Hello and welcome to another Hack the Box.EU challenge. Today's machine is "Valentine", which has the Heartbleed bug. I thought I'd post a writeup of how I got to root on this box. So let's get started.
OS: Linux
IP: 10.10.10.79
Enumeration:
We start off by running an nmap scan, which reveals ports 22, 80 and 443 open.
I visited the website on both ports (firefox 10.10.10.79:80 and firefox 10.10.10.79:443), but both returned a homepage with no hyperlinks. The HTML source was a dead end as well.
I ran gobuster against both web ports; port 443 yielded a /dev directory, which seemed interesting, while port 80 yielded nothing.
Since port 443 is open, I did more enumeration with sslscan, which reported a canonical name (valentine.htb) and that the machine is vulnerable to Heartbleed. Nmap reports the same (nmap -p 443 --script ssl-heartbleed 10.10.10.79). You can read more about how the server answers a client heartbeat request, and why that makes Heartbleed exploitable, at heartbleed.com.
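As an added illustration (my own code, not part of the original writeup and not the exploit script used later), here is a small Python parser for TLS heartbeat records that applies the bounds check the OpenSSL fix introduced: the declared payload_length, plus the type byte, the length field and the 16 bytes of minimum padding, must fit inside the record actually received. The sample records are constructed here; classify_record can be run over captured heartbeat records as a simple detector for malformed requests.

```python
import struct

TLS_HEARTBEAT_CONTENT_TYPE = 0x18  # content type 24 (RFC 6520)
HEARTBEAT_REQUEST = 0x01
HEARTBEAT_RESPONSE = 0x02
MIN_PADDING = 16  # RFC 6520: every heartbeat carries at least 16 padding bytes


def make_record(content_type, version, fragment):
    """Wrap a fragment in a TLS record header: type (1), version (2), length (2)."""
    return struct.pack("!BHH", content_type, version, len(fragment)) + fragment


def parse_tls_record(data):
    """Split raw bytes into (content_type, version, fragment), rejecting truncation."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record length field exceeds the bytes actually received")
    return content_type, version, fragment


def check_heartbeat(fragment):
    """Validate a heartbeat message and return its payload.

    An unpatched server trusted payload_length and copied that many bytes
    from memory into its response. The patched check below refuses any
    message whose type, length field, payload and minimum padding do not
    fit in the bytes actually received.
    """
    if len(fragment) < 3:
        raise ValueError("heartbeat shorter than type + payload_length")
    hb_type = fragment[0]
    (payload_length,) = struct.unpack("!H", fragment[1:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError(f"unknown heartbeat type {hb_type}")
    if 1 + 2 + payload_length + MIN_PADDING > len(fragment):
        raise ValueError(
            f"declared payload_length {payload_length} does not fit in a "
            f"{len(fragment)}-byte heartbeat")
    return fragment[3:3 + payload_length]


def classify_record(data):
    """Detection helper: label a record as other / heartbeat-ok / heartbeat-malformed."""
    content_type, _version, fragment = parse_tls_record(data)
    if content_type != TLS_HEARTBEAT_CONTENT_TYPE:
        return "other"
    try:
        check_heartbeat(fragment)
    except ValueError:
        return "heartbeat-malformed"
    return "heartbeat-ok"


# Constructed sample records (version bytes 0x0302 = TLS 1.1).
BENIGN = make_record(
    TLS_HEARTBEAT_CONTENT_TYPE, 0x0302,
    bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * MIN_PADDING)
# Declares 16384 payload bytes but carries none: the shape a patched server rejects.
OVERSIZED = make_record(
    TLS_HEARTBEAT_CONTENT_TYPE, 0x0302,
    bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0x4000))
# A non-heartbeat record (handshake, content type 22) for contrast.
HANDSHAKE = make_record(0x16, 0x0302, b"\x01\x00\x00\x00")

if __name__ == "__main__":
    for label, rec in (("benign", BENIGN), ("oversized", OVERSIZED), ("handshake", HANDSHAKE)):
        print(f"{label}: {classify_record(rec)}")
```

The benign record is accepted because 1 + 2 + 4 + 16 equals its 23-byte length exactly; the oversized one is rejected because its declared length can never be satisfied by a 3-byte fragment.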
Visiting the /dev directory, I find two files: hype_key and notes.txt. Opening them reveals a hex-encoded RSA key (the filename hype_key suggests the username hype) and some notes, respectively.
Burp Suite's Decoder can also be used to decode the hex above into plain text and confirm that it is an RSA private key. We strip the spacing with sed and set the key file's permissions with chmod 600 hype_key (ssh refuses to use a private key that other users can read).
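An added Python example (my own code, not part of the writeup and unrelated to Burp's Decoder) that does the same steps end to end: strip the whitespace, decode the hex, sanity-check that the result is PEM private-key material, and create the file with mode 0600 from the start rather than chmod-ing it afterwards. The hex dump below is a constructed placeholder with a dummy body, not the key from the box.

```python
import os
import stat
import tempfile

# Constructed sample: a hex dump of a PEM private key, carrying the kind of
# spaces and line breaks a copy from a web page picks up. The body line is
# a placeholder, not real key material.
SAMPLE_HEX = """
2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a
54 55 6c 4a 0a
2d 2d 2d 2d 2d 45 4e 44 20 52 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a
"""


def decode_hex_dump(hex_text):
    """Drop all whitespace (spaces, newlines) and decode the remaining hex digits."""
    return bytes.fromhex("".join(hex_text.split()))


def looks_like_pem_private_key(data):
    """Cheap sanity check: PEM armour with a PRIVATE KEY label on both ends."""
    text = data.decode("ascii", errors="replace").strip()
    lines = text.splitlines()
    return (len(lines) >= 2
            and lines[0].startswith("-----BEGIN") and lines[0].endswith("PRIVATE KEY-----")
            and lines[-1].startswith("-----END") and lines[-1].endswith("PRIVATE KEY-----"))


def write_private_key(path, data):
    """Create the key file owner-read/write only and return its final mode bits.

    The mode is passed to os.open so the file never exists with wider
    permissions; chmod is applied afterwards in case the umask or a
    pre-existing file left it more open than 0600.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Decode the sample, check it, write it to a temp dir, and report (ok, mode)."""
    key = decode_hex_dump(SAMPLE_HEX)
    ok = looks_like_pem_private_key(key)
    with tempfile.TemporaryDirectory() as tmp:
        mode = write_private_key(os.path.join(tmp, "hype_key"), key)
    return ok, mode


if __name__ == "__main__":
    ok, mode = demo()
    print(f"pem private key: {ok}, file mode: {oct(mode)}")
```

The check is deliberately shallow (it only inspects the PEM armour); loading the key with ssh-keygen -y or a crypto library is the authoritative test, and it will also tell you whether a passphrase is required.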
Exploitation:
We run searchsploit for Heartbleed in Kali and get a couple of exploits; we choose the memory disclosure one.
We run the 32764.py exploit and see a fragment of an HTTP request to decode.php. Its text parameter contains a base64-encoded string which decodes to the password "heartbleedbelievethehype". This could be the passphrase to use in conjunction with the SSH key.
We use this key, with that passphrase, to SSH into Valentine as hype.
Privilege Escalation:
We run LinEnum.sh and spot an interesting running process, which also appears in the bash history: /usr/bin/tmux -S /.devs/dev_sess. Googling tmux with the -S flag shows that you can connect to that socket file and get an interactive shell in the existing session. We run tmux -S /.devs/dev_sess to attach to that session, and get root and the root flag!
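To turn this finding into a check a defender can run, here is an added Python audit (my own code, not part of the original writeup) that walks a directory tree, lists every UNIX socket it finds, and flags those another user could connect to: on Linux, connect() on a UNIX socket needs write permission on the socket file, so a root-owned tmux server socket that is group- or world-writable is exactly what this reports. The demo builds a throwaway .devs/dev_sess layout in a temp directory; nothing on the box itself is touched.

```python
import os
import pwd
import socket
import stat
import tempfile


def audit_unix_sockets(root_dir):
    """Walk root_dir and describe every UNIX socket found under it.

    A socket that group or other can write to is connectable by those users,
    which for a tmux/screen server socket means attaching to the owner's
    session with the owner's privileges.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:  # os.walk lists sockets among the non-directory entries
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISSOCK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                owner = str(st.st_uid)
            findings.append({
                "path": path,
                "owner": owner,
                "mode": oct(mode),
                "writable_by_group_or_other": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
            })
    return findings


def _make_socket(path, mode):
    """Constructed test fixture: bind a UNIX socket at path and set its mode bits."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    os.chmod(path, mode)
    return s


def demo():
    """Mimic a /.devs/dev_sess layout in a temp dir and return {name: flagged}."""
    base = tempfile.mkdtemp(prefix="sockaudit-")
    devs = os.path.join(base, ".devs")
    os.mkdir(devs)
    paths = [os.path.join(devs, "dev_sess"), os.path.join(base, "private_sess")]
    held = [
        _make_socket(paths[0], 0o666),  # anyone on the host can connect
        _make_socket(paths[1], 0o600),  # owner only
    ]
    try:
        findings = audit_unix_sockets(base)
    finally:
        for s in held:
            s.close()
        for p in paths:
            os.unlink(p)
        os.rmdir(devs)
        os.rmdir(base)
    return {os.path.basename(f["path"]): f["writable_by_group_or_other"] for f in findings}


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name}: {'CONNECTABLE BY OTHERS' if flagged else 'owner only'}")
```

Pointing audit_unix_sockets at / (as root, so every directory is readable) and filtering on writable_by_group_or_other gives a quick inventory of session sockets like the one on this box; the fix on the server side is simply a 0700 directory and socket for the tmux session, which is what tmux creates by default under /tmp/tmux-UID.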
Since this is an old kernel (Ubuntu, 2012), you can also use the Dirty COW exploit to get root. Refer to the Optimum video on how to use Dirty COW.