Hackthebox Valentine Walkthrough (NO Metasploit) OSCP Prep

Felix Meggison
4 min read · Apr 4, 2021

HTB Valentine Walkthrough

Box Details

OS: Linux

Exploitable services: web server (Heartbleed), tmux running as root

Difficulty: Easy

Estimated time: 45 minutes

1. Nmap fast scan shows there are only 3 ports open.

2. Nmap full scan shows the versions of the services running on those ports.

3. Nmap all-ports scan confirms only 3 ports are open on this server.

4. Nmap vuln scan confirms this box is flagged as vulnerable by the ssl-ccs-injection, ssl-heartbleed and ssl-poodle scripts.

Directory brute-force web enumeration: we use gobuster to find hidden directories on the web server, checking both port 80 and port 443.

  • The -k flag was needed to enumerate port 443 over TLS. The same directory was found on both ports, and we focus on port 443 because it is the one flagged as vulnerable to multiple exploits.

Visiting the HTTPS web page offers a hint that this server may be vulnerable to Heartbleed: the first page shows an image of a woman with a bloody heart (maybe she recently had a heartbreak).

Looking at the /dev directory shows two files.

The hype_key file is a hex dump and will need converting into ASCII (Kali has a built-in tool for this).

The notes.txt just seems to be a note :)

So we save the hype_key hex dump locally as Hexhype.txt and convert it:

cat Hexhype.txt | xxd -p -r

This command converts the hex dump into ASCII output, which can be saved as a file.

After converting the hex dump to ASCII, it is clear that the file is an encrypted SSH private key, probably for the hype user, so a passphrase will be required to log in via SSH.

Confirming the Heartbleed vulnerability

A Google search for public GitHub exploits shows several; we try the first one.

https://gist.github.com/eelsivart/10174134

Running the exploit

Running the exploit shows that the server is indeed vulnerable and dumps leaked memory, among which a base64 string appears:

aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==

Using Kali's built-in base64 decoder, we decode the text and get an output which might be the passphrase for our encrypted SSH private key.

We try to connect to the server using the converted hype_key file and the newly decoded string as the passphrase.

This works: we are logged in as the hype user and can read user.txt.

We carry out more enumeration on this server to escalate privileges to root, using linpeas.sh, a Linux enumeration script focused on privilege escalation.

Running the script shows that the Linux kernel is vulnerable to privilege escalation through some kernel exploits; we investigate other avenues first.

Looking further, we see a tmux process running as root, along with its socket path.

Investigating the socket file shows that the hype user's group owns it. So we run tmux and specify that socket to escalate to root.

We are now root, inside a tmux session.
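As an added example (not from the original walkthrough), the following Python script audits a directory tree for the misconfiguration that made the last step possible: a Unix socket owned by root that other users can connect to, since pointing tmux at a socket only needs write access on the socket file. The sample sockets it builds are constructed for demonstration; the box's real socket path is not given in the post, and tmux normally keeps its sockets under /tmp/tmux-<uid>/.

```python
import os
import socket
import stat
import tempfile

def socket_risk(path, privileged_uid=0):
    """Return a finding if `path` is a Unix socket owned by `privileged_uid` that
    other users can connect to, else None. Connecting needs the write bit."""
    try:
        st = os.lstat(path)
    except OSError:
        return None
    if not stat.S_ISSOCK(st.st_mode) or st.st_uid != privileged_uid:
        return None
    perms = stat.S_IMODE(st.st_mode)
    if perms & stat.S_IWOTH:
        return f"{path}: socket owned by uid {st.st_uid} is world-writable (mode {perms:04o})"
    if perms & stat.S_IWGRP:
        return f"{path}: socket owned by uid {st.st_uid} is writable by gid {st.st_gid} (mode {perms:04o})"
    return None

def audit_tree(root_dir, privileged_uid=0):
    """Walk root_dir (e.g. /tmp) and collect every exposed socket of privileged_uid."""
    findings = []
    for dirpath, _dirs, names in os.walk(root_dir):
        for name in names:
            finding = socket_risk(os.path.join(dirpath, name), privileged_uid)
            if finding:
                findings.append(finding)
    return findings

def make_sample_socket(directory, name, mode):
    """Constructed fixture: bind a Unix socket at directory/name, then chmod it."""
    path = os.path.join(directory, name)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.bind(path)  # the socket file stays on disk after close
    os.chmod(path, mode)
    return path

def run_demo():
    """Constructed sample: one group-writable socket (the Valentine pattern), one private socket, one plain file."""
    tmpdir = tempfile.mkdtemp(prefix="tmux-audit-")
    exposed = make_sample_socket(tmpdir, "default", 0o770)
    make_sample_socket(tmpdir, "private", 0o700)
    with open(os.path.join(tmpdir, "notes.txt"), "w") as f:
        f.write("not a socket\n")
    # Audit as the current user so the demo works without root.
    return audit_tree(tmpdir, privileged_uid=os.getuid()), exposed
```

On a real host, run audit_tree("/tmp") as root; any finding means a non-root group or everyone can attach to that owner's tmux server.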

Thanks for reading


Felix Meggison

I'm a cyber security analyst who wants to be a professional penetration tester. Currently working on getting my OSCP certification.