Valentine HackTheBox Walkthrough

1. Enumeration

Port 80 http

And port 443; they look the same, I guess!

Port 80 dirbuster enumeration; looks like /dev has some interesting stuff.

For hype_key we have some hex on the page, so we have to run it through a hex decoder.

After decoding, we have an RSA private key. That could be very useful, and it could belong to a user called hype.

Under notes, we have some clues, I hope: encoding/decoding is done client side, and the decoder/encoder is not to be used until the above is done. Hmmm, an RSA private key, SSH… we might be able to log in.

https://support.rackspace.com/how-to/logging-in-with-an-ssh-private-key-on-linuxmac/

Alright, it is possible to log in using the RSA private key, but we would need a user. Hopefully the user is hype. We will try, but I believe we need a passphrase for this RSA key that we still have to uncover.

Looks like there is more to be done in our enumeration, so we have to either run Nikto or the vulns NSE script from nmap to see if we have exploits to work with.

After running the vulns NSE script, nmap reported a bunch of vulnerabilities, and one of them is notably ssl-heartbleed.

Now I understand the jpg image on the index page. It is referring to Heartbleed! Let’s find Heartbleed scripts for exploitation!

2. Exploitation

Heartbleed 101

The famous Heartbleed comic strip. hahaha

https://www.csoonline.com/article/3223203/what-is-the-heartbleed-bug-how-does-it-work-and-how-was-it-fixed.html

More info at the link above.

Let’s use the first script, which is written in Python.

Heartbeat request sent

Ahh, we have some notable items immediately.

/decode.php

$text=aGBhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==, where the $text value is base64. Let’s decode it.

I used my own Python script for this; you can refer to the previous post, the Poison walkthrough, to understand how the code works!

We have some form of password now, I guess. Hopefully, with the pieces put together, we have a possible hype user and his RSA private key, with the passphrase being heartbleedbelievethehype.
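As an added example (my own code, not the author's script or anything from the box), here is a small Python helper for the two decoding steps above: turning the hex dump into the PEM key and reporting whether that key is passphrase-protected, and strictly decoding a base64 token like $text. The sample key, its DEK-Info line and the token are constructed placeholders.

```python
import base64
import binascii
import re

# Constructed sample (not the key from the box): an encrypted PEM RSA key,
# hex-encoded with line breaks, the way a page like /dev/hype_key might serve it.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "QUJDREVGR0hJSktMTU5PUA==\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_HEX = "\n".join(SAMPLE_PEM.encode().hex()[i:i + 64]
                       for i in range(0, len(SAMPLE_PEM) * 2, 64))

# Constructed base64 token in the shape of the $text value leaked over TLS.
SAMPLE_B64 = base64.b64encode(b"constructedpassphrase\n").decode()

def hex_to_text(blob: str) -> str:
    """Decode a hex dump that may contain spaces/newlines; reject partial bytes."""
    digits = re.sub(r"[^0-9a-fA-F]", "", blob)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits: truncated dump?")
    return bytes.fromhex(digits).decode("utf-8")

def pem_key_info(pem: str) -> dict:
    """Report the key type and whether a passphrase is needed before it is usable."""
    m = re.search(r"-----BEGIN ([A-Z ]+?)-----", pem)
    if not m:
        raise ValueError("no PEM header found; wrong decoding?")
    label = m.group(1)
    headers = dict(re.findall(r"^([A-Za-z-]+): (.+)$", pem, re.M))
    encrypted = (headers.get("Proc-Type", "").endswith("ENCRYPTED")
                 or label == "ENCRYPTED PRIVATE KEY")
    cipher = headers.get("DEK-Info", "").split(",")[0] or None
    return {"type": label, "encrypted": encrypted, "cipher": cipher}

def decode_b64_token(token: str) -> str:
    """Strictly decode one base64 token (bad alphabet/padding raises), trim newline."""
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error as e:
        raise ValueError(f"not valid base64: {e}") from e
    return raw.decode("utf-8").rstrip("\n")

if __name__ == "__main__":
    print(pem_key_info(hex_to_text(SAMPLE_HEX)), decode_b64_token(SAMPLE_B64))
```

A key that reports encrypted=True is the signal that a passphrase still has to be found before ssh -i will accept it.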

And I was right about the clues we got. Perhaps I should be a detective instead. hahahah

3. Privilege Escalation

Hmmm, well, we do not have the password for hype, so no sudo -l…

But we have the user.txt.

Next we check for wget and transfer linuxprivchecker in.

I was not able to find anything useful in the linuxprivchecker output, but we have a list of installed tools, with gcc being one of them, so we can possibly try a kernel exploit.

Since it is Linux kernel version 3.2.0, it is probably a Dirty COW privilege escalation.

Description of the exploit: since the target machine has gcc, we can compile and run it after we transfer the exploit source over to the target machine.

So for this exploit, we simply set our own password for the user firefart and let it write the entry into /etc/passwd.

Now you can see firefart added at the top of /etc/passwd.

After which we simply switch user to firefart, and voila, root privileges!

I would say enumeration plays an important role here, or else Heartbleed would not have been guessed from seeing the image, and of course piecing the clues together. And sometimes you do not need to think too much when you have a clue. For example, hype_key means hype’s key, so the user is hype. We can always take a gamble and try with whatever we have! Overall I had fun!

Till next machine! 😀