Hack The Box — Valentine — without Metasploit (TJNull’s list for OSCP)

Daniyal Ahmed
6 min read · May 12, 2023

This is my 9th write-up, this time for Valentine, a machine from TJNull’s list of HackTheBox machines for OSCP practice. The full list can be found here.

In a general penetration test or a CTF, there are usually 3 major phases involved.

  1. Enumeration and Scanning (Information Gathering).
  2. Initial Foothold.
  3. Privilege Escalation.

Let’s get started with the box!

Enumeration

In order to get into a system we first need to gather some information about it. For that, we use Nmap to scan the ports of the target machine and find out which services are running, since those services are what we will target.

nmap -sC -sV -O -A -T4 -Pn 10.129.237.176

  • -sC runs the default scripts to enumerate the services further.
  • -sV enumerates the versions of the services.
  • -O enumerates the operating system (not usually needed if you use -A, but who cares).
  • -A runs an aggressive scan (not usually recommended in a real environment).
  • -T4 sets the timing template, i.e. how aggressively nmap parallelizes the scan.
  • -Pn forces enumeration even if the machine does not respond to ICMP (ping) packets.
nmap result

We found 3 ports open: SSH, HTTP and HTTPS. Judging by the versions of Apache and OpenSSH (2.2.22 and 5.9p1 respectively), this looks like an old operating system. If we do a quick reverse search on these versions we can see that they shipped with Ubuntu Precise 12.04. Launchpad is a good source for reverse-searching package versions.

https://launchpad.net/ubuntu/+source/openssh/1:5.9p1-5ubuntu1.10

https://launchpad.net/ubuntu/+source/apache2/2.2.22-1ubuntu1.10


If the operating system is that old, it’s a good idea to run the nmap vuln script, since old operating systems can have several vulnerabilities that we can exploit.

nmap -Pn --script vuln 10.129.237.176

vuln script

While that runs in the background, let’s visit the web server and see what we have there.

web-server port 80

Looks like we only have an image here. But something to notice: we can see a bleeding heart in the picture. It could be a hint for the “Heartbleed” vulnerability. That would make sense, since the operating system is so old. However, we will only be sure about it once our nmap script completes.

Let’s try running gobuster on this web-server.

gobuster dir -u http://10.129.237.176 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt -x php,html,log,txt -t 200 -k --no-error

Gobuster

Visiting the web server on port 443 using HTTPS, we see that it’s probably the same web server, just with SSL enabled.

After a short while gobuster also lists the following directories:

  1. /encode
  2. /decode
  3. /dev

Let’s visit /dev first.

/dev

Here we can see notes.txt and hype_key file.

Let’s see what’s inside hype_key.

hype_key

We have a string of hex. Let’s convert it into ASCII with any online hex-to-ASCII converter.

After converting Hex to ASCII we have the following result:

It looks like an encrypted RSA private key that can be used to SSH into the target. The username is probably hype, because the name of the file was “hype_key”.

Let’s save this into a text file (hype_key.txt) on our attacking machine; we may need it at some point. Also, when we use a private key to SSH into a machine we have to set its permissions to 600, so we can do that as well with chmod.

chmod 600 hype_key.txt

chmod 600
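The hype_key handling above (hex dump to PEM, noticing it is passphrase-protected, saving it with mode 600) as an added Python example that is not part of the original write-up. The hex dump it decodes is a constructed stand-in with the same headers as the real file, not the key from the box:

```python
import binascii
import os
import stat
import tempfile

# Constructed sample in the same shape as the hype_key file: a hex dump of an
# OpenSSL "traditional" PEM key with passphrase headers. NOT the box's real key.
SAMPLE_HEX = binascii.hexlify(
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    b"\n"
    b"Y29uc3RydWN0ZWQga2V5IGJvZHkgZm9yIGlsbHVzdHJhdGlvbg==\n"
    b"-----END RSA PRIVATE KEY-----\n"
).decode()


def hex_to_pem(hex_text: str) -> str:
    """Decode a hex dump (whitespace and line breaks tolerated) into PEM text."""
    cleaned = "".join(hex_text.split())
    return binascii.unhexlify(cleaned).decode("ascii")


def pem_is_encrypted(pem: str) -> bool:
    """True when the key needs a passphrase: either the legacy OpenSSL
    'Proc-Type: 4,ENCRYPTED' + 'DEK-Info' headers (hype_key's case, which is
    why ssh prompts for a passphrase) or a PKCS#8 ENCRYPTED PRIVATE KEY label."""
    legacy = "Proc-Type: 4,ENCRYPTED" in pem and "DEK-Info:" in pem
    return legacy or "BEGIN ENCRYPTED PRIVATE KEY" in pem


def save_key(pem: str, path: str) -> int:
    """Write the key readable by the owner only (ssh rejects keys with looser
    permissions) and return the resulting permission bits, i.e. 0o600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(pem)
    os.chmod(path, 0o600)  # umask or a pre-existing file could have widened it
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    pem = hex_to_pem(SAMPLE_HEX)
    print(pem)
    print("passphrase-protected:", pem_is_encrypted(pem))
    out = os.path.join(tempfile.gettempdir(), "hype_key.txt")
    print("saved with mode %o" % save_key(pem, out))
```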

Let’s try to use this key with username hype and SSH into the target.

(NOTE: I wrote this write-up in two different sittings, so the target’s IP has been changed from 10.129.237.176 to 10.129.183.210.)

As expected, since the key is an encrypted SSH key, it asks us for the passphrase.

And we don’t have it at the moment.

Now, if we look back at the nmap scan that we ran with the vuln script, we can be sure that our target is in fact vulnerable to Heartbleed.

--script vuln result

Exploitation

Let’s search for a Heartbleed exploit.

searchsploit heartbleed

We have some exploits here, let’s try the first one.

searchsploit -m multiple/remote/32764.py

After getting the exploit in the working directory let’s run it with python2.

python2 32764.py

Let’s specify the Port and Host.

python2 32764.py -p 443 10.129.183.210

The exploit dumped a small piece of the server’s memory, and in it we can see a base64 encoded string.

aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==

Let’s decode it and see what we have.

echo "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" | base64 -d

Let’s try SSH again with the same key and use this phrase as the passphrase.

It says: sign_and_send_publickey: no mutual signature supported.

Just add the following lines to your ~/.ssh/config file (they re-enable the legacy ssh-rsa signature algorithm that newer OpenSSH clients disable by default, which is why the old server and our client had no algorithm in common).

Host *
PubkeyAcceptedKeyTypes=+ssh-rsa
HostKeyAlgorithms=+ssh-rsa

Let’s SSH again now and give the passphrase.

And we got a shell this time. :)

Let’s collect the user flag.

user.txt

Privilege Escalation

By checking the bash history we can see a tmux command that was run with the -S flag.

By looking into the tmux manual I found out that -S specifies the path of the server socket that tmux connects to.

By looking at the running processes with ps and grepping for tmux, we can see that there is a tmux server running on that same socket as root.

Let’s spawn tmux and connect to that socket in the same way.

tmux -S /.devs/dev_sess

And we got a root shell.
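The misconfiguration behind this privesc is a root-owned tmux server socket that another user is allowed to connect to. As an added example (not from the original write-up), this Python audit walks a directory tree and reports Unix sockets owned by a given user that group or world can write to, which is the condition that lets `tmux -S <socket>` attach to someone else’s session. The temporary socket in the demo is constructed for illustration; the real check would be run over / with the default owner_uid of 0:

```python
import os
import socket
import stat
import tempfile


def find_exposed_sockets(root_dir: str, owner_uid: int = 0):
    """Return (path, mode) for every Unix socket under root_dir owned by
    owner_uid (root by default) that group or world can write to. Connecting
    to a socket needs write permission, so such a socket lets other users
    attach to the owner's tmux session, as with /.devs/dev_sess on Valentine."""
    hits = []
    for dirpath, _dirs, names in os.walk(root_dir):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if not stat.S_ISSOCK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid == owner_uid and mode & (stat.S_IWGRP | stat.S_IWOTH):
                hits.append((path, mode))
    return hits


def demo() -> list:
    """Constructed scenario: create a socket like a tmux server would, leave it
    group-writable, and show that the audit flags it (owner is the current user
    here, so we pass our own uid instead of root's)."""
    workdir = tempfile.mkdtemp()
    sock_path = os.path.join(workdir, "dev_sess")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, 0o660)  # group can connect: this is the exposure
    hits = find_exposed_sockets(workdir, owner_uid=os.getuid())
    srv.close()
    return hits


if __name__ == "__main__":
    for path, mode in demo():
        print("exposed socket %s (mode %o)" % (path, mode))
```

On a live host, also check the directory holding the socket: a socket in a directory other users cannot traverse is not reachable even if its own mode is loose.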

:)
