Valentine - HTB walkthrough
WIKI: The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
Vulnerability: The client sends a heartbeat request stating how many words (bytes) it wants echoed back. The server does not check that the requested amount matches the actual length of the request; instead it sends back as much as the client asked for.
Example:
- Client { say "HEY", 3 words } -> Server { HEY, <padding> }
- Client { say "HEllo", 200 words } -> Vulnerable Server { HEllo <whatever 200 words it has after that, without checking the length of the request> }
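As an added illustration of the missing length check (this is not code from the walkthrough or from OpenSSL), here is a small Python model of a heartbeat responder in its vulnerable and corrected forms, run against a constructed memory buffer; the message layout follows RFC 6520 and the "adjacent memory" contents are invented.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: a heartbeat message carries at least 16 bytes of padding

def build_heartbeat_request(declared_len: int, payload: bytes) -> bytes:
    """Heartbeat body: type(1) | payload_length(2) | payload | padding."""
    return bytes([HB_REQUEST]) + struct.pack("!H", declared_len) + payload + b"\x00" * MIN_PADDING

# Constructed sample (not from the box): the record as received, followed by bytes
# that merely happen to sit next to it in the server's memory.
HONEST_RECORD = build_heartbeat_request(3, b"HEY")         # "say HEY, 3 words"
OVERSIZED_RECORD = build_heartbeat_request(200, b"HEllo")  # "say HEllo, 200 words"
ADJACENT_MEMORY = b"Cookie: session=constructed; hype_key=-----BEGIN RSA PRIVATE KEY-----"

def heartbeat_response_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Echo payload_length bytes, trusting the client's length field; record_len is ignored (the bug)."""
    hb_type, declared_len = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return b""
    # Reads past the end of the record into whatever follows it. (Python slicing stops at
    # the end of the buffer; the C code this models simply keeps reading.)
    echoed = memory[3:3 + declared_len]
    return bytes([HB_RESPONSE]) + struct.pack("!H", declared_len) + echoed + b"\x00" * MIN_PADDING

def heartbeat_response_fixed(memory: bytes, record_len: int):
    """Same echo, but payload_length must fit inside the record actually received."""
    hb_type, declared_len = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + declared_len + MIN_PADDING > record_len:
        return None  # RFC 6520: payload_length too large, discard the message silently
    echoed = memory[3:3 + declared_len]  # now guaranteed to lie inside the record
    return bytes([HB_RESPONSE]) + struct.pack("!H", declared_len) + echoed + b"\x00" * MIN_PADDING

def leaked_bytes(response: bytes, record_len: int) -> bytes:
    """Bytes in a response that were never part of the client's own record."""
    echoed = response[3:len(response) - MIN_PADDING]  # strip type, length and trailing padding
    return echoed[record_len - 3:]  # everything echoed from beyond the record's end

if __name__ == "__main__":
    mem = OVERSIZED_RECORD + ADJACENT_MEMORY
    print("vulnerable server leaks:", leaked_bytes(heartbeat_response_vulnerable(mem, len(OVERSIZED_RECORD)), len(OVERSIZED_RECORD)))
    print("fixed server replies:", heartbeat_response_fixed(mem, len(OVERSIZED_RECORD)))
```

The honest 3-byte request passes the check in both servers and leaks nothing; the 200-byte request is answered with adjacent memory by the vulnerable server and silently dropped by the fixed one.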
ENUMERATION
HTTP 80 Enumeration
Visiting the website
Enumerating each directory
1) /omg : Image location of omg.jpg
2) /dev
a. Hype_key
b. Notes.txt
3) /encode
4) /decode
So we have a key, plus options to encode and decode it. The image hints at Heartbleed, so let's test for it.
1) # searchsploit heartbleed
Looking at the script, it tests the server for the Heartbleed vulnerability. So, running the script:
We should try a few times to see it return extra data (the OpenSSL heartbeat vulnerability).
Running this a second time gave me output including a cookie and an encoded hype_key:
Then running it a third time gave me some text.
Decoding this text: it was base64 encoded.
2) We will come back to that; first, think about how to use PGP keys. We can use it for SSH.
a. Get the PGP key
b. Convert it to an RSA private key
Now we see this is an encrypted private key...
I tried ssh2john and then john with the rockyou wordlist. But it seems to be some different issue; it could not crack it. So I used openssl.
EXPLOITATION
SSH into user hype
Getting user flag
PRIVILEGE ESCALATION
Running tmux as hype with the -S <socketpath> option, we get a root session in tmux, because there is a session socket stored as dev_sess owned by root.
ROOTED !!!