We are going to pwn Valentine from Hack The Box.
As always, we begin with our Nmap scan.
Nmap Scan Results
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
| 2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_ 256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after: 2019-02-06T00:45:25
|_ssl-date: 2019-12-07T15:32:32+00:00; +19s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.0 (95%), Linux 2.6.32 - 3.5 (95%), Nokia N9 phone (Linux 2.6.32) (95%), Linux 2.6.38 - 3.0 (94%), Linux 3.2 (94%), Linux 2.6.38 - 2.6.39 (94%), Linux 2.6.39 (94%), Linux 3.5 (93%), Linux 2.6.32 - 3.10 (93%), Linux 2.6.32 - 3.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
As always, start with the webpage.
This image looks like Heartbleed; it may be a hint.
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.79
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/12/07 19:25:22 Starting gobuster
===============================================================
/index (Status: 200)
/dev (Status: 301)
/encode (Status: 200)
/decode (Status: 200)
/omg (Status: 200)
/server-status (Status: 403)
===============================================================
2019/12/07 21:11:06 Finished
===============================================================
To learn what Heartbleed is, this will be very helpful:
To confirm it, we can use Nmap scripts.
Yes, it is confirmed, so I searched for exploits.
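Heartbleed comes down to one missing length check in OpenSSL's TLS heartbeat handler: the server copied as many bytes into its reply as the peer's length field claimed, even when the record it actually received was far shorter. The following is an added example, not code from the original writeup; it simulates the unpatched and the patched check over a constructed record, and the neighbouring "process memory" and credential string are made up for illustration.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 0x01
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding.
    claimed_len is written into the length field and may differ from len(payload)."""
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_len)
            + payload + b"\x00" * MIN_PADDING)


def handle_vulnerable(memory: bytes, rec_len: int) -> bytes:
    """Unpatched logic: the payload_length field is trusted and that many bytes are
    copied into the response, even if that runs past the end of the record."""
    claimed = struct.unpack("!H", memory[1:3])[0]
    return memory[3:3 + claimed]


def handle_fixed(memory: bytes, rec_len: int) -> Optional[bytes]:
    """Patched logic: the declared length must fit inside the received record
    (1 type byte + 2 length bytes + payload + 16 padding bytes); otherwise drop it."""
    if rec_len < 1 + 2 + MIN_PADDING:
        return None
    claimed = struct.unpack("!H", memory[1:3])[0]
    if 1 + 2 + claimed + MIN_PADDING > rec_len:
        return None
    return memory[3:3 + claimed]


# Constructed stand-in for process memory: the record is followed by unrelated
# data the server also holds (a made-up credential string, padded to 64 bytes).
NEIGHBOUR = b"user=hype&pass=example-secret".ljust(64, b"\x00")


def simulate(payload: bytes, claimed_len: int):
    """Return (vulnerable_response, fixed_response) for one heartbeat record."""
    record = build_heartbeat(payload, claimed_len)
    memory = record + NEIGHBOUR
    return handle_vulnerable(memory, len(record)), handle_fixed(memory, len(record))


if __name__ == "__main__":
    print("honest record  :", simulate(b"ping", 4))
    print("oversized claim:", simulate(b"ping", 60))
```

With an honest length both handlers echo the 4-byte payload; with a claimed length of 60 the unpatched handler returns 60 bytes that run into the neighbouring data, while the patched one discards the record.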
This one might work.
When the script runs, it grabs some memory for us.
While it was running in the background, I looked for directories.
I tried some commands to get anything useful, but none worked!
The script also found some base64; let's try to decode it. For that I used
It may be a password for something.
Getting User Shell
While checking the other directories, I found
It is in hex, so we can decode it and see what we get.
xxd: make a hexdump or do the reverse.
-r: reverse operation (convert a hexdump back to binary); -p: plain hexdump style (no offsets or ASCII column).
We got an SSH private key.
We can try to log in with it as hype, since we got it as
It's asking for a passphrase; maybe it is the one we got from the Heartbleed exploit.
We are successfully logged in as
Checking the kernel, it looks like an old one.
Yes, it is; we can use Dirty Cow for privilege escalation.
I uploaded the script to the machine and ran it following the given instructions.
Yes, it worked; it created a new user as