Skip to content

Hack The Box — Valentine Writeup without Metasploit

Hack the box easy machine Valentine. Initial foothold was from heartbleed and then privilege escalation was done using tmux. Enough said let’s start with nmap

Checked out Port 80 and 443 had the same thing.

A lady screaming with a bleeding heart. Kind of gave away what is was about I guess. But as usual if its web enumeration we have to do gobuster.

Gobuster gave away a lot of directories. Not a lot but yea enough to figure out some more things we need.

we found a key and notes.

Let’s decode the key. It is HEX. Search google, there will be lots of decoders. After decoding the key paste it in a file and save the key. you need to change permission of the key or else it will nag about how everyone can access the key and bla bla so better do a chmod 400 keyname

so we need a passphrase which we don’t have at the moment. let’s scan web again since it was kind of obvious

root@kali:/usr/share/nmap/scripts# nmap --script vuln 10.10.10.79
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-26 06:44 EDT
Nmap scan report for 10.10.10.79
Host is up (0.21s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
|clamav-exec: ERROR: Script execution failed (use -d to debug) 80/tcp open http |_clamav-exec: ERROR: Script execution failed (use -d to debug) |_http-csrf: Couldn't find any CSRF vulnerabilities. |_http-dombased-xss: Couldn't find any DOM based XSS. | http-enum: | /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)' | /index/: Potentially interesting folder
|http-stored-xss: Couldn't find any stored XSS vulnerabilities. |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug) 443/tcp open https |_clamav-exec: ERROR: Script execution failed (use -d to debug) |_http-csrf: Couldn't find any CSRF vulnerabilities. |_http-dombased-xss: Couldn't find any DOM based XSS. | http-enum: | /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)' | /index/: Potentially interesting folder
|http-stored-xss: Couldn't find any stored XSS vulnerabilities. |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug) | ssl-ccs-injection: | VULNERABLE: | SSL/TLS MITM vulnerability (CCS Injection) | State: VULNERABLE | Risk factor: High | OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h | does not properly restrict processing of ChangeCipherSpec messages, | which allows man-in-the-middle attackers to trigger use of a zero | length master key in certain OpenSSL-to-OpenSSL communications, and | consequently hijack sessions or obtain sensitive information, via | a crafted TLS handshake, aka the "CCS Injection" vulnerability. | | References: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224 | http://www.cvedetails.com/cve/2014-0224 | http://www.openssl.org/news/secadv_20140605.txt
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
| http://www.openssl.org/news/secadv_20140407.txt
|_ http://cvedetails.com/cve/2014-0160/
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.securityfocus.com/bid/70574
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_sslv2-drown:

I guess we have heartbleed. leat’s search for heartbleed exploit.

Two of those python scripts didn’t work So I guess it’s time for google. I really want to do this one with metasploit, I know that it will be really easy but still have to stick to the rules. Found an exploit

https://gist.github.com/eelsivart/10174134 It was a python script which can get the key. let’s hope that’s how it’s gonna be. After executing the script python exploit.py 10.10.10.79 got a base 64bit encoded text

We need to decode that text and see what we have

hoping that it’s the pass for ssh. As before we can try to login with the pass that we got from heartbleed ssh -i hypekey hype@10.10.10.79

Privilege escalation. I was a bit dissapointed cause I wanted to try out https://github.com/diego-treitos/linux-smart-enumeration linux smart enumeration which didn’t work for some odd reason.

Left it and went with linpeas. which is by the way an excellent tool no doubt about it. I just wish it would give a nice text file with everything in it. Anyway found something interesting as soon as it started running.

tmux was running as root. and it’s yellow. I have never seen the later part. Felt like running that and that was it tmux -S /.devs/dev_sess gave away a root shell.

Published inHackinghacktheboxOSCP

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: