
Hack The Box: Valentine

Difficulty: Easy

Machine Creator: mrb3n

Tools Used:
NMAP
Gobuster
Python

Network Enumeration
Let's start with a quick NMAP scan to discover open ports.

nmap -sS --min-rate 5000 --max-retries 1 -p- 10.10.10.79


The quick scan presents us with three open ports: SSH, HTTP, and HTTPS.
Since this is a CTF machine, SSH itself is unlikely to be the intended way in, so let's start with ports 80 and 443.

Web Directory Enumeration
Let’s use Gobuster to search for directories.


Gobuster discovered two directories /index and /dev.

HTTP Enumeration


Browsing port 80, we are given just an image and nothing else.

If we browse the directories from the Gobuster scan, we can see a couple of files in the dev directory.


If we open hype_key, we see something encoded in hex.


We can use an online hex decoder, which reveals a private RSA key.


Looking at the SSL certificate, it shows the name valentine.htb. Browsing to the domain name instead of the IP can sometimes make a difference because of virtual host (URL) bindings. Let's add this domain name to our hosts file, "/etc/hosts".


In this case, browsing to http://valentine.htb made no difference. However, this is still good practice.


Since the host serves TLS, let's check it for known SSL/TLS vulnerabilities. We can use Nmap's SSL scripts for this. To find them, list the Nmap scripts directory with ls and filter the output with grep.

ls /usr/share/nmap/scripts/ | grep "ssl"



After running the relevant scripts, we can see that this server is vulnerable to the Heartbleed attack:

nmap --script=ssl-heartbleed -p 443 10.10.10.79

If we look back at the image on the website, it hints at this vulnerability.

Exploitation
There is a Metasploit module for Heartbleed, but let's do this exploit manually. We can download a Python script from GitHub that exploits Heartbleed:

https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py


Running the heartbleed.py script, we can see a base64-encoded string in the output: $text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==.


I've decoded the base64 string and got 'heartbleedbelievethehype'.


Piecing everything together, let's SSH into Valentine. Using the RSA private key file "hype_key", the passphrase "heartbleedbelievethehype", and the user hype (as in hype_key), we now have user access to Valentine.

User.txt

We can read user.txt as user hype.

Privilege escalation


Using "ps aux", we can see that a tmux process is running as root. An incorrectly configured tmux socket, one that other users are allowed to connect to, is vulnerable to privilege escalation.

tmux -S /.devs/dev_sess

Connecting to the root tmux session, we now have a root terminal.
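From the defender's side, the misconfiguration above is a root-owned Unix socket that a non-owner can connect to: the socket node is group/world writable and every directory above it is traversable. The audit below is an added example, not part of the original write-up; the /.devs/dev_sess path comes from the machine, while build_demo() constructs a sample tree in a temporary directory so the check can be run offline.

```python
# Added example, not from the write-up: an audit for Unix sockets (like the root
# tmux socket /.devs/dev_sess on Valentine) that a non-owner can connect to.
import os
import socket
import stat
import tempfile

NON_OWNER_W = stat.S_IWGRP | stat.S_IWOTH  # connect() needs write on the node
NON_OWNER_X = stat.S_IXGRP | stat.S_IXOTH  # and search on every parent dir

def is_exposed(path, trust_above=None):
    """True if a non-owner can connect to the socket at path (dirs at/above trust_above assumed traversable)."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix socket")
    if not st.st_mode & NON_OWNER_W:
        return False  # the socket node itself is locked to its owner
    d = os.path.dirname(os.path.abspath(path))
    while d != trust_above:
        if not os.stat(d).st_mode & NON_OWNER_X:
            return False  # a non-traversable parent blocks the path
        if os.path.dirname(d) == d:
            break  # reached the filesystem root
        d = os.path.dirname(d)
    return True

def find_exposed_sockets(root, owner_uid=None, trust_above=None):
    """Yield exposed sockets under root; owner_uid=0 restricts to root-owned ones."""
    for dirpath, _, files in os.walk(root):
        for p in (os.path.join(dirpath, f) for f in files):
            st = os.lstat(p)
            if (stat.S_ISSOCK(st.st_mode) and owner_uid in (None, st.st_uid)
                    and is_exposed(p, trust_above)):
                yield p

def _make_socket(path, mode):
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)          # creates the socket node, as a tmux server would
    os.chmod(path, mode)  # explicit permissions, independent of umask
    s.close()             # the node stays on disk after close

def build_demo():
    """Constructed sample tree: .devs/dev_sess is exposed (Valentine's case), the other two are not."""
    base = tempfile.mkdtemp(prefix="sockaudit-")
    for sub, mode in ((".devs", 0o755), ("locked", 0o700)):
        os.mkdir(os.path.join(base, sub))
        os.chmod(os.path.join(base, sub), mode)
    _make_socket(os.path.join(base, ".devs", "dev_sess"), 0o777)    # exposed
    _make_socket(os.path.join(base, ".devs", "private"), 0o700)     # node locked
    _make_socket(os.path.join(base, "locked", "open_sess"), 0o777)  # parent locked
    return base
```

On a real host, run find_exposed_sockets("/", owner_uid=0) and treat every hit as a root session any local user can attach to; the fix is to keep such sockets mode 0700 or inside a directory only root can traverse.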

Root.txt


With a root shell, we can read root.txt.