[HTB] Valentine writeup

Welcome back to Exploitnetworking! Today we’ll go through a Valentine writeup. This box is really fun because the first step is based on the Heartbleed vulnerability, which lets you exploit OpenSSL and read the machine’s memory. After that, for privilege escalation, we’ll use a cool tmux trick!

The first step is a normal scan of the machine:

As we can see, several ports are open: port 22 for the SSH service, 80 for the web service, and 443 for the OpenSSL web service. Open the browser and type 10.10.10.79 in the URL bar:

In this wallpaper there is a famous logo that represents the Heartbleed vulnerability (if you want to know more about Heartbleed, visit the official website: http://heartbleed.com/). Maybe this machine is vulnerable ;). Let’s try searchsploit to see if there is a script we can use:

Yep! Let’s try the second script:

As we can see, there is an interesting variable in the output: $text, in base64 format:

Oh yeah, this is interesting! Maybe this is an SSH password, but if we try this password it does not work. Try it with the user “valentine” (this username seems reasonable):

Nope. Let’s continue with enumeration and run dirbuster against the web service. The result is:

OK, there are some interesting files: hype_key and notes.txt. The content of the first file is a sequence of hexadecimal values, and notes.txt is a developer’s to-do file. Let’s convert the first file to a string:

Now print the string values of this sequence with Python:

Oh yeah, replace the content of the hype_key file with this private key and try to use it:

It doesn’t work with valentine, so try with “hype”:

Oh yeah, it works with the heartbleedbelievethehype password! Get the flag on the desktop and continue the enumeration for privilege escalation:

For enumeration, let’s use LinEnum.sh. Create a simple HTTP server on my machine and download LinEnum onto the server:

and on the server:

Now run the script:

In the LinEnum output there is an interesting process:

This process appears to be a socket shared by root using tmux. Let’s try to use this socket file with tmux:

and it works! Now we are administrator!
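
From the defender's side, the tmux trick comes down to a root-owned UNIX socket that a non-root user is allowed to write to. The Python audit below is an added example, not code from the original writeup; the function names and the demo socket names are hypothetical, and the demo sockets are constructed and owned by the current user.

```python
import os
import socket
import stat
import tempfile


def find_shared_sockets(root_dir, owner_uid=0):
    """List UNIX sockets under root_dir that are owned by owner_uid and
    writable by group or other (write permission is what allows connect())."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for name in filenames:  # os.walk reports sockets as non-directories
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable
            if not stat.S_ISSOCK(st.st_mode) or st.st_uid != owner_uid:
                continue
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, stat.filemode(st.st_mode), st.st_gid))
    return findings


def make_socket(path, mode):
    """Create a constructed demo socket at path with the given mode."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    os.chmod(path, mode)
    return s


if __name__ == "__main__":
    # Constructed demo: the sockets belong to the current user, so we pass
    # our own uid. On a real host keep owner_uid=0 and scan the directories
    # where session sockets are kept.
    with tempfile.TemporaryDirectory() as d:
        shared = make_socket(os.path.join(d, "shared_sess"), 0o660)
        private = make_socket(os.path.join(d, "private_sess"), 0o600)
        for path, mode, gid in find_shared_sockets(d, owner_uid=os.getuid()):
            print(f"{mode} gid={gid} {path}")
        shared.close()
        private.close()
```

Any hit for owner_uid=0 means members of the listed group (or everyone, if the "other" write bit is set) can attach to whatever root is running behind that socket.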

    2018-07-30T14:13:46+00:00
