Skip to main content

HTB - Valentine

alt

Basic Nmap scan

Nmap command: nmap -Pn -n -sC -sV -oA scan_boxs/valentine/nmap/10.10.10.79-d-scan 10.10.10.79
Nmap scan report for 10.10.10.79
Host is up (0.14s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
| 2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_ 256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Ubuntu)
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after: 2019-02-06T00:45:25
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_ssl-date: 2022-08-24T19:33:15+00:00; -1s from scanner time.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: -1s

Open ports : 22,80,443

PORTSERVICEPRODUCTVERSIONEXTRAINFO
22sshOpenSSH5.9p1 Debian 5ubuntu1.10Ubuntu Linux; protocol 2.0
80httpApache httpd2.2.22(Ubuntu)
443httpApache httpd2.2.22(Ubuntu)

port 80

alt

Its loading an image file. gobuster has detected few interesting files below.

http://10.10.10.79:80/index.php            (Status: 200) [Size: 38]
http://10.10.10.79:80/index (Status: 200) [Size: 38]
http://10.10.10.79:80/dev (Status: 301) [Size: 308] [--> http://10.10.10.79/dev/]
http://10.10.10.79:80/encode (Status: 200) [Size: 554]
http://10.10.10.79:80/encode.php (Status: 200) [Size: 554]
http://10.10.10.79:80/decode (Status: 200) [Size: 552]
http://10.10.10.79:80/decode.php (Status: 200) [Size: 552]
http://10.10.10.79:80/omg (Status: 200) [Size: 153356]
http://10.10.10.79:80/server-status (Status: 403) [Size: 292]

Found folders /dev, /encode, /decode

probing dev

alt

/dev has few more files hype_key, notes.txt. Time to download an analyze the file.

alt

/notes.txt appears to be some form of todo list or notes taking.
alt

/hype_key file could be a hex encoded data.
alt

decoding the hex data to ascii
alt

This is a RSA Private Key for a user.

Trying to decrypt the rsa key ran into a road block. This require a pass phrase, which we might need further investigation. We will get back to this later.
alt

probing encode

This page encode ASCII to HEX
alt
alt

probing decode

This page converts HEX to ASCII
alt
alt

port 443

The nmap vuln scan has detected ssl-heartbleed vulnerability.

alt

Moving forward to heartbleed exploit.

Exploit heartbleed

Found python script on git for heartbleed exploit.

https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py

Executing the heartbleed.py, found an variable repeating multiple times. And it could be in base64 encoded.
alt

Decoding the text from base64
alt

This heartbleedbelievethehype could be the pass phrase we needed to decrypt the RSA key

decrypting RSA with openssl

openssl rsa -in hype_key_xxd -out hype_key_decrypt 

We have successfully decrypted the RSA key with heartbleedbelievethehype pass phrase.
alt

SSH connection

Usually RSA is saved as user_key naming convention. So, now attempting to connect to the box as user hype through ssh with the decrypted key.

alt

Issue with ssh, needs an ssh-rsa option add to the command

ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -i hype_key_decrypt [email protected]

alt

User flag

alt

Privilege escalation

Looking for process run by root lead to tmux session.
alt

/usr/bin/tmux -S /.devs/dev_sess Examining the tmux session, tmux is accessing the file /.devs/dev_sess and it is a socket and it is owned by root and belongs to hype group. And user hype also belongs to hype group. Hence hype user should be able to execute the tmux session.

alt

alt

Exploit

alt

Dirty cow - todo

Since this machine is very old, it could be vulnerable to kernel exploit like Dirty Cow
OS Information:
alt

kernel exploits:
alt

We will go with github file. https://github.com/FireFart/dirtycow/blob/master/dirty.c

compile command:

gcc -pthread dirtycow.c -o dirty -lcrypt

alt