HTB Valentine Write-up
みなさん、こんにちは!
So, I managed to solve the retired Valentine box from Hack the Box and decided to write a write-up about. You can always return to your write up if you forget something, its like a notes taking! Lets begin!
Abstract
The box teaches us how to detect and exploit the “Heartbleed” vulnerability which is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. More on that on this site. We get a weired looking hex string which actually is the id_rsa private key, converting it to ASCII and giving it necessary permissions, we try to login as user “hype” but get a password prompt on the private key. Exploiting the heartbleed vulnerability gives us sensitive password of the id_rsa. We log in successfully. After logging in, we see root is running tmux process on a definite binary. Simply exploiting that suid vulnerability gives us root.
Enumeration
As always we start with an nmap scan.
I first do a detailed scan :
nmap -v -sV -sC -T4 10.10.10.79
Nmap returned port 22, 80 and 443 open.
Then I ran a full port scan but this time without the default scripts. I did this because running default scripts and a full port scan would be very very slow. We can simply see what ports are open then use nmap to enumerate each port individually. You can find more such tricks here.
Here is the result of full port scan:
Looks like no other ports are open.
Port 80:
It says Apache is running on port 80 so lets go visit it. Also lets check if its php or not. This can be done by just typing <website.name>/html.php. If it return valid response then it is running php. This is a vital piece of information.
Also while we manually look at the website, lets brute force directories
Personally I prefer gobuster for directories and wfuzz for special files
Visiting the website we got this:
I attempted path traversal vulnerability but to no avail.
Moving on to gobuster and wfuzz:
A wild ‘dev’ appeared!!!!
Lets go on to that directory!
Honestly, notes.txt did not make much sense. But hype_key did!
we get a weird hex encoded string here. I had a big hunch that this is going to be an RSA private key. I converted first 7 characters and yes, it was the RSA file! Lets omit those spaces and use this to convert it to the RSA file!
Here is the original private key!
Lets try to login with it on the box using ssh. (remember to do chmod 600)
ssh -i id_rsa hype@10.10.10.79
But it asked for the rsa key password!
This is weird! I did not set any password for it! I tried to open the file and sure enough it wanted password. Then I realised that the user “hype” set up the password. So although you have the id_rsa key you won’t be able to login until you have the passphrase.
Port 443
Nmap retunrned the following for port 443:
Its running SSL. So lets just enumerate it with the nmap heartbleed script
nmap -v — script ssl-heartbleed 10.10.10.79 -p 443
SSL on port 443 is vulnerable to heartbleed vulnerability. So lets exploit it!
lets use that python script to see if we can have access to sensitive data behind the SSL.
Running the script we get a base64 string.
Decoding it:
Looks like we have he password.
Testing it against the id_rsa worked so lets go ahead and login via ssh
Exploitation
Login via ssh:
Cool, we are inside!
Escalation
Firstly lets look for SUID binaries;
Nothing that interesting. Lets check running processes
An interesting process is being run as root :
it seems tmux is running on /.dev/dev_sess. Theoretically if we just issue this command we will get root within the tmux
First lets see if we can use tmux within the box:
Looks like it is so lets issue the command:
STARBURST STREAM!!!!
Nice! We are root on tmux!
Conclusion
According to TJ Null this was an OSCP type box which is actually perfect for learning and trying out different things without getting into too many technical difficulties.
