Difficulty Rating:

Machine: Valentine
OS: Linux
IP: 10.10.10.79


This machine is vulnerable to Heartbleed. The attacker was able to leak server memory and recover the passphrase for an SSH private key. Privilege escalation was done by attaching tmux to a session socket left on the box.


  • Nmap
# Nmap 7.70 scan initiated Tue Jun  5 16:20:21 2018 as: nmap -A -oN valentine.nmap -v 10.10.10.79
Increasing send delay for 10.10.10.79 from 0 to 5 due to 238 out of 791 dropped probes since last increase.
Nmap scan report for 10.10.10.79
Host is up (0.13s latency).
Not shown: 990 closed ports
PORT      STATE    SERVICE         VERSION
22/tcp    open     ssh             OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
|   2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_  256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp    open     http            Apache httpd 2.2.22 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
443/tcp   open     ssl/http        Apache httpd 2.2.22 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Issuer: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2018-02-06T00:45:25
| Not valid after:  2019-02-06T00:45:25
| MD5:   a413 c4f0 b145 2154 fb54 b2de c7a9 809d
|_SHA-1: 2303 80da 60e7 bde7 2ba6 76dd 5214 3c3c 6f53 01b1
|_ssl-date: 2018-06-05T10:51:05+00:00; -1s from scanner time.
5431/tcp  filtered park-agent
5862/tcp  filtered unknown
6009/tcp  filtered X11:9
8082/tcp  filtered blackice-alerts
9001/tcp  filtered tor-orport
9502/tcp  filtered unknown
15003/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun  5 16:21:12 2018 -- 1 IP address (1 host up) scanned in 50.69 seconds
  • Scan port 443 for the Heartbleed vulnerability
  • Nmap scan with the heartbleed NSE script

[screenshot: nmap-heartbleed-scan]

  • Dirbuster
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Tue Jun 05 23:22:06 IST 2018
--------------------------------

https://10.10.10.79:443
--------------------------------
Directories found during testing:

Dirs found with a 200 response:

/
/index/
/dev/
/encode/
/decode/

Dirs found with a 403 response:

/doc/
/cgi-bin/
/icons/


--------------------------------
Files found during testing:

Files found with a 200 responce:

/index.php
/dev/hype_key
/dev/notes.txt
/encode.php
/decode.php


--------------------------------

  • /dev/hype_key contains hex-encoded data

[screenshot: dev-hype_key]

  • Converting the hex to ASCII gives us an SSH private key

[screenshot: hex-to-ascii-convert]
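As an added example (not part of the original write-up), here is a small Python decoder for a hex dump laid out like /dev/hype_key. Besides recovering the bytes, it reports whether the resulting PEM key is passphrase-protected, which is what makes the memory leak in the next step necessary. The hex sample is constructed here, not the real key from the box.

```python
import binascii
import re

# Constructed sample, not the real /dev/hype_key: a passphrase-protected PEM
# block, hex-encoded as space-separated bytes the way the file on the box was.
SAMPLE_PEM = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    b"\n"
    b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_HEX = " ".join(f"{b:02x}" for b in SAMPLE_PEM)


def hex_to_bytes(text: str) -> bytes:
    """Decode a hex dump, tolerating whitespace, newlines and 0x prefixes."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", text.replace("0x", ""))
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits: dump is truncated or not hex")
    return binascii.unhexlify(cleaned)


def inspect_pem(data: bytes) -> dict:
    """Classify a decoded blob: is it PEM, what kind, and is it passphrase-protected?"""
    text = data.decode("ascii", errors="replace")
    m = re.search(r"-----BEGIN ([A-Z ]+)-----", text)
    if not m:
        return {"is_pem": False}
    label = m.group(1)
    # Legacy OpenSSL keys mark encryption with Proc-Type/DEK-Info headers;
    # PKCS#8 keys use the ENCRYPTED PRIVATE KEY label instead.
    encrypted = "Proc-Type: 4,ENCRYPTED" in text or label == "ENCRYPTED PRIVATE KEY"
    dek = re.search(r"DEK-Info: ([A-Za-z0-9-]+),", text)
    return {
        "is_pem": True,
        "label": label,
        "encrypted": encrypted,
        "cipher": dek.group(1) if dek else None,
    }


if __name__ == "__main__":
    key = hex_to_bytes(SAMPLE_HEX)
    print(key.decode())
    print(inspect_pem(key))
```

Run it on the contents of a hex dump and the `encrypted` flag tells you up front whether the key is usable as-is or still needs a passphrase.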

  • Since the nmap scan confirmed that port 443 is vulnerable to Heartbleed, we can use it to leak server memory.
  • The following PoC can be used for this: https://github.com/sensepost/heartbleed-poc
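From the defender's side, the condition the PoC relies on is a heartbeat message whose declared payload_length does not fit in the TLS record that carries it; RFC 6520 requires the receiver to discard such a message, and patched OpenSSL does. The added Python check below (not part of the write-up or of the PoC repository) performs that bounds check on raw TLS records, which is the same logic an IDS rule for Heartbleed keys on. The sample records are constructed, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: every heartbeat carries >= 16 bytes of padding


def check_heartbeat_record(record: bytes) -> dict:
    """Inspect one raw TLS record and flag a heartbeat whose declared
    payload_length cannot fit in the record that carries it."""
    if len(record) < 5:
        return {"heartbeat": False, "reason": "record shorter than TLS header"}
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return {"heartbeat": False, "reason": "not a heartbeat record"}
    body = record[5:5 + rec_len]
    if len(body) < rec_len:
        return {"heartbeat": True, "malformed": True, "reason": "record truncated"}
    if rec_len < 3:
        return {"heartbeat": True, "malformed": True, "reason": "no room for heartbeat header"}
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    available = rec_len - 3
    # RFC 6520 section 4: discard if payload_length + 3 + padding(16) > record length.
    malformed = payload_len + MIN_PADDING > available
    return {
        "heartbeat": True,
        "type": {HB_REQUEST: "request", HB_RESPONSE: "response"}.get(hb_type, "unknown"),
        "claimed_payload": payload_len,
        "available": available,
        "malformed": malformed,
        "reason": "payload_length exceeds record" if malformed else "ok",
    }


# Constructed sample records (not captured traffic).
GOOD_RECORD = (b"\x18\x03\x02\x00\x17"        # heartbeat, TLS 1.1, 23-byte body
               + b"\x01\x00\x04" + b"ping"    # request, payload_length 4, payload
               + b"\x00" * 16)                 # minimum padding
BAD_RECORD = b"\x18\x03\x02\x00\x03\x01\xff\xff"           # 3-byte body claiming a 65535-byte payload
SHORT_PAD_RECORD = b"\x18\x03\x02\x00\x07\x01\x00\x04ping"  # payload fits, padding missing
NOT_HEARTBEAT = b"\x16\x03\x01\x00\x05hello"               # handshake record, ignored

if __name__ == "__main__":
    for name, rec in [("good", GOOD_RECORD), ("bad", BAD_RECORD),
                      ("short-pad", SHORT_PAD_RECORD), ("other", NOT_HEARTBEAT)]:
        print(name, check_heartbeat_record(rec))
```

A record that fails this check is exactly what a vulnerable server would have answered with up to 64 KiB of process memory; a patched server drops it silently, so seeing such records in a capture is worth an alert either way.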

  • Let’s leak the information using the PoC:

[screenshot: heartbleed-poc]

  • Check the dump for useful information:

[screenshot: heartbleed-dump]

  • The dump contains a base64-encoded value for the “text” parameter. Decoding it gives us a passphrase.

[screenshot: decode-password]
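Added example, not from the original post: a small scanner that pulls base64 runs and a named form parameter out of dump text and decodes them, skipping runs that decode to binary junk. The dump fragment is constructed to look like the leaked request body; its base64 value decodes to the passphrase used in the next step.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample standing in for a slice of the Heartbleed memory dump:
# a URL-encoded form body whose "text" field carries a base64 value.
SAMPLE_DUMP = (
    "\x00\x00@\x0c\x01Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 42\r\n\r\n$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==\x00\x00"
    "\x00\x00HTTP/1.1 200 OK\r\n\x00\x00"
)

_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _decode_printable(token: str):
    """base64-decode a token and return it as text if it decodes cleanly."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    stripped = text.strip()
    return text if stripped and stripped.isprintable() else None


def find_base64_blobs(dump: str) -> list:
    """Return (token, decoded_text) for every base64 run in the dump that
    decodes to printable text; binary junk and false positives are skipped."""
    results = []
    for m in _B64_RUN.finditer(dump):
        text = _decode_printable(m.group(0))
        if text is not None:
            results.append((m.group(0), text))
    return results


def extract_param(dump: str, name: str):
    """Pull the base64 value of a named form parameter (e.g. text=...) out
    of the dump and decode it, returning the trimmed plaintext or None."""
    m = re.search(re.escape(name) + r"=([A-Za-z0-9+/=%]+)", dump)
    if not m:
        return None
    text = _decode_printable(unquote(m.group(1)))
    return text.strip() if text is not None else None


if __name__ == "__main__":
    print(extract_param(SAMPLE_DUMP, "text"))
    for token, text in find_base64_blobs(SAMPLE_DUMP):
        print(repr(token), "->", repr(text))
```

Point `find_base64_blobs` at a real dump (read as text with `errors="replace"`) to list every candidate at once instead of eyeballing the output.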

  • Let’s SSH in as user hype with the recovered key, using heartbleedbelievethehype as the passphrase

[screenshot: ssh-login]

  • Get the user key

[screenshot: user-key]

  • Check the command history

[screenshot: history]

  • We can see that a socket is used for tmux. Let’s attach tmux to that socket with:
tmux -S /.devs/dev_sess

[screenshot: root-key]
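Attaching to the root-owned tmux session only works because the low-privileged user could reach the socket file: on Linux, connect() on a Unix-domain socket needs write permission on that file. The added Python audit below is not from the write-up; it flags sockets that group or other can write to, walks a tree for them, and contrasts an exposed mode with an owner-only one. It creates its own throwaway socket in a temp directory, and the 0777 mode it applies is an assumed stand-in for the exposed session socket, not the mode observed on the box.

```python
import os
import socket
import stat
import tempfile


def audit_unix_socket(path: str) -> dict:
    """Describe who can reach a Unix-domain socket. connect() on Linux needs
    write permission on the socket file, so the group/other write bits are
    what expose a session to other users."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a socket")
    mode = stat.S_IMODE(st.st_mode)
    others_can_connect = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
    return {
        "path": path,
        "owner_uid": st.st_uid,
        "mode": format(mode, "04o"),
        "group_writable": bool(mode & stat.S_IWGRP),
        "world_writable": bool(mode & stat.S_IWOTH),
        "exposed": others_can_connect,
    }


def find_exposed_sockets(top: str) -> list:
    """Walk a directory tree and return audits for sockets others can connect to."""
    hits = []
    for dirpath, _dirs, names in os.walk(top):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                if stat.S_ISSOCK(os.lstat(full).st_mode):
                    info = audit_unix_socket(full)
                    if info["exposed"]:
                        hits.append(info)
            except OSError:
                continue  # vanished or unreadable entry; keep scanning
    return hits


def demo() -> dict:
    """Create a throwaway socket, audit it in an exposed mode and a hardened one."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dev_sess")  # constructed; name only echoes the write-up
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            srv.bind(path)
            os.chmod(path, 0o777)  # assumed: a session socket any local user can attach to
            before = audit_unix_socket(path)
            found = len(find_exposed_sockets(d))
            os.chmod(path, 0o700)  # hardened: only the owner can connect
            after = audit_unix_socket(path)
        finally:
            srv.close()
        return {"before": before, "found_before": found, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run `find_exposed_sockets("/")` as a periodic check; a root-owned socket that non-root users can write to is a finding whether it belongs to tmux, screen or anything else that hands out a shell.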

  • Get root.txt
User and root owned!!
