Overview
Valentine is an ubuntu box that was vulnerable to the heartbleed vulnerability. I found a page full of hex and when converted to ascii ended up being a password protected rsa private key. Leveraging the heartbleed vulnerability I was able to pull a base64 string from the servers memory which when decoded was the password for the private key. With that I was able to log on to the server as user hype and attach to a tmux session to gain root.
Enumeration
Software
- Ubuntu 12.04 LTS
- Openssl 1.0.1
- Apache 2.2.22
Port Scan
nmap -A -sT -v -p- 10.10.10.79 -oN ~/boxes/valentine/_full_nmap_tcp.txt
- 22/tcp - ssh
- 80/tcp - http
- 443/tcp - https
gobuster
gobuster dir -u http://10.10.10.79 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 40 -x php,html
- /index (Status: 200)
- /index.php (Status: 200)
- /dev (Status: 301)
- /encode (Status: 200)
- /encode.php (Status: 200)
- /decode (Status: 200)
- /decode.php (Status: 200)
- /omg (Status: 200)
- /server-status (Status: 403)
Steps (user)
I started by browsing to http://10.10.10.79 and was brought to page showing a woman and the heartbleed logo.
Browsing to the https version of the site shows the same thing
Browsing to http://10.10.10.19/dev shows two files, a note and a bunch of what looks like hex.
Using wget I downloaded the file ‘hype_key’
wget http://10.10.10.79/dev/hype_key
xxd was used on hype_key to convert hex to ascii. The result was an rsa key. I ran the command again and output to id_sa
cat hype_key | xxd -r -p > id_rsa
A search in searchsploit for heartbleed showed the following:
I decided to go with 32764.py which exploits the heartbleed flaw to pull data from memory. After a few tries I noticed some base64 in the output.
Browsing over to decode.php, I copied in the base64 and it very helpfully decoded the text. The result was ‘heartbleedbelievethehype’
Now that I had a password I tested it out on the rsa key by using it to try and decrypt the id_rsa file and was successful.
openssl rsa -in id_rsa -out id_rsa2
I was then able to use the private key to ssh into box using account “hype”
Steps (root/system)
After some enumeration of Hype’s home directory I found that the .bash_history file contained a tmux command. After looking the command up I learned that the -S parameter can be used to specify a full alternative path to the server socket.
tmux -S /.devs/dev_sess
I was able to attach to the tmux session which was logged on as root.