033#:HTB - Valentine

Valentine - Title Card

     Tonight’s room is Valentine on Hack the Box. We are a bit out of season given it’s August, but it’s the next one going down the list of most rooted machines. Let’s see what ports we can find.

Valentine - Nmap

     Seeing that HTTPS is running on this box and the name being Valentine has me wondering if this is related to the Heartbleed vulnerability. Seems on brand, but let’s just start with a gobuster scan for now.

Valentine - Gobuster 1
Valentine - Site 1

     I am fairly certain that heart is the logo associated with the Heartbleed exploit, so that pretty much seals it. Looking over these links, it looks like we have a tool to encode data, a tool to decode data, and a note from the dev that hints to us that these functions are being done server-side.

Valentine - Site 2
Valentine - Site 3

     I’m rusty with command injection, so I started working through some common injection methods listed by OWASP. I moved on to searching for Heartbleed in searchsploit and copying a Python exploit. The comments mention CVE-2014-0160, which is the CVE for Heartbleed, so this should do the trick.

Valentine - Searchsploit 1

     This worked and says it is vulnerable; now I need to find how to exploit it, I guess.

Valentine - Exploit 1
Valentine - Exploit 2

     I pulled up Metasploit and started exploring a payload’s options. I had to change the action for the module, but I was able to get a private key and a memory dump.

Valentine - MSF 1

     The key is cool but I don’t have a username yet. I ran strings against the .bin file from the memory dump and found an encoded string. When decoded we get what looks to be a password.

Valentine - MSF 2

     I forgot to mention a hype_key file I found in the /dev directory too. I’m not sure what to do with it though. I copied the contents and pasted it into dcode’s cipher identifier. This flagged it as ASCII Code, and when we decode it I found it’s actually another private RSA key.
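     The two decoding steps above (pulling an encoded string out of the memory dump with strings, and recognising the hype_key file, which I assume is hex-encoded bytes behind dcode’s “ASCII Code” label) as one added Python example. This is my own illustration, not code from the post or from any exploit; the dump bytes are constructed for the example and are not the real .bin from the box.

```python
import base64
import binascii
import re
import string

# Constructed stand-in for a Heartbleed memory dump (not the real .bin from the box):
# binary noise, a base64 token behind a form-field prefix, and a hex-encoded PEM header.
SAMPLE_DUMP = (
    b"\x00\x17\xff\x13garbage\x00\x00"
    + b"$text=" + base64.b64encode(b"example-secret-1234") + b"\x00\x00"
    + b"\x01\x02" + binascii.hexlify(b"-----BEGIN RSA PRIVATE KEY-----") + b"\x00"
)

PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
HEX_TOKEN = re.compile(r"(?:[0-9a-fA-F]{2}){8,}")       # at least 8 encoded bytes
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")      # at least 9 encoded bytes

def printable_runs(data: bytes, min_len: int = 8):
    """Mimic `strings`: yield runs of printable ASCII at least min_len bytes long."""
    run = bytearray()
    for b in data + b"\x00":          # trailing sentinel flushes the last run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode()
        run = bytearray()

def is_readable(b: bytes) -> bool:
    return bool(b) and all(c in PRINTABLE or c in b"\r\n\t" for c in b)

def decode_candidates(data: bytes):
    """Return (encoding, token, decoded) for strings that decode to readable text.
    Hex is tried before base64: every hex string is also valid base64 alphabet
    and would otherwise be reported as junk base64 as well."""
    found, hex_seen = [], set()
    for s in printable_runs(data):
        for tok in HEX_TOKEN.findall(s):
            dec = bytes.fromhex(tok)
            if is_readable(dec):
                found.append(("hex", tok, dec.decode()))
                hex_seen.add(tok)
        for tok in B64_TOKEN.findall(s):
            if tok in hex_seen or len(tok) % 4:
                continue
            try:
                dec = base64.b64decode(tok, validate=True)
            except binascii.Error:
                continue
            if is_readable(dec):
                found.append(("base64", tok, dec.decode()))
    return found

if __name__ == "__main__":
    for enc, tok, dec in decode_candidates(SAMPLE_DUMP):
        print(f"{enc:6} {tok} -> {dec}")
```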

Valentine - Dcode 1

     I’m guessing the username is hype since this was called “hype_key”. I tried to ssh to the box using hype and the RSA key we just found, but I kept getting an error stating “no mutual signature algorithm”. Googling this error led me to this article which had the fix. I basically needed to enable RSA SHA-1 on my computer by adding ‘PubkeyAcceptedKeyTypes +ssh-rsa’ to the end of my /etc/ssh/ssh_config file. Trying to connect now gets me access and our first flag.

Valentine - Site 4
Valentine - Flag 1

     I can’t check my sudo rights since I don’t have the user’s password. I checked for other users and cron jobs. After a bit more poking around I ran linpeas on our victim. Right away we get a huge flag on the Linux kernel version.

Valentine - LinPEAS 1

     I searched Linux kernel 3.2 in searchsploit and there are a bunch of potential privilege escalation options. These all need to be compiled though, and I found myself having issues at first because I’m virtualized on Apple silicon. I fiddled around with that for a minute and then it occurred to me to check if I could just compile it on the target. GCC is installed, so I downloaded the uncompiled payload to the victim machine and gave it a go.

Valentine - Exploit 3

     That one didn’t work, but we are cooking now. I started working through the different priv esc exploits that searchsploit had to offer.

Valentine - Exploit 4

     Remember to always read the payload comments; most of these had recommended compile commands included, which will improve your chances of success. Moving down the searchsploit list I got one that works!

Valentine - Flag 2

     Awesome, this was a good room. It’s also cool doing some of these exploits I have learned about over the years. Like reliving a little piece of cyber history.

[CATZ....HACKS]
