Hack The Box

HackTheBox “Valentine” Walkthrough

Valentine, an easy-level Linux OS machine on HackTheBox, a vulnerable web service affected by Heartbleed exploit. By leveraging this vulnerability, an attacker extracts a password from memory Combined with an…

HackTheBox “Valentine” Walkthrough, figure 1

Valentine, an easy-level Linux OS machine on HackTheBox, a vulnerable web service affected by Heartbleed exploit. By leveraging this vulnerability, an attacker extracts a password from memory Combined with an encrypted RSA key found in a web directory grants SSH access. Privilege escalation offers two paths, with the root tmux session being favored and kernel exploit using DirtyCow.

Let’s get started! 🚀

Recon & Enumeration

Let’s use nmap to scan for open ports and services:

HackTheBox “Valentine” Walkthrough, figure 2

Visit the target on port 80.

HackTheBox “Valentine” Walkthrough, figure 3

Visit the target on port 443.

HackTheBox “Valentine” Walkthrough, figure 4

We will use nmap NSE scripts to look for vulnerabilities targetting port 80 and 443.

┌──(kali㉿kali)-[~/Desktop]└─$ sudo nmap -p 80,443 --script vuln 10.10.10.79[sudo] password for kali: Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-08 17:04 +03Nmap scan report for 10.10.10.79Host is up (0.11s latency).PORT    STATE SERVICE80/tcp  open  http|_http-dombased-xss: Couldn't find any DOM based XSS.|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)|_http-csrf: Couldn't find any CSRF vulnerabilities.| http-enum: |   /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'|_  /index/: Potentially interesting folder443/tcp open  https| ssl-poodle: |   VULNERABLE:|   SSL POODLE information leak|     State: VULNERABLE|     IDs:  BID:70574  CVE:CVE-2014-3566|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other|           products, uses nondeterministic CBC padding, which makes it easier|           for man-in-the-middle attackers to obtain cleartext data via a|           padding-oracle attack, aka the "POODLE" issue.|     Disclosure date: 2014-10-14|     Check results:|       TLS_RSA_WITH_AES_128_CBC_SHA|     References:|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566|       https://www.imperialviolet.org/2014/10/14/poodle.html|       https://www.openssl.org/~bodo/ssl-poodle.pdf|_      https://www.securityfocus.com/bid/70574|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.| ssl-heartbleed: |   VULNERABLE:|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.|     State: VULNERABLE|     Risk factor: High|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.|           |     References:|       http://cvedetails.com/cve/2014-0160/|       http://www.openssl.org/news/secadv_20140407.txt |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)|_http-dombased-xss: Couldn't find any DOM based XSS.|_http-csrf: Couldn't find any CSRF vulnerabilities.| http-enum: |   /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'|_  /index/: Potentially interesting folder| ssl-ccs-injection: |   VULNERABLE:|   SSL/TLS MITM vulnerability (CCS Injection)|     State: VULNERABLE|     Risk factor: High|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h|       does not properly restrict processing of ChangeCipherSpec messages,|       which allows man-in-the-middle attackers to trigger use of a zero|       length master key in certain OpenSSL-to-OpenSSL communications, and|       consequently hijack sessions or obtain sensitive information, via|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.|           |     References:|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224|       http://www.cvedetails.com/cve/2014-0224|_      http://www.openssl.org/news/secadv_20140605.txtNmap done: 1 IP address (1 host up) scanned in 41.82 seconds

Exploitation:

And the results mention Heartbleed vulnerability, let’s go for it.

HackTheBox “Valentine” Walkthrough, figure 5

Copying the exploit to the working directory.

HackTheBox “Valentine” Walkthrough, figure 6

Run on the target.

HackTheBox “Valentine” Walkthrough, figure 7

By scrolling on the right side, you’ll come across the string “aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==”. It appears to be encoded in base64, so let’s attempt to decode it.

HackTheBox “Valentine” Walkthrough, figure 8

The decoded phrase “heartbleedbelievethehype” is noted for future use.

During the vulnerability scan using NSE scripts in the nmp tool, two intriguing directories, “dev” and “index,” were discovered on port 80 of the target. Now, let’s examine the “dev” directory.

HackTheBox “Valentine” Walkthrough, figure 9

lets check the hype_key file.

HackTheBox “Valentine” Walkthrough, figure 10

Download the hexdump file above in the working directory.

HackTheBox “Valentine” Walkthrough, figure 11

Now we convert the hexdump file above to ASCII using the “xxd” tool.

HackTheBox “Valentine” Walkthrough, figure 12

Let’s try to decrypt it using openssl.

HackTheBox “Valentine” Walkthrough, figure 13

We are prompted for a password, so let’s try entering the passphrase we obtained using the Heartbleed exploit: “heartbleedbelievethehype.”

HackTheBox “Valentine” Walkthrough, figure 14

Next, we’ll attempt SSH access to the target using the decrypted key file and the username “hype” guessed according to the key file name found in the /dev directory of the target.

HackTheBox “Valentine” Walkthrough, figure 15

Encountering an error while attempting to SSH with the key: “sign_and_send_pubkey: no mutual signature supported.”

This could be due to outdated SSH ciphers on the system. To address this, it is recommended to search for a workaround online. The RSA SHA-1 hash algorithm is being phased out due to security vulnerabilities, leading to its rejection by various operating systems and SSH clients. If generating new SSH keys using ECDSA and ED25519 algorithms is possible, it is advised to do so.

However, if not feasible, one potential solution is to add the line “-oPubkeyAcceptedAlgorithms=+ssh-rsa” to the affected SSH client’s config file to re-enable ssh-rsa support.

HackTheBox “Valentine” Walkthrough, figure 16

Privilege Escalation:

Due to limited privileges, we require privilege escalation. Download linpeas.sh onto the target machine.

HackTheBox “Valentine” Walkthrough, figure 17

Linpeas.sh provided us with two privilege escalation methods:

The first method involves a kernel exploit.

HackTheBox “Valentine” Walkthrough, figure 18

The second method is exploiting the tmux process and run it as root.

HackTheBox “Valentine” Walkthrough, figure 19

We will proceed with the first method of exploitation, which has been confirmed to be effective due to the vulnerability of DirtyCow exploit.

HackTheBox “Valentine” Walkthrough, figure 20

Upon reviewing multiple options, we will consider 40839.c as a means to add a root user to the passwd file, as suggested by Google too.

HackTheBox “Valentine” Walkthrough, figure 21

Movign the exploit to the working directory and examine its contents.

HackTheBox “Valentine” Walkthrough, figure 22

HTTP server initiated.

HackTheBox “Valentine” Walkthrough, figure 23

The exploit was downloaded onto the target machine.

HackTheBox “Valentine” Walkthrough, figure 24

Compiling and running the exploit.

HackTheBox “Valentine” Walkthrough, figure 25

Switching to the new root profile, “firefart.”

HackTheBox “Valentine” Walkthrough, figure 26

Cheers.