Hacker lair Welcome to my blog where I write about Threat Hunting, Pentesting and Cybersecurity in general.

HTB Valentine Linux

Nice box that teaches you how to exploit Heartbleed. tmux for root :)

# Recon

Nmap scan

```
Quick_10.10.10.79.nmap 10.10.10.79
Nmap scan report for 10.10.10.79
Host is up (0.026s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
```

The ssl-heartbleed script reports the site as vulnerable to the Heartbleed attack:

```
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic
software library. It allows for stealing information intended to be protected by SSL/TLS
encryption.
| State: VULNERABLE
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of
OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems
protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise
encrypted confidential information as well as the encryption keys themselves.
```

We run sslyze to corroborate:

```
CHECKING HOST(S) AVAILABILITY
-----------------------------
10.10.10.79:443 => 10.10.10.79:443
SCAN RESULTS FOR 10.10.10.79:443 - 10.10.10.79:443
--------------------------------------------------
* OpenSSL Heartbleed:
VULNERABLE - Server is vulnerable to Heartbleed
```

Dirbuster locates a directory called /dev/ that contains a file named hype_key. We paste its contents into CyberChef, apply the Magic operation, and get an AES-128-encrypted RSA private key. We save it as hype.key and will use it later with SSH.

# Exploitation: Heartbleed

Since we know the website is vulnerable to Heartbleed, we quickly google "heartbleed python github". We run the script against the target IP with the number of iterations set to 30 ("-n 30").

After reviewing the output we quickly notice a base64 string that repeats a lot, so we copy it and decode it to get a password.

```
aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==
heartbleedbelievethehype
```

At this point it is pretty clear that our path to exploitation is through SSH, as we have an SSH key file and a password to use. We proceed to SSH in as user hype:

```bash
chmod 600 hype.key
ssh -i hype.key hype@10.10.10.79
```

- NOTE: for some reason, doing a 755 on hype.key, I would get a warning message that was stopping me from logging in.
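Why the 755 mode fails: OpenSSH checks the mode of a private key file and refuses to use it when any group or other permission bit is set (the "UNPROTECTED PRIVATE KEY FILE" warning, after which the key is ignored), which is why chmod 600 is needed. The following Python script is an added example, not code from the post or from OpenSSH. It reproduces that check (mode & 0o077 must be zero) against two throwaway files it creates itself and then applies the fix; the file names and the placeholder key contents are constructed.

```python
import os
import stat
import tempfile

# OpenSSH rejects a private key whose mode has any group/other bit set (mode & 0o077).
TOO_OPEN_MASK = 0o077

# Constructed placeholder contents; not a real key.
PLACEHOLDER_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "(constructed placeholder, not a real key)\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def key_file_is_too_open(path: str) -> bool:
    """True if ssh would reject this key file because group or other bits are set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & TOO_OPEN_MASK)


def describe_key_file(path: str) -> str:
    """Human-readable verdict in the spirit of the OpenSSH warning."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & TOO_OPEN_MASK:
        return f"Permissions {mode:04o} for '{path}' are too open; key would be ignored"
    return f"Permissions {mode:04o} for '{path}' are fine"


def lock_down(path: str) -> int:
    """Apply the fix from the post (chmod 600) and return the resulting mode bits."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Create two throwaway key files (constructed input), check both, then fix the bad one."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        for name, mode in (("hype_755.key", 0o755), ("hype_600.key", 0o600)):
            path = os.path.join(workdir, name)
            with open(path, "w") as fh:
                fh.write(PLACEHOLDER_KEY)
            os.chmod(path, mode)
            results[name] = key_file_is_too_open(path)
        bad = os.path.join(workdir, "hype_755.key")
        # After chmod 600 the same file passes the check.
        results["fix_applied"] = lock_down(bad) == 0o600 and not key_file_is_too_open(bad)
    return results


if __name__ == "__main__":
    print(demo())
```

The same mask is what makes a 644 or 755 key unusable: it is not the execute bit that matters, but any bit at all for group or other, so the key stays private to its owner.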

![](https://lh3.googleusercontent.com/_zKt2aRvMs2KHDFLESfBlCCoACOGFOPDvB-3R0a2PH6Eu8QHmBA07YuTIHKYvbKLrRv3dt4uBDaeqYc5pa2jVpuszSU0A-LxjDj2sfREogdMAn5Yo7E0VVROvqO9heKOdzKJgAzGklV-aVm_5vhiaENMy18tpHd02-sgzuEcwegJFi7bavSqSV1XtXmUZDUXg3Id_-mTd1vmwOdOiRLmZfO_BLh_yTd0rLT9H6aSNZWSOjqInSikze3T25Q1p8zXJSJ8Ulw8AZhyTrVbtAFmIAZX4VADhcFsSprYtGOfBtlOerRj-MJZ1oTQn-QIPZmFgIA7v_2EiOO8X96o7d5iiBwCdNtVeG9KEev9XOVrEKTNSD5EVFcHSQZItB4v_XYBL6AMDSLefYlIJpYd7AwjGwK81-pjwG_CDaA94A5LaddlsicGos0uPSp8KjW_vSam-Exsw-Awp7LPdzIpPx6LVZ7J7cc8j6knC1G-QJlTSz0heSuWYFVvxkaiEJBOhFUBYJF-c85jKJG267kC7QObkTr6SbweMGhPH8Hep__q4Dn-rGagr4vBug47EpOhJIAbZqhBLKq1gpU_MBZ6rQj44hVilAGkeUwE6z_HxlFf0zSdT4QL92cYKwxFPmEL6QzykH3o9j4DybFRfE0lX09P3nvW2rLUo-llNceaDdyDUlZzs2DOlcs_TYE=w688-h269-no)


# Privilege Escalation
We cat the bash_history file and find the following:
![](https://lh3.googleusercontent.com/g74xJ8auQLCd5RNZUhBtlpxKVAFbGRIJDQTiGlXXRGX-tawHKllm64d7JygPmM7NhyItTR9MTzMqBSsFd5CVDG9oaMFtDewYc-uLeMSkLXDOK61LzSXcPzNTUlJW2jCXQ8naBB9ZrGDMSqvTRCOQtGVlnneIHGWQrluVe_rfanJ71pWtm_NEhX8T0hf0Bz9LOC0tUd-vRAa5e7cA7dILikjQOTVa39rZr7D_VtJ67a85QmFBuV9cMYTO38QOYyq_r7riifW-_9VbRy5B0bFcjCzdpmHy-6c706HUccNrw_pX7HwJ-STwEvVRy7yA53PX_n5CITDF4lu7he1d0fd_Je9Vcr-KlSUslJZxBSIbVPMdxeCpgZM_Oe7SJXdWn0SA9JY69YmntaZKxhmPzUTHgc9jI540rdvbKTyniWpD9-u_bLtsu4FX66j7kUufaYqI2Tbl8VJQebhkwMZZ0S6CJnczel8yi6R_dKiicmCSuideze3ZivYybwFRUQWn4Oik0lQdM-1koo9xUgVBw9nVclgFI_Nphnqbd6Cj1rYPj0y6k6I7-wNrQ3HEKCT4Bi84JpWE2DL90ezrzcX5RDLxhQjYqelQ6IhHqYc7RvgQsvz37I1masnVx3mBSUdtuBpOcGXwUgMohXovPbUe8To8gxfufa4xGcBV4zI_HtLH5TWfuggEfWGwnUA=w474-h499-no)

```bash
exit
exot
exit
ls -la
cd /
ls -la
cd .devs
ls -la
tmux -L dev_sess
tmux a -t dev_sess
tmux --help
tmux -S /.devs/dev_sess
```

There is a tmux session socket, /.devs/dev_sess (the -S argument in the history above), owned by root but with its group permission set to "hype", a group we are part of, so we execute:

```bash
tmux -S /.devs/dev_sess
```

and we get ROOT!
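The root cause here is a root-owned tmux server socket whose group bits let members of another group attach to a root session. The following Python script is an added audit example, not code from the post or from tmux: it walks a directory tree, finds Unix sockets owned by a given uid (root by default), and reports any that are group- or world-accessible. The demo creates its own sockets in a temporary directory (constructed input; they belong to the current user, so the demo passes its own uid as owner_uid), and the gid 1000 used in the stat-based check is a constructed placeholder.

```python
import os
import socket
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class SocketFinding:
    path: str
    uid: int
    gid: int
    mode: int     # permission bits only
    reason: str


def classify_socket(path: str, uid: int, gid: int, st_mode: int, owner_uid: int = 0):
    """Flag a Unix socket owned by owner_uid whose group or other bits grant access.

    Works on raw stat values so it can be checked without a real root-owned socket.
    """
    perm = stat.S_IMODE(st_mode)
    if uid != owner_uid:
        return None
    group_bits = perm & 0o070
    other_bits = perm & 0o007
    if group_bits and other_bits:
        reason = f"group (gid {gid}) and world accessible"
    elif group_bits:
        reason = f"group-accessible (gid {gid})"
    elif other_bits:
        reason = "world-accessible"
    else:
        return None
    return SocketFinding(path, uid, gid, perm, reason)


def find_exposed_sockets(root: str, owner_uid: int = 0) -> list:
    """Walk `root` and return a finding for every exposed socket owned by owner_uid."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISSOCK(st.st_mode):
                continue
            finding = classify_socket(path, st.st_uid, st.st_gid, st.st_mode, owner_uid)
            if finding is not None:
                findings.append(finding)
    return findings


def demo() -> list:
    """Constructed demo: one socket with the 0770 mode seen on the box, one locked to 0700."""
    layout = {"dev_sess": 0o770, "private_sess": 0o700}
    with tempfile.TemporaryDirectory() as workdir:
        servers = []
        for name, mode in layout.items():
            path = os.path.join(workdir, name)
            srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            srv.bind(path)            # creates the socket file, as a tmux server would
            os.chmod(path, mode)
            servers.append(srv)
        # The demo sockets belong to the current user, so audit for that uid.
        findings = find_exposed_sockets(workdir, owner_uid=os.getuid())
        for srv in servers:
            srv.close()
    return sorted(os.path.basename(f.path) for f in findings)


if __name__ == "__main__":
    print(demo())
```

Run against / (or the directories where tmux keeps sockets) as root to list every root-owned socket that another group or the world can reach; the fix on a real host is to keep such sockets at mode 0700, which is what tmux itself creates by default.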

# FLAGS

USER  "e6710a5464769fd5fcd216e076961750" 
ROOT  "f1bb6d759df1f272914ebbc9ed7765b2"