Hack The Box - Valentine
We are going to pwn Valentine from Hack The Box.
Link : https://www.hackthebox.eu/home/machines/profile/127
As always, we begin with our Nmap scan.
Nmap Scan Results
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
| 2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_ 256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after: 2019-02-06T00:45:25
|_ssl-date: 2019-12-07T15:32:32+00:00; +19s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.0 (95%), Linux 2.6.32 - 3.5 (95%), Nokia N9 phone (Linux 2.6.32) (95%), Linux 2.6.38 - 3.0 (94%), Linux 3.2 (94%), Linux 2.6.38 - 2.6.39 (94%), Linux 2.6.39 (94%), Linux 3.5 (93%), Linux 2.6.32 - 3.10 (93%), Linux 2.6.32 - 3.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
As always, we start from the web page.
The image on the page is the Heartbleed logo, which hints that the server may be vulnerable to Heartbleed.
Gobuster Results
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.79
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/12/07 19:25:22 Starting gobuster
===============================================================
/index (Status: 200)
/dev (Status: 301)
/encode (Status: 200)
/decode (Status: 200)
/omg (Status: 200)
/server-status (Status: 403)
===============================================================
2019/12/07 21:11:06 Finished
===============================================================
To learn what Heartbleed is, this will be very helpful.
To confirm it, we can use Nmap scripts.
Yes, it is confirmed, so I searched for exploits.
This one might work.
When the script runs, it grabs some memory for us.
While it was running in the background I looked at the directories. There is /decode.php
and /encode.php.
I tried some commands to get anything useful, but none worked!
The script found some base64 in the leaked memory, so let's decode it; for that I used /decode.php.
It may be a password for something.
Getting User Shell
While checking other directories I found hype_key
under /dev.
It is in hex, so we can decode it and see what we get.
xxd - make a hexdump or do the reverse.
-r reverse: convert hex back into binary
-p plain: read plain hex digits without the hexdump layout
We got an SSH private key.
Since the file was named hype_key, we can try logging in as hype with it.
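As an added example (not from the original writeup), here is the `xxd -r -p` step above generalized into a small Python check an administrator could run over a web root to find private keys that are exposed raw, hex-encoded or base64-encoded, before a file like hype_key is found by someone else. The PEM text inside it is a constructed sample, not the key from the box.

```python
import base64
import binascii
import re
from typing import Dict, Optional

# Constructed sample standing in for a hex-encoded key file (not a real key).
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "CONSTRUCTEDSAMPLEKEYMATERIALNOTAREALKEY\n"
    "-----END RSA PRIVATE KEY-----\n"
)
_hex = SAMPLE_PEM.encode().hex()
# Wrapped at 60 columns, like a hexdump pasted into a web-served file.
SAMPLE_HEX = "\n".join(_hex[i:i + 60] for i in range(0, len(_hex), 60))
SAMPLE_B64 = base64.b64encode(SAMPLE_PEM.encode()).decode()

PEM_KEY_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def decode_plain_hex(text: str) -> bytes:
    """Equivalent of `xxd -r -p`: drop whitespace, decode the hex digits."""
    digits = re.sub(r"\s+", "", text)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(digits)  # ValueError on non-hex characters


def looks_like_private_key(data: bytes) -> bool:
    return PEM_KEY_RE.search(data) is not None


def classify_exposed_key(text: str) -> Optional[str]:
    """Return 'pem', 'hex' or 'base64' if text holds a private key in that
    encoding, otherwise None. Each decoder failure just means 'not that encoding'."""
    if looks_like_private_key(text.encode("utf-8", "replace")):
        return "pem"
    try:
        if looks_like_private_key(decode_plain_hex(text)):
            return "hex"
    except ValueError:
        pass
    try:
        stripped = re.sub(r"\s+", "", text)
        if looks_like_private_key(base64.b64decode(stripped, validate=True)):
            return "base64"
    except (binascii.Error, ValueError):
        pass
    return None


def scan_files(files: Dict[str, str]) -> Dict[str, str]:
    """Map path -> encoding for every file that contains a private key."""
    return {p: enc for p, t in files.items() if (enc := classify_exposed_key(t))}
```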
It asks for a passphrase; maybe it is the one we got from the Heartbleed exploit.
hype:heartbleedbelievethehype
We are successfully logged in as hype.
Privilege Escalation
While checking the kernel version, it looks like an old one.
Yes it is, so we can use Dirty Cow
for privilege escalation.
I uploaded the script to the machine and ran it following the given instructions.
Yes, it worked: it created a new user with root privileges.