HTB – Valentine

Welcome to valentine and this gave me some trouble. I know people say it’s on the easier side of things but something about it took me a while to figure out what made this box tick. This machine is vulnerable to Heartbleed, which we will use to grab an SSH key and move on to privesc.

Walkthrough

Our initial nmap scan reveals some working ports and a follow up UDP scan revealed one port:

First steps, lets check out these web servers.

On port 80 we are redirected to port 443:

It took me a while to identify what was happening here but this picture really was worth a thousand words. This machine is vulnerable to Heartbleed, a logic error that allowed attackers to grab random chunks of memory.

I found a script off serchsploit and ran it:

When I first ran it, my entire screen was covered in 0’s so I used `grep -v “00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00” to leave those lines out.

But it is vulnerable! Now what?

Well I ran it a few more times and noticed some interesting tidbits of info coming through:

Looks like base64:

I will keep that for later. I ran heartbleed a bunch of more times and got nothing so I went back to square one and enumerated some directories for the web address.

\/dev

This directory has 2 files

  • – hype key
  • – notes

To do:

1) Coffee.
2) Research.
3) Fix decoder/encoder before going live.
4) Make sure encoding/decoding is only done client-side.
5) Don’t use the decoder/encoder until any of this is done.
6) Find a better way to take notes.

and hype key is a random bunch of hex numbers. I’ll try to decode this also:

Hmm a SSH key. This is nice. But it’s password protected and maybe the password we got from heartbleed is what we need?

Lets go over to openssl and see if it works:

Winner!

Now it’s time to SSH in. This part took me a while. I couldn’t for the life of me figure out the username. Simple CTF stuff too! Username was hype. Makes sense too: hype_key.

Now it’s time to escalate some privileges. I tried sudo -l and nothing. My next step is to see what processes are running as root.

When I first completed this box I used Dirty Cow but I always like to read up pm boxes after I complete to find out if I missed anything that could give me an edge on the OSCP.

Right there I can see tmux running as root! This is interesting because I should able to access tmux from the low priv user and I am pretty sure I could abuse this.

I run the history command and see:

From the looks of it we can run tmux -S /.devs/dev_sess and we should be come root:

Grab the root flag and we are done!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: