Hack The Box — Valentine
Valentine is a Medium level Linux machine on Hack The Box. It is also OSCP-like. Honestly, the part for getting the low-level shell and the SSH username was very tricky. In this box, we learn about an exploit called Heartbleed, and we finally privilege escalate using an active root session in tmux.
We find ports 22, 80 and 443 open after doing a full port scan. The webpage on port 80 has a picture of a girl and a heart dripping with blood. This is a hint towards the Heartbleed exploit, which we will use later. We do not find anything useful in the source code.
Port 443 has nothing useful on its webpage either.
Let's find hidden directories using dirsearch.
Let's check out the files and the other directories as well.
hype_key looks like it contains hexadecimal values; we can try decoding it later.
notes.txt hints that the encoder and decoder might be useful.
The encoder and decoder work pretty normally. I did try to check for command injection, but that won't work. It simply encodes and decodes.
Let's convert hype_key's hexadecimal values to plain text.
And voila! It looks like an SSH key, so save it in a file named hype_key or id_rsa. Make sure to give it chmod 600 or chmod +s permissions.
Now, I did try to SSH to the target using the key; however, I failed. I tried connecting over SSH with a username called valentine. However, that didn't work. Finding the correct username seemed very tricky. Also, it asked for a password to decrypt the key. I tried running:
ssh -i hype_key valentine@targetip
There is NO user called “valentine”, and later I found out that we need to use the Heartbleed exploit to find the correct password for the key, and that the username will be “hype” (I will explain this soon).
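Two things above are easy to get wrong when doing them by hand: decoding a hex dump that is broken across lines, and understanding why ssh asks for a password before it will even try the key. The script below is an added example (not code from the writeup) that decodes a hex dump, inspects the resulting PEM block for the `Proc-Type: 4,ENCRYPTED` / `DEK-Info` headers that mark a passphrase-protected legacy key, and writes the key out with the 0600 mode ssh requires. The sample hex is constructed here from a placeholder PEM body; it is not the real hype_key.

```python
import binascii
import os
import re
import stat
import tempfile
import textwrap

# Constructed sample in the style of the hype_key file: the bytes of a PEM
# block, hex-encoded and wrapped into lines. The Proc-Type and DEK-Info
# headers are real OpenSSL conventions; the key body is placeholder text,
# not a usable key.
_SAMPLE_PEM = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    b"\n"
    b"PLACEHOLDERKEYBODY/PLACEHOLDERKEYBODY+PLACEHOLDERKEYBODY=\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_HEX = "\n".join(textwrap.wrap(binascii.hexlify(_SAMPLE_PEM).decode(), 64)) + "\n"


def hex_to_text(hex_dump: str) -> str:
    """Decode a hex dump into text, ignoring whitespace and line breaks."""
    cleaned = re.sub(r"\s+", "", hex_dump)
    if len(cleaned) % 2:
        raise ValueError("hex dump has an odd number of digits")
    return binascii.unhexlify(cleaned).decode("utf-8", errors="replace")


_PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+?)-----")
_DEK_INFO = re.compile(r"^DEK-Info: ([A-Z0-9-]+),", re.MULTILINE)


def inspect_key(text: str) -> dict:
    """Report whether text is a PEM private key and whether it is
    passphrase-protected. Legacy PEM keys announce encryption with a
    'Proc-Type: 4,ENCRYPTED' header plus a DEK-Info line naming the cipher,
    which is why ssh prompts for a password before using such a key.
    Keys in the newer OPENSSH format carry no such header (encryption is
    only visible inside the base64 body), so 'encrypted' is None for them."""
    m = _PEM_BEGIN.search(text)
    if not m:
        return {"is_pem": False, "kind": None, "encrypted": None, "cipher": None}
    kind = m.group(1)
    if kind == "OPENSSH PRIVATE KEY":
        return {"is_pem": True, "kind": kind, "encrypted": None, "cipher": None}
    encrypted = "Proc-Type: 4,ENCRYPTED" in text
    dek = _DEK_INFO.search(text)
    return {
        "is_pem": True,
        "kind": kind,
        "encrypted": encrypted,
        "cipher": dek.group(1) if dek else None,
    }


def write_private_key(path: str, text: str) -> int:
    """Write the key with mode 0600, as ssh requires for private keys.
    Returns the resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)  # in case the file already existed with other bits
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_write_key() -> int:
    """Decode the sample, write it to a temp dir, return its mode bits."""
    with tempfile.TemporaryDirectory() as d:
        return write_private_key(os.path.join(d, "hype_key"), hex_to_text(SAMPLE_HEX))


if __name__ == "__main__":
    key_text = hex_to_text(SAMPLE_HEX)
    print(inspect_key(key_text))
    print(oct(demo_write_key()))
```

For a real hex dump, read the file into `hex_to_text` instead of `SAMPLE_HEX`; if `inspect_key` reports `encrypted: True`, the password prompt is expected and a missing username, not the key itself, is the first thing to rule out.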
HEARTBLEED (CVE-2014-0160)
Heartbleed is a vulnerability in OpenSSL: using the buffer overflow exploit, we send a malicious request to the server and dump critical data from the webserver. To discover it, I used nmap's vuln script:
AND SURE ENOUGH, IT IS VULNERABLE TO HEARTBLEED !!! I did try using the exploit from exploit-db; however, the output was not easy to read. Later I found this exploit on GitHub, which is written in Python.
DOWNLOAD LINK: https://gist.github.com/eelsivart/10174134
The usage is pretty simple as well.
Let's use the exploit and loop 10 times (-n).
If we scroll through the results, we find some interesting base64-encoded text.
Let's decode it in /decode.php (or through any website) and we find heartbleedbelievethehype. This can be the password for hype_key (our SSH key).
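What makes the request "malicious" is a single unchecked length field: the heartbeat message declares a payload length, and an unpatched OpenSSL copied that many bytes back from memory regardless of how many bytes actually arrived. The fix, and every IDS signature for Heartbleed, applies the same bounds check. The script below is an added example (not the writeup's exploit or the Gist linked above) that parses TLS records from a captured byte stream and flags heartbeat records whose declared payload does not fit in the record. The sample stream is constructed inline; it is not traffic from this box.

```python
import struct

TLS_HEARTBEAT = 0x18          # content type of a TLS heartbeat record
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding


def parse_tls_records(data: bytes):
    """Yield (content_type, version, body) for each complete TLS record."""
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) < length:
            break  # truncated record: stop rather than misparse
        yield ctype, version, body
        offset += 5 + length


def check_heartbeat(body: bytes) -> dict:
    """Apply the bounds check the OpenSSL fix added: the declared payload
    length, plus the 3-byte heartbeat header and the minimum padding, must
    fit inside the record. A message that fails it is the Heartbleed pattern."""
    if len(body) < 3:
        return {"verdict": "malformed", "reason": "shorter than heartbeat header"}
    hb_type = body[0]
    declared = struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return {"verdict": "malformed", "reason": f"unknown heartbeat type {hb_type}"}
    available = len(body) - 3
    if 3 + declared + MIN_PADDING > len(body):
        return {"verdict": "heartbleed", "declared": declared, "available": available,
                "direction": "request" if hb_type == HB_REQUEST else "response"}
    return {"verdict": "ok", "declared": declared, "available": available}


def scan_stream(data: bytes) -> list:
    """Return one verdict per heartbeat record found in a TLS byte stream."""
    return [check_heartbeat(body) for ctype, _ver, body in parse_tls_records(data)
            if ctype == TLS_HEARTBEAT]


def _record(ctype: int, body: bytes, version: int = 0x0302) -> bytes:
    """Wrap a body in a TLS record header (used only to build the sample)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample traffic: an application-data record (ignored), a
# well-formed heartbeat request, and a heartbeat request whose declared
# payload length far exceeds the single byte that was actually sent.
SAMPLE_STREAM = (
    _record(0x17, b"application data, not a heartbeat")
    + _record(TLS_HEARTBEAT,
              bytes([HB_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * MIN_PADDING)
    + _record(TLS_HEARTBEAT, bytes([HB_REQUEST]) + struct.pack("!H", 0x4000) + b"A")
)

if __name__ == "__main__":
    for verdict in scan_stream(SAMPLE_STREAM):
        print(verdict)
```

The same check run on the response direction is what tells you a server is leaking: a heartbeat response whose declared length exceeds the record is a server that copied memory it should not have. Patching OpenSSL (or building it with heartbeats disabled) removes the condition entirely.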
And sure enough, when I tried to open hype_key and it asked for a password, I used it and was able to unlock the key !!!
FINALLY, let's connect over SSH. For the username, we use hype because, if you remember, the original name of the file was hype_key, and the password we found hinted us to believe the hype.
I transferred LinPEAS to the target and ran it. The most critical findings, the Linux version and the tmux session, were highlighted in yellow/red. I will cover both ways to privilege escalate.
1) USING TMUX SESSION
tmux is a terminal multiplexer: it enables a number of terminals to be created, accessed, and controlled from a single screen.
It's essentially a shell that is owned by root! So if we can enter this active tmux session, any command we run there is executed with root privileges.
I ran ls -la to list all files and found that tmux.conf was owned by root.
I also read the contents of bash_history, and it looks like the previous user had run a tmux session.
In order to become root, all I have to do is enter the tmux session using the same syntax the previous user used.
I ran /usr/bin/tmux -S /.devs/dev_sess and got a tmux session where I was root!
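The root cause here is not tmux itself but the permissions on its server socket: `tmux -S` attaches to whatever socket path you name, so a root-owned session whose socket file is reachable by other users hands them a root shell. The script below is an added example (not from the writeup) that audits a directory tree for UNIX sockets owned by a given uid with any group/other permission bits set. It builds a constructed demo tree with one world-accessible socket (modelled on /.devs/dev_sess) and one owner-only socket, and audits as the current user so it runs without root; on a real host you would run it as root against `/` with the default `owner_uid=0`.

```python
import os
import socket
import stat
import tempfile


def find_exposed_sockets(root_dir: str, owner_uid: int = 0) -> list:
    """Walk root_dir and return UNIX socket paths owned by owner_uid whose
    mode grants any group or other permission. For a tmux server socket
    owned by root, any such bit lets another local user attach to the
    root session with `tmux -S <path>`."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip it
            if not stat.S_ISSOCK(st.st_mode) or st.st_uid != owner_uid:
                continue
            if stat.S_IMODE(st.st_mode) & 0o077:
                exposed.append(path)
    return sorted(exposed)


def _bind_socket(path: str, mode: int) -> None:
    """Create a UNIX socket file at path and set its permission bits."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.close()            # the socket file stays on disk after close
    os.chmod(path, mode)


def make_demo_tree() -> tuple:
    """Build a constructed tree with two sockets: one left accessible to
    everyone (like /.devs/dev_sess on this box) and one restricted to its
    owner. Returns (root_dir, exposed_path, private_path)."""
    root = tempfile.mkdtemp(prefix="sockaudit-")
    devs = os.path.join(root, ".devs")
    os.mkdir(devs)
    exposed = os.path.join(devs, "dev_sess")
    private = os.path.join(root, "default")
    _bind_socket(exposed, 0o777)
    _bind_socket(private, 0o600)
    return root, exposed, private


def run_demo() -> dict:
    """Audit the demo tree as the current user (no root needed)."""
    root, exposed, private = make_demo_tree()
    found = find_exposed_sockets(root, owner_uid=os.getuid())
    return {"found": found, "exposed": exposed, "private": private}


if __name__ == "__main__":
    result = run_demo()
    for p in result["found"]:
        print("exposed socket:", p)
```

tmux's default socket lives in a per-user directory that it creates with mode 0700 and checks before use; a custom `-S` path outside that directory skips that safeguard, which is exactly the situation on this box. Fixing it means a 0700 socket (and parent directory), and not leaving root sessions detached on a multi-user host.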
2) USING DIRTY COW EXPLOIT
Linux versions 2.6.22–3.9 are vulnerable to Dirty COW. You can also use the linux-exploit-suggester tool to find that our target is vulnerable to Dirty COW.
I have already covered how to use the Dirty COW exploit in several of my previous writeups. You can refer to this writeup of a HackTheBox machine called Lame: https://sparshjazz.medium.com/hack-the-box-lame-73957cd80a13
In this box we learned about:
- Discovering and using the Heartbleed exploit
- Privilege escalation via an active tmux session owned by root
- Using the Dirty COW exploit for Linux privilege escalation