Valentine

OS: Linux, Difficulty: Easy, IP: 10.10.10.79

Initial Enumeration

# Nmap 7.80 scan initiated Thu Sep 26 21:07:03 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 22,80,443 10.10.10.79
Nmap scan report for 10.10.10.79
Host is up (0.22s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
|   2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_  256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after:  2019-02-06T00:45:25
|_ssl-date: 2019-09-26T15:29:40+00:00; -7m54s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 - 3.5 (95%), Linux 3.0 (95%), Linux 2.6.38 - 3.0 (94%), Nokia N9 phone (Linux 2.6.32) (94%), Linux 3.2 (94%), Linux 2.6.38 - 2.6.39 (94%), Linux 2.6.39 (94%), Linux 3.5 (93%), Linux 2.6.32 - 3.10 (93%), Linux 2.6.32 - 3.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: -7m54s

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   219.71 ms 10.10.14.1
2   219.86 ms 10.10.10.79

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 26 21:07:36 2019 -- 1 IP address (1 host up) scanned in 33.04 seconds

The web page clearly signals towards the Heartbleed bug.

As the web page signals towards the Heartbleed bug, I downloaded a script and tested an exploit for Heartbleed. You can download the script from the link below.

The heartbleed.py script dumped a base64-encoded string in the form of a $text parameter which, when decoded, looked like a password: heartbleedbelievethehype

Now the next task was to find a username of some kind to test the password against the SSH service, so I ran gobuster and found the following directories, of which /dev seemed the most interesting.

hype_key seemed an interesting file; it was hex-encoded, and after decoding it from hex it turned out to be an RSA private key, probably for SSH. Going by the naming convention, hype_key appeared to be the key for the user hype.
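As an added example (not part of the original writeup), a small Python check a defender can run over files in a web root to flag content that decodes, whether raw, hex or base64, to PEM private-key material, which is exactly the kind of exposure the hype_key file represents. The sample PEM body below is constructed and is not a real key.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample: looks like a PEM key but is not a real key.
FAKE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEpAIBAAKCAQEAexample-not-a-real-key-body\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_RAW = FAKE_PEM.encode()
# Hex-encoded and wrapped at 64 columns, like a hex dump pasted into a file.
_HEX = SAMPLE_RAW.hex()
SAMPLE_HEX = "\n".join(_HEX[i:i + 64] for i in range(0, len(_HEX), 64)).encode()
SAMPLE_B64 = base64.b64encode(SAMPLE_RAW)

PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----")

def _try_hex(data: bytes) -> Optional[bytes]:
    stripped = b"".join(data.split())  # tolerate wrapped or spaced hex
    if len(stripped) % 2 or not re.fullmatch(rb"[0-9a-fA-F]+", stripped):
        return None
    return bytes.fromhex(stripped.decode())

def _try_base64(data: bytes) -> Optional[bytes]:
    stripped = b"".join(data.split())
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None

def find_private_key(data: bytes) -> Optional[str]:
    """Return 'raw', 'hex' or 'base64' when data contains PEM private-key
    material under that encoding, or None when nothing is found."""
    if PEM_HEADER.search(data):
        return "raw"
    # Hex is tried first because every hex string is also valid base64.
    for name, decoder in (("hex", _try_hex), ("base64", _try_base64)):
        decoded = decoder(data)
        if decoded and PEM_HEADER.search(decoded):
            return name
    return None

def scan_file(path: str) -> Optional[str]:
    """Apply find_private_key to one file on disk."""
    with open(path, "rb") as fh:
        return find_private_key(fh.read())
```

Run `scan_file` over everything under the document root (for example from a pre-deploy hook) and treat any non-None result as a blocking finding.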

We had the username, an RSA key, and a password, so let's try to connect to the server with these pieces.

User own

Root own

The next part is to enumerate potential attack vectors using the Linux Smart Enumeration script.

Out of everything, what stood out the most was this list of writable files, and most importantly the file /.devs/dev_sess.

However, I was not able to read the file because it was a socket file, so I moved away from it and tried enumerating the current user's history.

And lo and behold, it turns out to be a tmux socket file, which we can attach to using the tmux command.

As it turns out, this session was owned by root, and now we have root access on the box.

Learning Outcome

Suspicious files and basic user enumeration lead to great results, as always.