Posts Hack The Box: Valentine write-up
Post
Cancel

Hack The Box: Valentine write-up

Hack The Box: Valentine machine write-up

The following box was fairly easy so this will be a short write-up. Ip address of the machine: 10.10.10.79.

Enumeration

First of all, I run nmap to see services running:

1
$ nmap -sC -sV -oA nmap/initial 10.10.10.79

I get the following output:

Result of nmap scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# Nmap 7.01 scan initiated Fri Jul  6 18:48:57 2018 as: nmap -sC -sV -oA nmap/initial 10.10.10.79
Nmap scan report for 10.10.10.79
Host is up (0.054s latency).
Not shown: 991 closed ports
PORT      STATE    SERVICE       VERSION
22/tcp    open     tcpwrapped
80/tcp    open     http          Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp   open     ssl/http      Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after:  2019-02-06T00:45:25
|_ssl-date: 2018-07-06T16:49:27+00:00; 0s from scanner time.
1594/tcp  filtered sixtrak
3268/tcp  filtered globalcatLDAP
5440/tcp  filtered unknown
9877/tcp  filtered unknown
49155/tcp filtered unknown
49156/tcp filtered unknown

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul  6 18:49:33 2018 -- 1 IP address (1 host up) scanned in 35.44 seconds

So I head over port 80 and check the webpage, but it’s only an image.

Image served on port 80

Img

I checked exif, strings and binwalk to check if there was anything on it but no success. So then I start DirBuster.

Result of DirBuster scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Fri Jul 06 14:58:12 PDT 2018
--------------------------------

http://10.10.10.79:80
--------------------------------
Directories found during testing:

Dirs found with a 200 response:

/index/
/
/dev/
/encode/
/decode/

Dirs found with a 403 response:

/cgi-bin/
/icons/
/doc/
/icons/small/


--------------------------------
Files found during testing:

Files found with a 200 responce:

/index.php
/dev/hype_key
/dev/notes.txt
/encode.php
/decode.php


--------------------------------

Something interesting. First of all, I check the dev directory. On notes.txt I discover some notes the user of the machine left:

1
2
3
4
5
6
7
8
To do:

1) Coffee.
2) Research.
3) Fix decoder/encoder before going live.
4) Make sure encoding/decoding is only done client-side.
5) Don't use the decoder/encoder until any of this is done.
6) Find a better way to take notes.

Makes sense because we found the encode and decode php scripts as well with DirBuster.

Then, I check hype_key, which turns out to be some hex characters. I decode them and obtain an RSA private key:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46

DbPrO78kegNuk1DAqlAN5jbjXv0PPsog3jdbMFS8iE9p3UOL0lF0xf7PzmrkDa8R
5y/b46+9nEpCMfTPhNuJRcW2U2gJcOFH+9RJDBC5UJMUS1/gjB/7/My00Mwx+aI6
0EI0SbOYUAV1W4EV7m96QsZjrwJvnjVafm6VsKaTPBHpugcASvMqz76W6abRZeXi
Ebw66hjFmAu4AzqcM/kigNRFPYuNiXrXs1w/deLCqCJ+Ea1T8zlas6fcmhM8A+8P
OXBKNe6l17hKaT6wFnp5eXOaUIHvHnvO6ScHVWRrZ70fcpcpimL1w13Tgdd2AiGd
pHLJpYUII5PuO6x+LS8n1r/GWMqSOEimNRD1j/59/4u3ROrTCKeo9DsTRqs2k1SH
QdWwFwaXbYyT1uxAMSl5Hq9OD5HJ8G0R6JI5RvCNUQjwx0FITjjMjnLIpxjvfq+E
p0gD0UcylKm6rCZqacwnSddHW8W3LxJmCxdxW5lt5dPjAkBYRUnl91ESCiD4Z+uC
Ol6jLFD2kaOLfuyee0fYCb7GTqOe7EmMB3fGIwSdW8OC8NWTkwpjc0ELblUa6ulO
t9grSosRTCsZd14OPts4bLspKxMMOsgnKloXvnlPOSwSpWy9Wp6y8XX8+F40rxl5
XqhDUBhyk1C3YPOiDuPOnMXaIpe1dgb0NdD1M9ZQSNULw1DHCGPP4JSSxX7BWdDK
aAnWJvFglA4oFBBVA8uAPMfV2XFQnjwUT5bPLC65tFstoRtTZ1uSruai27kxTnLQ
+wQ87lMadds1GQNeGsKSf8R/rsRKeeKcilDePCjeaLqtqxnhNoFtg0Mxt6r2gb1E
AloQ6jg5Tbj5J7quYXZPylBljNp9GVpinPc3KpHttvgbptfiWEEsZYn5yZPhUr9Q
r08pkOxArXE2dj7eX+bq65635OJ6TqHbAlTQ1Rs9PulrS7K4SLX7nY89/RZ5oSQe
2VWRyTZ1FfngJSsv9+Mfvz341lbzOIWmk7WfEcWcHc16n9V0IbSNALnjThvEcPky
e1BsfSbsf9FguUZkgHAnnfRKkGVG1OVyuwc/LVjmbhZzKwLhaZRNd8HEM86fNojP
09nVjTaYtWUXk0Si1W02wbu1NzL+1Tg9IpNyISFCFYjSqiyG+WU7IwK3YU5kp3CC
dYScz63Q2pQafxfSbuv4CMnNpdirVKEo5nRRfK/iaL3X1R3DxV8eSYFKFL6pqpuX
cY5YZJGAp+JxsnIQ9CFyxIt92frXznsjhlYa8svbVNNfk/9fyX6op24rL2DyESpY
pnsukBCFBkZHWNNyeN7b5GhTVCodHhzHVFehTuBrp+VuPqaqDvMCVe1DZCb4MjAj
Mslf+9xK+TXEL3icmIOBRdPyw6e/JlQlVRlmShFpI8eb/8VsTyJSe+b853zuV2qL
suLaBMxYKm3+zEDIDveKPNaaWZgEcqxylCC/wUyUXlMJ50Nw6JNVMM8LeCii3OEW
l0ln9L1b/NXpHjGa8WHHTjoIilB5qNUyywSeTBF2awRlXH9BrkZG4Fc4gdmW/IzT
RUgZkbMQZNIIfzj1QuilRVBm/F76Y/YMrmnM9k/1xSGIskwCUQ+95CGHJE8MkhD3
-----END RSA PRIVATE KEY-----

However, as we can see, it’s encrypted, so we will need to find a passphrase in order to decrypt it.

I tried to exploit both encode.php and decode.php but couldn’t find anything, so I decided to look back at the image. And after some googling I found that the image is a hint making a reference to the heartbleed bug.

Vulnerability

So I download a python script, ssltest.py, which should tell me whether the box is vulnerable or not.

Output of ssltest.py

Img

So once there, we fire up metasploit with msfconsole:

Img Img

And looks like we found a leak: $text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==. We decode the base64 string which becomes: heartbleedbelievethehype. I was 99% sure it was the passphrase of the RSA key, so I tried it and it worked.

Decryption of key

Img

Hence, we just have to guess the user to get ssh access to the box. Based upon the name of the key file, which was hype_key, I thought it could be hype.

SSH access with key and root hash

Img

Root

Once in, I ran the usual linenum.sh after having wget’ed it from my local machine. Interestingly, it revealed that .bash_history contained some previously typed commands, among these tmux -S /.devs/dev_sess. That command restores a previous tmux session and, unfortunately for the user of the machine, it was owned by root. So that’s how we gain a root shell.

Tmux window

Img

If we wanted an easier access, we could just type passwd to set a new root password and then just log in to root through ssh with our new password.

Diego Bernal Adelantado

This post is licensed under CC BY 4.0 by the author.