Introduction
In this walkthrough, we demonstrated common vulnerabilities in Lua programming including code injection, and performed a practical scenario using HackTheBox Luanne Machine.
What is Lua programming?
Lua is a powerful, efficient, lightweight, embeddable scripting language. It supports procedural programming, object-oriented programming, functional programming, data-driven programming, and data description.
Lua combines simple procedural syntax with powerful data description constructs based on associative arrays and extensible semantics. Lua is dynamically typed, runs by interpreting bytecode with a register-based virtual machine, and has automatic memory management with incremental garbage collection, making it ideal for configuration, scripting, and rapid prototyping.
Source: https://www.lua.org/about.html
Common Lua Vulnerabilities
When I’m looking at a web app that uses Lua, there are a few key vulnerabilities I always check for:
- Cross-Site Scripting (XSS): This is a classic web vulnerability. In Lua, it can happen when user input is directly printed to the screen without being properly cleaned. For example, if a website takes a parameter from the URL and displays it on the page, I can try to inject a script tag to see if it executes.
- SQL Injection: If the application is using Lua to connect to a database, there’s a chance it could be vulnerable to SQL injection. This happens when user input is directly added to a SQL query. By carefully crafting my input, I can try to run my own SQL commands.
- Local File Inclusion (LFI): This is a serious vulnerability that can allow me to read sensitive files on the server. In Lua, I can sometimes use a null byte (
\0) to trick the application into ignoring the intended file extension and letting me access files like/etc/passwd. - Code Injection: This is the most dangerous of the bunch. If the application uses the
loadstringfunction without properly sanitizing user input, I can potentially execute my own Lua code or even system commands. This is exactly what I’ll be demonstrating in the practical part of this video.
Hacking “Bluewhale”
Now for the fun part! I started by scanning the “Bluewhale” machine and found a web server running on port 80. After a bit of directory searching, I discovered a /forecast page that took a city parameter.
When I tried to mess with the city parameter by adding a single quote, I got a Lua error. This was a huge clue that the application might be vulnerable to code injection. After trying a few other things, I was able to confirm the vulnerability by using the os.execute function to run the id command.
From there, it was just a matter of crafting a reverse shell payload, URL encoding it, and setting up a listener on my machine. And just like that, I had a shell on the box!
After getting the initial shell, I did some more digging and found a password hash, which I cracked to get the password “iamthebest”. I used these credentials to access another service running on the machine and eventually found an SSH private key for the user r.michaels.
Finally, I was able to escalate my privileges to root by finding another password (“littlebeard”) and using it to switch to the root user.
Technical Commands Used
Here are some of the key commands I used in the terminal during this penetration test:
nmap: To scan the target machine for open ports.dirb: To find hidden directories on the web server.Bashdirb http://10.10.10.218 /usr/share/wordlists/dirb/common.txtcurl: To interact with the web server from the command line.ssh: To connect to the target machine using a private key.Bashssh -i id_rsa r.michaels@10.10.10.218gpg: To decrypt a GPG-encrypted file.Bashgpg --output /tmp/lua --decrypt backup.gpgtar: To extract a tar archive.Bashtar -xzf lua.tarsu root: To switch to the root user.
Video Walkthrough
