1. Enumeration
Port 80: HTTP.
Port 443 looks like the same site, I guess!
Dirbuster enumeration on port 80 shows that /dev has some interesting content.
For hype_key, the page shows a hex-encoded blob, so we need a hex decoder to decode it.
After decoding we have an RSA private key, which could be very useful; it is probably for a user called hype.
Under notes we have what I hope are clues: encoding/decoding is done client-side, and the decoder/encoder is not to be used until the above is done. Hmmm, an RSA private key and SSH… we might be able to log in.
https://support.rackspace.com/how-to/logging-in-with-an-ssh-private-key-on-linuxmac/
Alright, it is possible to log in using the RSA private key, but we would need a username. Hopefully the user is hype. We will try, but I believe we also need a passphrase for this RSA key, which we still have to uncover.
It looks like there is more enumeration to do, so we run either Nikto or nmap's vuln NSE script to see whether there are exploits to work with.
After running the vuln NSE script, nmap reported a bunch of vulnerabilities, one of which is notably ssl-heartbleed.
Now I understand the jpg image on the index page: it refers to Heartbleed! Let's find Heartbleed scripts for exploitation!
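As an added example (not code from the original post), here is a small Python helper for the hype_key decoding step: it turns a hex blob copied from a page into text, locates the PEM block, and reports whether the key is passphrase-protected by checking for the Proc-Type/DEK-Info headers that OpenSSL writes on encrypted keys, which answers the passphrase question before any login attempt. The sample key below is constructed for the example and is not the real hype_key.

```python
import base64
import binascii
import re

# Matches one PEM block; the backreference makes the BEGIN and END labels agree.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def hex_to_text(hex_blob: str) -> str:
    """Decode a hex dump copied from a web page, ignoring whitespace and newlines."""
    cleaned = re.sub(r"\s+", "", hex_blob)
    return binascii.unhexlify(cleaned).decode("utf-8", errors="replace")


def inspect_pem(text: str) -> dict:
    """Find the first PEM block and report its type and whether it is passphrase-protected."""
    match = PEM_RE.search(text)
    if not match:
        return {"found": False}
    label, body = match.group(1), match.group(2)
    lines = body.strip().splitlines()
    headers = {}
    # Encrypted OpenSSL keys carry RFC 1421-style "Key: value" headers before the base64.
    while lines and ":" in lines[0]:
        key, value = lines.pop(0).split(":", 1)
        headers[key.strip()] = value.strip()
    encrypted = "DEK-Info" in headers or headers.get("Proc-Type", "").endswith("ENCRYPTED")
    payload = "".join(line.strip() for line in lines if line.strip())
    try:
        base64.b64decode(payload, validate=True)
        valid_base64 = True
    except binascii.Error:
        valid_base64 = False
    return {
        "found": True,
        "type": label,
        "encrypted": encrypted,
        "dek_info": headers.get("DEK-Info"),
        "valid_base64": valid_base64,
    }


# Constructed sample: a fake, encrypted-looking PEM (NOT the real hype_key), hex-encoded
# the way the blob appears on the /dev page.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    + base64.b64encode(b"not a real key, constructed for this example").decode()
    + "\n-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_HEX = SAMPLE_PEM.encode().hex()

if __name__ == "__main__":
    print(inspect_pem(hex_to_text(SAMPLE_HEX)))
```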
2. Exploitation
The famous Heartbleed comic strip. hahaha
More info at the link above.
Let's use the first script, which is written in Python.
Heartbeat request sent
Ahh, we have some notable items immediately.
/decode.php
$text=aGBhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==, where the $text value is base64-encoded. Let's decode it.
I used my own Python script for this; you can refer to the previous post, the Poison walkthrough, to understand how the code works!
Now we have some form of password, I guess. Hopefully, putting the pieces together, we have a possible user hype, his RSA private key, and the passphrase heartbleedbelievethehype.
And I was right about the clues we got. Perhaps I should be a detective instead. hahahah
3. Privilege Escalation
Hmmm, well, we do not have the password for hype, so no sudo -l…
But we do have user.txt.
Next we check for wget and transfer linuxprivchecker in.
I was not able to find anything useful in linuxprivchecker's output, but it lists the installed tools, with gcc among them, so we can possibly try a kernel exploit.
Since the kernel is Linux version 3.2.0, it is probably vulnerable to a Dirty COW privilege escalation.
Description of the exploit: since the target machine has gcc, we can compile and run it after transferring the source over to the target machine.
For this exploit, we simply set our own password for the user firefart and let it write into /etc/passwd.
Now you can see firefart added at the top.
After that we simply switch user to firefart, and voila, root privileges!
I would say enumeration plays an important role here; otherwise Heartbleed would not have been guessed from seeing the image, and of course piecing the clues together matters too. And sometimes you do not need to think too much when you have a clue. For example, hype_key means hype's key, so the user is hype. We can always take a gamble and try with whatever we have! Overall I had fun!
Till the next machine! 😀