add: writeup-ctf
Some checks failed
Build Blog Docker Image / build docker (push) Failing after 1m11s
This commit is contained in:
132
content/writeup-ctf/writeup-valentine-htb/index.md
Normal file
@ -0,0 +1,132 @@
---
title: "Writeup - Valentine (HTB)"
date: 2022-05-05
slug: "writeup-valentine-htb"
type: "writeup-ctf"
---
This is a writeup for the [Valentine](https://app.hackthebox.com/machines/Valentine) machine from the HackTheBox site.
## Enumeration
First, let's start with a scan of our target with the following command:
```bash
nmap -sV -T4 -Pn 10.10.10.79
```
Three TCP port are discovered:

- 22/tcp : SSH port (OpenSSH 5.9p1)
- 80/tcp : HTTP (Apache 2.2.22)
- 443/tcp : HTTPS (Apache 2.2.22)

## Exploit
First, I start by scanning the site's folders.
I quickly find the `/dev` folder where there are 2 files :
```bash
To do:
1) Coffee.
2) Research.
3) Fix decoder/encoder before going live.
4) Make sure encoding/decoding is only done client-side.
5) Don't use the decoder/encoder until any of this is done.
6) Find a better way to take notes.
```
```bash
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46
DbPrO78kegNuk1DAqlAN5jbjXv0PPsog3jdbMFS8iE9p3UOL0lF0xf7PzmrkDa8R
5y/b46+9nEpCMfTPhNuJRcW2U2gJcOFH+9RJDBC5UJMUS1/gjB/7/My00Mwx+aI6
0EI0SbOYUAV1W4EV7m96QsZjrwJvnjVafm6VsKaTPBHpugcASvMqz76W6abRZeXi
Ebw66hjFmAu4AzqcM/kigNRFPYuNiXrXs1w/deLCqCJ+Ea1T8zlas6fcmhM8A+8P
OXBKNe6l17hKaT6wFnp5eXOaUIHvHnvO6ScHVWRrZ70fcpcpimL1w13Tgdd2AiGd
pHLJpYUII5PuO6x+LS8n1r/GWMqSOEimNRD1j/59/4u3ROrTCKeo9DsTRqs2k1SH
QdWwFwaXbYyT1uxAMSl5Hq9OD5HJ8G0R6JI5RvCNUQjwx0FITjjMjnLIpxjvfq+E
p0gD0UcylKm6rCZqacwnSddHW8W3LxJmCxdxW5lt5dPjAkBYRUnl91ESCiD4Z+uC
Ol6jLFD2kaOLfuyee0fYCb7GTqOe7EmMB3fGIwSdW8OC8NWTkwpjc0ELblUa6ulO
t9grSosRTCsZd14OPts4bLspKxMMOsgnKloXvnlPOSwSpWy9Wp6y8XX8+F40rxl5
XqhDUBhyk1C3YPOiDuPOnMXaIpe1dgb0NdD1M9ZQSNULw1DHCGPP4JSSxX7BWdDK
aAnWJvFglA4oFBBVA8uAPMfV2XFQnjwUT5bPLC65tFstoRtTZ1uSruai27kxTnLQ
+wQ87lMadds1GQNeGsKSf8R/rsRKeeKcilDePCjeaLqtqxnhNoFtg0Mxt6r2gb1E
AloQ6jg5Tbj5J7quYXZPylBljNp9GVpinPc3KpHttvgbptfiWEEsZYn5yZPhUr9Q
r08pkOxArXE2dj7eX+bq65635OJ6TqHbAlTQ1Rs9PulrS7K4SLX7nY89/RZ5oSQe
2VWRyTZ1FfngJSsv9+Mfvz341lbzOIWmk7WfEcWcHc16n9V0IbSNALnjThvEcPky
e1BsfSbsf9FguUZkgHAnnfRKkGVG1OVyuwc/LVjmbhZzKwLhaZRNd8HEM86fNojP
09nVjTaYtWUXk0Si1W02wbu1NzL+1Tg9IpNyISFCFYjSqiyG+WU7IwK3YU5kp3CC
dYScz63Q2pQafxfSbuv4CMnNpdirVKEo5nRRfK/iaL3X1R3DxV8eSYFKFL6pqpuX
cY5YZJGAp+JxsnIQ9CFyxIt92frXznsjhlYa8svbVNNfk/9fyX6op24rL2DyESpY
pnsukBCFBkZHWNNyeN7b5GhTVCodHhzHVFehTuBrp+VuPqaqDvMCVe1DZCb4MjAj
Mslf+9xK+TXEL3icmIOBRdPyw6e/JlQlVRlmShFpI8eb/8VsTyJSe+b853zuV2qL
suLaBMxYKm3+zEDIDveKPNaaWZgEcqxylCC/wUyUXlMJ50Nw6JNVMM8LeCii3OEW
l0ln9L1b/NXpHjGa8WHHTjoIilB5qNUyywSeTBF2awRlXH9BrkZG4Fc4gdmW/IzT
RUgZkbMQZNIIfzj1QuilRVBm/F76Y/YMrmnM9k/1xSGIskwCUQ+95CGHJE8MkhD3
-----END RSA PRIVATE KEY-----
```
This second file is very interesting, it's an RSA key that should allow me to connect in SSH. The only problem is that it is encrypted and requires a password. So I try to brute force the password. For that I start by extracting a hash with the following command:
```bash
ssh2john id_rsa > hash
```
Then I launch John with the rockyou dictionary.

Unfortunately without success. Let's look for something else, after performing a vulnerability scan with Nmap, I find that the machine is vulnerable to CVE-2014-0160. After some research I find this github [github](https://github.com/sensepost/heartbleed-poc).

After some executions I find a string in base64:
```bash
┌──(d3vyce㉿kali)-[~/Documents]
└─$ echo "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" | base64 -d
heartbleedbelievethehype
```
It could be a password, so I test to connect with :

I now have SSH access and can retrieve the first flag.
{{< alert >}}
While trying to connect via SSH I got the following error: `sign_and_send_pubkey: no mutual signature supported`. To solve the problem I had to add to the command: `PubkeyAcceptedKeyTypes=+ssh-rsa`.
{{< /alert >}}
## Privilege escalation
At first I start by running the [linpeas.sh](https://linpeas.sh) script to find a vulnerability. I quickly find a tmux service executed by root.

After some research I find that it is possible to enter a tmux stream via the `-S` argument which allows to indicate a socket-path.
```bash
tmux -S /.devs/dev_sess
```
I now have a root shell and I can get the last flag.

## Recommendations
To patch this host I think it would be necessary to perform a number of actions:
- Do not leave large files accessible directly from a website
- Update the machine to fix CVE-2014-0160
- Do not create a tmux session as root
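Review bot: the `## Recommendations` list at the end of this file is too vague to act on. "Do not leave large files accessible directly from a website" should name what actually went wrong, namely that an encrypted SSH private key and an internal to-do note were served from the `/dev` directory; suggest "Do not publish private keys or internal notes under the web root, and rotate any key that has been exposed". "Update the machine to fix CVE-2014-0160" should say which component to patch: CVE-2014-0160 is Heartbleed, a bug in the OpenSSL library behind the HTTPS service on 443/tcp, and the memory it leaks is what yielded the base64 password in the Exploit section, so the fix is upgrading OpenSSL, not "the machine" in general. The tmux item should state the actual weakness: attaching with `tmux -S /.devs/dev_sess` from the low-privileged SSH user gives a root shell, so the root session's socket is reachable by unprivileged users; the fix is to keep the socket and its directory unreadable to other users (or not to run tmux as root at all). Smaller points in the same hunk: "Three TCP port are discovered" should be "ports"; the two `/dev` files are never named, yet `ssh2john id_rsa > hash` later assumes a file called `id_rsa`, so state the filenames; "I find this github [github](...)" repeats the word; the to-do note and the PEM key are fenced as ```bash but are plain text and should be tagged `text` so the highlighter does not mangle them; "enter a tmux stream via the `-S` argument" should read "attach to an existing tmux session by pointing `-S` at its socket path"; the alert should show the option in the form it is actually passed, `-o PubkeyAcceptedKeyTypes=+ssh-rsa`; and the SSH connection command, the John run and the linpeas finding exist only as screenshots, so add the command lines or alt text so the steps are reproducible without the images.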