
HackTheBox - Valentine - Retired - Update




Recon


I've been using threader3000 lately to do my recon scans. It does a staged scan: the first stage is a super quick up/down scan on all TCP ports, then it suggests an nmap scan based on the ports found open in the first stage. It also saves all the nmap scans out to an XML file, which I like to convert to HTML to make it easy to read.


xsltproc ./valentine.htb/valentine.htb.xml -o ./valentine.html




Looks like we have just three open ports here.


Port  Service  Version
22    OpenSSH  5.9p1
80    Apache   2.2.22
443   Apache   2.2.22



And nmap thinks it's an Ubuntu box.



Here is what we see on port 80


That logo is familiar… but we will get back to that.


What about port 443?



Same thing but https….


So about that logo….


Not a whole lot of bugs get their own logo, but heartbleed does.


https://heartbleed.com/


CVE-2014-0160


"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."



Interesting…


OK, let's brute-force the web server's paths to find any other folders or files that might be available to us.




Here is some of the output



So we have 3 new things to check out.


/dev/

/encode

/decode



Let's start with /encode.


OK, we have an input box that they will use to encode for us. It's important to note here that it says encode, not encrypt… Let's just put an "a" in there and see what happens.



a is encoded as YQ==


I don't know about you, but any time I see a = at the end of an encoded string… I think base64.


In base64 encoding, if the input isn't an exact multiple of three bytes, it adds equals signs to the end as padding.


Let's use our Kali box to check that decoding YQ== as base64 gives us back an a.


echo "YQ==" | base64 -d
a


Yup, so this site just takes your input and base64 encodes it… what about /decode?


It does the opposite: it takes your base64 encoded data and turns it back into ASCII for you.





OK, what about /dev?


Two files: notes.txt and hype_key.


What is in notes.txt?


To do:

1) Coffee.
2) Research.
3) Fix decoder/encoder before going live.
4) Make sure encoding/decoding is only done client-side.
5) Do not use the decoder/encoder until any of this is done.
6) Find a better way to take notes.


Some notes from the dev on what to fix. OK, what about hype_key…



Looks like a bunch of hex.


Let's try and see if we can convert this.



https://www.rapidtables.com/convert/number/hex-to-ascii.html



Looks like, as its name suggests, it is a key… an RSA private key.


I saved this output to my Kali box as rsa.key
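As an added example (not the author's code), here is how the two decoding steps above, the hex dump of hype_key and the base64 behind YQ==, can be done locally in Python rather than in an online converter, including a check for the PEM header that tells you the key needs a passphrase. The hex sample is a constructed placeholder, not the box's key.

```python
import base64
import re

# Constructed stand-in for the hex blob served as /dev/hype_key: a placeholder
# PEM body, hex-encoded the same way. No real key material is embedded here.
SAMPLE_HEX_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,PLACEHOLDER_IV\n\n"
    "PLACEHOLDER_BASE64_BODY\n"
    "-----END RSA PRIVATE KEY-----\n"
).encode().hex()

PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def hex_dump_to_bytes(text: str) -> bytes:
    """Decode a whitespace-separated hex dump; reject anything that isn't hex."""
    compact = re.sub(r"\s+", "", text)
    if len(compact) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", compact):
        raise ValueError("input is not an even-length hex string")
    return bytes.fromhex(compact)


def classify_decoded(data: bytes) -> dict:
    """Say what the decoded bytes are, and whether a PEM key needs a passphrase."""
    match = PEM_HEADER.search(data)
    if not match:
        return {"kind": "unknown", "encrypted": False}
    label = match.group(1).decode()
    # Legacy OpenSSL PEM marks passphrase-protected keys with this header line.
    encrypted = b"Proc-Type: 4,ENCRYPTED" in data
    return {"kind": f"PEM {label}", "encrypted": encrypted}


def base64_padding_length(n_bytes: int) -> int:
    """Number of '=' characters base64 appends for an input of n_bytes bytes."""
    return (3 - n_bytes % 3) % 3


def decode_base64_strict(text: str) -> bytes:
    """Decode like the /decode page does, but refuse malformed or mis-padded input."""
    return base64.b64decode(text, validate=True)


if __name__ == "__main__":
    key = hex_dump_to_bytes(SAMPLE_HEX_KEY)
    print(classify_decoded(key))                  # PEM RSA PRIVATE KEY, encrypted
    print(base64_padding_length(1))               # 2, hence the "==" in YQ==
    print(decode_base64_strict("YQ=="))           # b'a'
```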




Exploit


Let's look around for a heartbleed exploit we can leverage.


I found this github


https://github.com/mpgn/heartbleed-PoC


I did a git clone to my Kali box


And ran the exploit against valentine.htb


python2 ./heartbleed.py valentine.htb


So, backing up a bit…








We never really talked about Heartbleed and what it does. Basically, what you need to know here is that it's a memory leak: servers running a vulnerable version of OpenSSL's TLS implementation can have some of the contents of their memory exposed.
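To make that memory leak concrete, here is an added Python model (not the PoC's code, and no networking) of how the server handled a TLS heartbeat record before and after the fix: the pre-fix version copies as many bytes as the record's length field claims, while the patched version applies the RFC 6520 length check and silently drops a record whose claimed length cannot fit. The "neighbouring memory" bytes are constructed to stand in for whatever happened to sit after the record on the heap.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER_LEN = 1 + 2      # type byte + 16-bit payload_length
MIN_PADDING = 16        # RFC 6520: at least 16 bytes of padding follow the payload

# Constructed stand-in for the server's heap right after the received record,
# shaped like the /decode.php request the PoC pulled out of memory.
NEIGHBOUR_MEMORY = b"POST /decode.php text=aGVhcnRibGVlZA== Cookie=session=PLACEHOLDER"


def heartbeat_record(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Serialize a heartbeat request; claimed_length defaults to the true length."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HB_REQUEST]) + struct.pack(">H", length) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(record: bytes, memory_after: bytes) -> bytes:
    """Pre-fix logic: trust payload_length and copy that many bytes from memory."""
    memory = record + memory_after                            # record sits in front of other data
    claimed = struct.unpack(">H", memory[1:3])[0]
    echoed = memory[HEADER_LEN:HEADER_LEN + claimed]          # may run well past the record
    return bytes([HB_RESPONSE]) + struct.pack(">H", claimed) + echoed


def fixed_handler(record: bytes) -> Optional[bytes]:
    """Patched logic: only ever read inside the record, discard if lengths disagree."""
    if HEADER_LEN + MIN_PADDING > len(record):
        return None                                           # too short to hold any payload
    claimed = struct.unpack(">H", record[1:3])[0]
    if HEADER_LEN + claimed + MIN_PADDING > len(record):
        return None                                           # RFC 6520: silently discard
    echoed = record[HEADER_LEN:HEADER_LEN + claimed]
    return bytes([HB_RESPONSE]) + struct.pack(">H", claimed) + echoed


def leaked_bytes(response: bytes, true_payload: bytes) -> bytes:
    """Whatever came back beyond the payload the client actually sent."""
    return response[HEADER_LEN + len(true_payload):]


if __name__ == "__main__":
    honest = heartbeat_record(b"ping")
    mismatched = heartbeat_record(b"ping", claimed_length=60)  # length field lies
    print(leaked_bytes(vulnerable_handler(honest, NEIGHBOUR_MEMORY), b"ping"))      # b''
    print(leaked_bytes(vulnerable_handler(mismatched, NEIGHBOUR_MEMORY), b"ping"))  # padding + heap
    print(fixed_handler(mismatched))                                                 # None
```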



So, after this runs, the PoC saves whatever memory it dumped to a file named out.txt.


python2 ./heartbleed.py valentine.htb


Let's check out our out.txt file and see what we might have gotten out of memory.


Looks like someone is trying to use decode.php to decode a base64 string…


Let's help them out with that. :)


echo "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" | base64 -d
heartbleedbelievethehype




I wonder if we can use that with the RSA key we found earlier to SSH to the box… The only real issue is that we still don't know what the username might be…


Could be root, valentine, hype, heart, heartbleed or anything else.



I tried valentine first


You need to make the permissions on rsa.key less open or SSH will refuse to use it.


chmod 700 ./rsa.key




Good news… It looks like heartbleedbelievethehype is the passphrase for the key, but unfortunately not a password for valentine.


Let's try other usernames





We finally hit pay dirt with hype (the name of the key on the server).





And we can get the user flag from hype's folder



Looking in the user's home folder, we can see that .bash_history is not empty, unlike on most HackTheBox machines.


So let's 



hype@Valentine:~$ cat .bash_history

exit
exot
exit
ls -la
cd /
ls -la
cd .devs
ls -la
tmux -L dev_sess
tmux a -t dev_sess
tmux --help
tmux -S /.devs/dev_sess
exit
whoami
exit


OK, it looks like there are some tmux commands here that the user needed help remembering how to use; the --help is telling, I think. Let's try executing the command the user ran right after looking for help.


tmux -S /.devs/dev_sess 


We get dropped in a tmux session as root.






And it's pretty easy to grab our root flag from here.





