HackTheBox - Valentine - Retired - Update

HackTheBox - Valentine - Retired - Update

Recon

I've been using threader3000 lately to do my recon scans. It does a staged scan, the first stage is a super quick up/down scan on all TCP ports. Then suggests an nmap scan based on the results of the open ports of the first scan. It also saves all the nmap scans out to a XML file which i like to convert to HTML to make it easy to read.

xsltproc ./valentine.htb/valentine.htb.xml -o ./valentine.html

Looks like we have just three open ports here.

Port Service Version 22 OpenSSH 5.9p1 80 Apache 2.2.22 443 Apache 2.2.22

And nmap thinks its a Ubuntu box.

Here is what we see on port 80

That logo is familiar….. But we will get back to that.

What about port 443?

Same thing but https….

So about that logo….

Not a whole lot of bugs get their own logo, but heartbleed does.

https://heartbleed.com/

CVE-2014-0160

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

Interesting..

Ok let's try to brute force scan the server to find any other folders or files that might be available to us.

dirb https://valentine.htb

Here is some of the output

So we have 3 new things to check out.

/dev/

/encode

/decode

Let's start with /encode.

Ok we have an input box that they will use to encode for us.. It's important here, that is says encode and encrypt…  Let's just put an "a" in there and see what happens.

a   is encoded as YQ==

I don't know about you but anytime i see a = at the end of an encoded string…. I think base64

In base64 encoding if the input is not the perfect amount of bytes it add equal signs to the end for padding.

Let's use our kali box to see if we decode YQ== as base64 if we get back an a

echo "YQ==" | base64 -d a

Yup, so this site just takes your input and base64 encodes it… what about /decode?

It does the opposite, it takes your base64 encoded data and makes it back to ascii for you.

Ok what about /dev

Two files notes.txt and hype_key

What is in notes.txt?

To do: 1) Coffee. 2) Research. 3) Fix decoder/encoder before going live. 4) Make sure encoding/decoding is only done client-side. 5) Do not use the decoder/encoder until any of this is done. 6) Find a better way to take notes.

Some notes from the dev on what to fix. Okay what about the hype_key...

Looks like a bunch of hex.

Let's try and see if we can convert this.

https://www.rapidtables.com/convert/number/hex-to-ascii.html

Looks like, as its name suggests it is a key… an RSA Private key..

I saved this output to my kali box as rsa.key

Exploit

Let's look around for a heartbleed exploit we can leverage.

I found this github

https://github.com/mpgn/heartbleed-PoC

I did a git clone to my kali

And ran the exploit against valentine.htb

python2 ./heartbleed.py valentine.htb

SO backup………

We never really talked about heartbleed and what it does, basically what you need to know here is that it's a memory leak… sites that are using vulnerable version of TLS can have some of the contents of their memory exposed.

So, after this runs the POC will save any output of memory to a file named out.txt

python2 ./heartbleed.py valentine.htb

Let's check out our out.txt file and see what we might have gotten out of memory.

Looks like someone is trying to use the decode.php to decode a base 64 string… 

Let's help them out with that. :)

echo "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" | base64 -d heartbleedbelievethehype

heartbleedbelievethehype

I wonder if we can use that with the RSA key we found earlier to ssh to the box… The only issue really is we don't know what the username might be still…

Could be root,valentine,hype,heart,heartbleed or anything else.

I tried valentine first

You need to change the permission of the rsa.key to be less open or SSH will yell at us

chmod 700 ./rsa_key

Good news….. It looks like heartbleedbelievethehype is the passphrase for the key but unfortunately not a password for valentine.

Let's try other usernames

We finally hit pay dirt with hype ( the name of the key on the server) 

And we can get the user flag from hype's folder

Looking in the user's folder We can see that .bash_history is not empty as per usual on HackTheBox machines.

So let's 

hype@Valentine:~$ cat .bash_history exit exot exit ls -la cd / ls -la cd .devs ls -la tmux -L dev_sess tmux a -t dev_sess tmux --help tmux -S /.devs/dev_sess exit whoami exit

Ok it looks like there are some tmux commands here that the user need help remembering how to use the --help is telling I think. Let's try executing the next command after the user looked for help

tmux -S /.devs/dev_sess 

We get dropped in a tmux session as root.

And it's pretty easy to grab our root flag from here.