved there.
So, let’s see the content of the file
We know that the password has been hashed into md5crypt. For us to get the password, we need to decrypt it with john the ripper
I got the password but don’t know where the password can be used into.
Let’s try it on the website itself and see if it works like charms!
Wuhuu, it works! However, there’s nothing that we can use for further exploitation.
Obtaining the shell on the Luanne Machine
Let’s see any users that we can use for privilege escalation. I notice that r.michaels is there in the user list.
So, let’s access the r.michaels directory to get the user flag (if it’s stored there)
Sadly, we cannot access the r.michaels directory at all. I was shocked and lost for a moment there.
After thinking a while and looking back at the Nmap result, there’s ssh service open on the machine and let’s get the ssh id_rsa key that we might be able to use.
I try to get the id_rsa on the attacker’s machine but the progress is a failure. Let’s try the same command on the target’s machine and if that doesn’t work, I need to think of another way to penetrate the machine
Maintaining Access to Luanne machine
Luckily for me, the command work on the target’s machine. We need to copy and paste the id_rsa into my attacker’s machine so that we can ssh into the machine via id_rsa
Once we completed the copy-paste activity, we need to give permission to the id_rsa by executing chmod 600 id_rsa
SSH access to the Luanne Machine
We have successfully accessed the machine using the id_rsa that we retrieve just now.
Let’s see on the current directory if there’s anything that we can use later.
We found the user flag over here and slap the flag into the “Submit the flag” Button
Let’s find anything that we can use to get root privileges and access
Escalate to Root Privileges Access on Machine
There’s nothing that we can use here.
How stupid of me not to be aware of the backup folder that resides in the /home/r.michaels/
Now, let’s retrieve back the backups that have been saved there.
Before that, i make some research on any tools that help us with this
The information gathering process (research) have taken around 2 hours that lead to netpgp tools
Any further information on netpgp can be found here
From the information that shown on the website, we can use the command netpgp –decrypt devel_backup-2020-09-16.tar.gz.enc –output=/tmp/devel_backup-2020-09-16.tar.gz
I have successfully restored the backup, but it only appears for a few minutes due to backup activity.
We need to extract the backup and find the next hashes within those files to escalate to the root
I found another .htpasswd file in the backup folder.
We got second hashes to crack
I have found a dead-end when trying to crack the hashes. For a sanity check, i must ask around about the hashes or tricks to pass the cracking process.
I got help from fmlbro where i receive a piece of good advice from him.
Thumbs up for that!
After a couple of hours trying to crack the hashes, i did find the password that we can use to access root. Before that, we need to execute doas -u root /bin/sh for. root privileges escalation
For us to read the root flag, we can go to /root/ directory and open the file by executing cat root.txt
Happy Learning Guys!