Valentine Writeup

Enumeration

Port Scan: nmap -A 10.10.10.79 shows ports 22, 80, and 443 open. http-enum.nse shows /dev/ and /index/ directories on both 80 and 443. Checking these directories reveals two interesting files: a hex-encoded RSA private key, which an initial login attempt shows to be passphrase-protected, and a notes.txt file that mentions an encoder/decoder somewhere on the site. Navigating to the https site in the browser and examining the headers and security information under developer tools shows that the website is using TLSv1.2, which is vulnerable to the Heartbleed exploit.

The Plan

Having enough information to start putting together a plan of attack, I decided to see if I could find anything useful in the memory leak obtained by exploiting Heartbleed against the vulnerable server. My main hope is to find some clue to the passphrase for the RSA key I found in the /dev/ folder. I like to avoid Metasploit as much as possible while I am learning how to do all this stuff, so I turn to Google to look for Heartbleed PoCs and exploit scripts that I can use here. Fairly quickly, I come across https://gist.github.com/eelsivart/10174134, which contains the heartbleed.py script, and I begin reading through it.

The script has a few different options/parameters to control its behavior and output. I may as well have it output in every format it can, so I will use the -x (hex), -r (raw), and -a (ascii) flags along with -v (verbose).

My understanding of the Heartbleed exploit is that a client (my machine) can send some data along with the length of that data, and the server echoes it back. This is a sort of 'keep-alive' process, and because the server does not check the length it was told against the data that actually arrived, we can request an echo longer than what we sent, up to 64 KiB. The server then returns chunks of its memory, which can contain sensitive information about current or recent sessions on the server, including keys and/or credentials. The ClientHello structure for this version of TLS, according to RFC 5246, is:

    struct {
        ProtocolVersion client_version;
        Random random;
        SessionID session_id;
        CipherSuite cipher_suites<2..2^16-2>;
        CompressionMethod compression_methods<1..2^8-1>;
        select (extensions_present) {
            case false:
                struct {};
            case true:
                Extension extensions<0..2^16-1>;
        };
    } ClientHello;

Examining the script, I can see the build_client_hello function building this structure in hexadecimal and the build_heartbeat function specifying a length of 0x40, which corresponds to our max of 64 KiB, triggering the bleeding of data from memory. I am satisfied enough with my understanding to go ahead and run this script and hopefully obtain some juicy credentials.
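To make the length mismatch concrete from the defender's side, here is an added example (my own code, not part of the original writeup and not taken from the heartbleed.py gist) that parses a TLS record carrying a heartbeat message and applies the bounds check that the OpenSSL fix introduced: the declared payload_length, plus the 3-byte heartbeat header and the 16 bytes of minimum padding, must fit inside the record that actually arrived. The two sample records are constructed in the block, not captured traffic; the record layout follows RFC 6520 and the version bytes 3,3 are TLS 1.2 as seen on the box.

```python
import struct

# Layout per RFC 6520: a TLS record header (type, version, length) carrying a
# HeartbeatMessage (type, payload_length, payload, padding of at least 16 bytes).
HEARTBEAT_CONTENT_TYPE = 0x18
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16
TLS_1_2 = (3, 3)


def parse_tls_record(data):
    """Split one raw TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than its declared length")
    return content_type, (major, minor), body


def heartbeat_is_well_formed(record):
    """Apply the bounds check the Heartbleed fix added to OpenSSL: the declared
    payload_length plus the 3-byte heartbeat header and the minimum padding must
    fit inside the record that actually arrived. Returns False for a request
    that would make an unpatched server copy memory beyond the real payload."""
    content_type, _version, body = parse_tls_record(record)
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return False
    if len(body) < 1 + 2 + MIN_PADDING:
        return False
    _hb_type, payload_length = struct.unpack("!BH", body[:3])
    return 1 + 2 + payload_length + MIN_PADDING <= len(body)


def build_heartbeat_record(payload, declared_length=None, version=TLS_1_2):
    """Build a heartbeat request record as sample input for the check above.
    declared_length defaults to the true payload size; a larger value yields the
    inconsistent record the check is meant to reject (constructed sample data)."""
    if declared_length is None:
        declared_length = len(payload)
    message = (struct.pack("!BH", HEARTBEAT_REQUEST, declared_length)
               + payload + b"\x00" * MIN_PADDING)
    header = struct.pack("!BBBH", HEARTBEAT_CONTENT_TYPE,
                         version[0], version[1], len(message))
    return header + message


# Constructed sample records (not captured traffic): an honest request and one
# whose length field claims far more than the record carries.
HONEST_RECORD = build_heartbeat_record(b"ping")
LYING_RECORD = build_heartbeat_record(b"ping", declared_length=0x4000)

if __name__ == "__main__":
    print("honest request accepted:", heartbeat_is_well_formed(HONEST_RECORD))
    print("oversized request accepted:", heartbeat_is_well_formed(LYING_RECORD))
```

The check is deliberately the same inequality a patched server evaluates before it allocates and copies the response; anything that fails it is dropped without an echo, which is why a patched OpenSSL simply stays silent when probed.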

The Exploit

Executing our heartbleed.py script against Valentine revealed some interesting information. Most notable was the string $text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==, which appears to be base64 encoded. We also see calls to a previously undiscovered page, /decode.php. Pasting the string into decode.php reveals the phrase heartbleedbelievethehype. This sounds like it could be the passphrase for our hype_key. Let's give it a shot.

That didn't work, but it was trying to log in as root; maybe the passphrase is for a different user. The key is named hype_key, so it wouldn't be a stretch for it to belong to a user named hype. Bingo.

With our newly acquired SSH shell it's time to do some post-exploitation recon to identify a way to elevate ourselves to root.

Post Exploitation Recon

First, let's create a new directory under our current home folder to use as a working directory so anything we do is clearly separated from the challenge machine's files. I do this so my work doesn't interfere with or give away anything to other HTB members currently working on the system, and to make cleaning up easier when I am done. My working directory will be called HTB_jacampbell.

On my Kali system, the first thing I will do is start up a python SimpleHTTPServer on port 80 in order to pull any scripts I want to use over to the target. My standard scripts include linuxprivchecker.py (https://www.securitysift.com/download/linuxprivchecker.py), unix-privesc-check (ships with Kali) and LinEnum.sh (https://github.com/rebootuser/LinEnum). Along with these scripts, I check ps -aux for low-hanging fruit in the form of services running as root that provide a means of escalation.

At this point, people keep trashing the box with dirty_c0w so I can no longer grab screenshots as I am doing this writeup postmortem.

I spent a good deal of time digging through the output of my scripts and going down the wrong paths. This provided a LOT of learning experience despite not leading to rooting the system, so I will summarize the routes I investigated:

  • SUID/SGID files: using the find command to locate these and examining them for possible paths to root. Most notable to me were the games gnomine and mahjongg running as root. I started to dig into their source for possible exploits but decided to table this effort and keep looking at other means, since the box was rated fairly easy.
  • ltrace: learned to use it to identify the library calls made by SUID/SGID files, looking for system() calls where the command path is not fully qualified. This can lead to my own malicious library or binary being executed as root instead of the intended one. Again, tabled this method after some tinkering due to the box rating.
  • crontab: spent a good deal of time learning everything I could about crontab and related functionality. I did not have write access to any of the required directories, but I could read them. Examined the existing scripts for calls to commands without fully qualified paths, hoping to find one that I could redirect to my own executable. Most calls in the existing scripts included the full path, /usr/bin/, but there was one call to 'sed' with no path. Made a note to come back to this to see if I could get it pointed at my own malicious 'sed' and tabled it due to the box difficulty rating.

Work got busy for a few days, so I came back afterwards with fresh eyes and mind and noticed in the ps -aux output a tmux process running as root. Being unfamiliar with tmux, I did some digging. Online resources and the man page show that this utility can connect to an existing tmux server through the socket path given with the -S flag, which we also see in the ps -aux output.

From the terminal, tmux -S /.devs/dev_sess attaches us to the tmux session as root, and we are able to recover all flags.

Securing the System

Misconfigurations that allowed us to own this system include, but are not limited to:

  • Directory enumeration exposed dev notes and the private RSA key through the browser.
    • Development notes and keys should not exist on your public web server, and the server should be configured to not allow directory listing and navigation to unrelated directories.
  • An outdated version of OpenSSL allowed leaking of confidential information. This should be updated to the most recent version, and a system for regularly scheduled patching should be implemented to stay on top of issues such as this in all production environments.
  • The tmux session is what allowed escalation to root. If the intent of the session can be fulfilled as an unprivileged user, that would be ideal: create a new user with only the permissions required and have the session run as that user instead of root. Using the wemux package to give users read-only access can also be a good decision here if the user only needs to monitor the jobs running in tmux.
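Two of the findings above, the cron script that calls 'sed' without a full path and the root-owned tmux socket that an unprivileged user could attach to, are the kind of thing an administrator can audit for mechanically. The following is an added example written for this writeup (not the author's code and not a tool from the box) with two checks: a scanner that flags the first command of each line in a shell script when it is resolved through PATH rather than given as an absolute path, and a function that classifies a root-owned unix socket by its stat() fields to tell whether a given caller could connect to it. The cron script is a constructed sample, and the socket check takes mode/uid/gid values as arguments so it runs offline; the only assumption is that connecting to a unix socket requires write permission on the socket file, which is how Linux enforces it.

```python
import re
import shlex
import stat

# Constructed sample of a root-run cron script (not the box's actual script):
# every command but one is called by absolute path.
SAMPLE_CRON_SCRIPT = """#!/bin/bash
# nightly cleanup (constructed sample)
LOGDIR=/var/log/app
/usr/bin/find /tmp -type f -mtime +1 -delete
/usr/bin/tar czf /var/backups/home.tgz /home
sed -i 's/DEBUG/INFO/' "$LOGDIR/app.log"
"""

# Shell keywords and builtins that never resolve through PATH.
SHELL_WORDS = {"cd", "export", "if", "then", "else", "fi", "for", "while",
               "do", "done", "case", "esac", "echo", "exit", "set", "source", "."}

ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def unqualified_commands(script_text):
    """Return [(line_number, command)] for every line whose first command word
    is looked up through PATH rather than given as an absolute path. Only the
    first command on a line is examined; pipelines and && chains would need a
    real shell parser, so treat this as a triage aid, not a proof of safety."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            words = shlex.split(stripped)
        except ValueError:  # unbalanced quotes: skip rather than guess
            continue
        while words and ASSIGNMENT.match(words[0]):  # leading VAR=value prefixes
            words = words[1:]
        if not words:
            continue
        command = words[0]
        if command in SHELL_WORDS or command.startswith("/"):
            continue
        findings.append((lineno, command))
    return findings


def root_socket_attachable(st_mode, st_uid, st_gid, caller_uid, caller_gids):
    """True when a root-owned unix socket (such as a tmux server's -S socket)
    is writable by the caller, which is what connect() on it requires. The
    directory holding the socket must also be searchable by the caller; that
    is outside what these fields show, so check it separately."""
    if not stat.S_ISSOCK(st_mode) or st_uid != 0:
        return False
    if caller_uid == 0:
        return True
    if st_gid in caller_gids and st_mode & stat.S_IWGRP:
        return True
    return bool(st_mode & stat.S_IWOTH)


if __name__ == "__main__":
    for lineno, cmd in unqualified_commands(SAMPLE_CRON_SCRIPT):
        print("line %d: '%s' resolved via PATH, give it an absolute path" % (lineno, cmd))
    # Constructed stat() values: a root:hype socket with mode srw-rw---- seen by uid 1000 in group 1000.
    print("unprivileged caller can attach:",
          root_socket_attachable(stat.S_IFSOCK | 0o660, 0, 1000, 1000, {1000}))
```

To apply the socket check to a live system, feed it the fields of os.stat() on the socket path together with os.getuid() and os.getgroups(); a True result for a non-root caller is exactly the condition that turned a readable process listing into a root shell here, and the fix is either running the server as the least-privileged user that still meets its purpose or tightening the socket and directory modes to the owner only.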
