Hack The Box — Valentine

Valentine is a medium-difficulty Linux machine on Hack The Box. It is also OSCP-like. Honestly, the part about getting the low-level shell and the ssh username was very tricky. In this box we learn about an exploit called Heartbleed, and we finally escalate privileges using an active root session in tmux.

ENUMERATION

We find ports 22, 80 and 443 open after a full port scan. The webpage on port 80 shows a picture of a girl and a heart dripping with blood. This is a hint towards the Heartbleed exploit, which we will use later. We do not find anything useful in the source code.

Port 443 has nothing useful on its webpage either.

Let's find hidden directories using dirsearch.

Let's check out the files and the other directories as well.

hype_key looks like it contains hexadecimal values; we can try decoding it later.

notes.txt hints that the encoder and decoder might be useful.

The encoder and decoder work normally. I did try to check for command injection, but that doesn't work. It simply encodes and decodes.

Let's convert hype_key's hexadecimal values to plain text.

And voilà! It looks like an SSH private key, so save it in a file named hype_key or id_rsa. Make sure to give it chmod 600, since ssh refuses to use a private key that other users can read.
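The decode-and-save step above, as an added example that is not part of the original writeup: it hex-decodes the blob, checks whether the result is a PEM private key and whether it is passphrase-protected (the Proc-Type header on legacy PEM keys), and writes it with the owner-only mode ssh insists on. The hex input is a constructed stand-in for hype_key, not the box's real key.

```python
import binascii
import os
import stat
import tempfile

# Constructed stand-in for the hex blob served as hype_key: the hex encoding
# of a few lines shaped like an encrypted legacy PEM key (not the real key).
SAMPLE_HEX = binascii.hexlify(
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n"
    b"\n"
    b"AAAA\n"
    b"-----END RSA PRIVATE KEY-----\n"
).decode()


def hex_to_text(blob: str) -> bytes:
    """Decode a hex dump, ignoring whitespace and newlines the page may have added."""
    cleaned = "".join(blob.split())
    return binascii.unhexlify(cleaned)


def classify_key(data: bytes) -> dict:
    """Report whether the decoded bytes are a PEM private key and whether it is encrypted."""
    text = data.decode("ascii", errors="replace")
    is_pem = "-----BEGIN " in text and "-----END " in text
    is_private = "PRIVATE KEY" in text
    # Legacy PEM marks passphrase protection with a Proc-Type header;
    # OpenSSH-format keys keep that flag inside the base64 body instead.
    encrypted = "Proc-Type: 4,ENCRYPTED" in text
    return {"pem": is_pem, "private_key": is_private, "encrypted": encrypted}


def save_private_key(data: bytes, path: str) -> int:
    """Write the key with owner-only permissions and return the resulting mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)  # in case the file already existed with looser bits
    return stat.S_IMODE(os.stat(path).st_mode)


def key_permissions_ok(path: str) -> bool:
    """True when no group/other bits are set, which is what ssh's own check requires."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def demo() -> dict:
    """Decode the sample, save it into a private temp dir with mode 0600, and report the checks."""
    data = hex_to_text(SAMPLE_HEX)
    info = classify_key(data)
    path = os.path.join(tempfile.mkdtemp(), "hype_key")
    info["saved_mode"] = save_private_key(data, path)
    info["perms_ok"] = key_permissions_ok(path)
    return info


if __name__ == "__main__":
    print(demo())
```

If classify_key reports encrypted, ssh will prompt for the passphrase exactly as the writeup describes; a key with the right mode but no passphrase would have opened straight away.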

Now, I did try to ssh to the target using the key; however, I failed. I tried connecting over ssh with a username called valentine, but that didn't work. Finding the correct username seemed very tricky. It also asked for a password to decrypt the key. I tried running:

ssh -i hype_key valentine@targetip

There is NO user called “valentine”. Later I found out that we need to use the Heartbleed exploit to find the correct password for the key, and that the username is “hype” (I will explain this soon).

HEARTBLEED (CVE-2014-0160)

Heartbleed is a memory-disclosure vulnerability in OpenSSL's TLS heartbeat extension: the server trusts the length field in a heartbeat request and reads past the buffer it actually received, so a malicious request makes it answer with chunks of its own memory, dumping critical data from the web server. To discover it, I used nmap's vuln script:

AND SURE ENOUGH, IT IS VULNERABLE TO HEARTBLEED !!! I did try using the exploit from exploit-db; however, the output was not easy to read. Later I found this exploit on GitHub, which is written in Python.
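The defender-side counterpart of the bug just described, as an added example that is not code from the writeup or from the linked gist: it parses TLS records from a byte stream and applies the bounds check that the patched OpenSSL performs (header plus claimed payload plus the 16 bytes of minimum padding from RFC 6520 must fit inside the record), which is the condition IDS signatures for CVE-2014-0160 match on. The byte strings are constructed samples, not traffic captured from the box.

```python
import struct

CONTENT_TYPE_HEARTBEAT = 0x18
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: a heartbeat message carries at least 16 bytes of padding


def tls_records(data: bytes):
    """Split a byte stream into (content_type, version, fragment) TLS records."""
    off = 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        frag = data[off + 5:off + 5 + length]
        if len(frag) < length:  # truncated capture: stop rather than misparse
            break
        yield ctype, ver, frag
        off += 5 + length


def check_heartbeat(frag: bytes) -> dict:
    """Apply the bounds check the fixed OpenSSL applies to a heartbeat fragment."""
    if len(frag) < 3:
        return {"ok": False, "reason": "fragment shorter than heartbeat header"}
    hb_type, payload_len = struct.unpack("!BH", frag[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return {"ok": False, "reason": "unknown heartbeat type"}
    # Vulnerable builds trusted payload_len; the fix discards the record when
    # header + claimed payload + minimum padding exceed what actually arrived.
    if 3 + payload_len + MIN_PADDING > len(frag):
        return {"ok": False, "reason": "claimed payload exceeds record",
                "claimed": payload_len, "record_len": len(frag)}
    return {"ok": True}


def scan(data: bytes) -> list:
    """Return one finding per heartbeat record that fails the bounds check."""
    findings = []
    for i, (ctype, ver, frag) in enumerate(tls_records(data)):
        if ctype != CONTENT_TYPE_HEARTBEAT:
            continue
        verdict = check_heartbeat(frag)
        if not verdict["ok"]:
            findings.append({"index": i, "version": hex(ver), **verdict})
    return findings


def build_record(ctype: int, ver: int, frag: bytes) -> bytes:
    """Wrap a fragment in a TLS record header (used only to build the samples)."""
    return struct.pack("!BHH", ctype, ver, len(frag)) + frag


def sample_stream() -> bytes:
    """Constructed stream: application data, a well-formed heartbeat, a malformed one."""
    app_data = build_record(0x17, 0x0302, b"hello")
    benign = build_record(0x18, 0x0302, struct.pack("!BH", HB_REQUEST, 4) + b"ping" + bytes(16))
    # Claims a 4 KB payload but carries only header and padding.
    malformed = build_record(0x18, 0x0302, struct.pack("!BH", HB_REQUEST, 0x1000) + bytes(16))
    return app_data + benign + malformed


if __name__ == "__main__":
    for finding in scan(sample_stream()):
        print(finding)
```

Run over a real capture this only sees plaintext record headers, which is enough: heartbeat records are never encrypted before the handshake finishes, which is exactly when the bug is triggered.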

DOWNLOAD LINK- https://gist.github.com/eelsivart/10174134

The usage is pretty simple as well.

Let's run the exploit and loop 10 times (-n).

If we scroll through the results, we find some interesting base64-encoded text.

Let's decode it in /decode.php (or on any website) and we find heartbleedbelievethehype. This can be the password for hype_key (our ssh key).

And sure enough, when I opened hype_key and it asked for a password, I used this one and was able to unlock the key !!!

FINALLY, let's connect over ssh. For the username we use hype, because if you remember, the original name of the file was hype_key, and moreover the password we found hinted us to believe the hype.

AND WE ARE IN…. as user hype.

PRIVILEGE ESCALATION

I transferred LinPEAS to the target and ran it. The most critical findings, the Linux kernel version and the tmux session, were highlighted in yellow-red. I will cover both ways to escalate privileges.

1) USING TMUX SESSION

tmux is a terminal multiplexer: it enables a number of terminals to be created, accessed, and controlled from a single screen.

It's essentially a shell that is owned by root! So if we can attach to this active tmux session, any command we run there is executed with root privileges.

I ran ls -la to list all files and found that tmux.conf was owned by root.

I also read the contents of bash_history, and it looks like the previous user had run a tmux session.

In order to become root, all I have to do is attach to the tmux session using the same syntax the previous user used.

I ran /usr/bin/tmux -S /.devs/dev_sess and got a tmux session where I was root!

We are root!!!
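What made this escalation possible is a root-owned tmux socket that another user is allowed to connect to. The following audit is an added example, not part of the writeup: it walks a directory tree for unix sockets owned by a given uid (root by default) and flags any that group or other can write to, since connecting to a unix socket requires write permission on it, plus any that sit in a directory others can replace files in. The demo creates two sockets in a constructed temp dir, one with the loose mode seen on /.devs/dev_sess and one private, and checks which the audit reports; it passes the current uid as the owner because the example does not run as root.

```python
import os
import socket
import stat
import tempfile


def find_exposed_sockets(root: str, owner_uid: int = 0) -> list:
    """List unix sockets under root owned by owner_uid that other users could attach to."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:  # os.walk puts non-directory entries, sockets included, here
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISSOCK(st.st_mode) or st.st_uid != owner_uid:
                continue
            reasons = []
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o022:
                # connect() on a unix socket needs write permission on the socket file
                reasons.append("socket writable by group/other (mode %o)" % mode)
            dmode = stat.S_IMODE(os.stat(dirpath).st_mode)
            if dmode & 0o022 and not dmode & stat.S_ISVTX:
                # without the sticky bit, anyone with write on the dir can swap the socket
                reasons.append("parent dir writable by group/other (mode %o)" % dmode)
            if reasons:
                hits.append({"path": path, "reasons": reasons})
    return hits


def demo() -> list:
    """Create two sockets in a private temp dir and return the names the audit flags."""
    root = tempfile.mkdtemp()  # mode 0700, so only the socket modes matter here
    for name, mode in (("dev_sess", 0o660), ("private_sess", 0o600)):
        path = os.path.join(root, name)
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(path)   # creates the socket file on disk
        s.close()      # the file stays until unlinked, which is what we want to audit
        os.chmod(path, mode)
    flagged = find_exposed_sockets(root, owner_uid=os.getuid())
    return sorted(os.path.basename(h["path"]) for h in flagged)


if __name__ == "__main__":
    print(demo())
    # On a real host, run as root and audit from / (slow, but it is the case that matters):
    # for hit in find_exposed_sockets("/"):
    #     print(hit)
```

The fix on a real system is the mirror image of the check: keep session sockets at mode 0600 (tmux's default) in a directory only the owner can write to, and do not leave a root session detached on a multi-user box.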

2) USING DIRTY COW EXPLOIT

Linux kernel versions 2.6.22–3.9 are vulnerable to Dirty COW. You can also use the Linux Exploit Suggester tool to find that our target is vulnerable to Dirty COW.

I have already covered how to use the Dirty COW exploit in several of my previous writeups. You can refer to this writeup of the HackTheBox machine called Lame: https://sparshjazz.medium.com/hack-the-box-lame-73957cd80a13

CONCLUSION

In this box we learned about:

  • Discovering and using the Heartbleed exploit
  • Privilege escalation via an active tmux session owned by root
  • Using the Dirty COW exploit for Linux privilege escalation

I am a Penetration Tester, currently pursuing OSCP. Skilled in network pentesting and developing hacking tools using Python. I share my knowledge on YouTube.