Welcome to valentine and this gave me some trouble. I know people say it’s on the easier side of things but something about it took me a while to figure out what made this box tick. This machine is vulnerable to Heartbleed, which we will use to grab an SSH key and move on to privesc.
Our initial nmap scan reveals some working ports and a follow up UDP scan revealed one port:
On port 80 we are redirected to port 443:
It took me a while to identify what was happening here but this picture really was worth a thousand words. This machine is vulnerable to Heartbleed, a logic error that allowed attackers to grab random chunks of memory.
I found a script off serchsploit and ran it:
When I first ran it, my entire screen was covered in 0’s so I used `grep -v “00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00” to leave those lines out.
But it is vulnerable! Now what?
Well I ran it a few more times and noticed some interesting tidbits of info coming through:
I will keep that for later. I ran heartbleed a bunch of more times and got nothing so I went back to square one and enumerated some directories for the web address.
This directory has 2 files
- – hype key
- – notes
3) Fix decoder/encoder before going live.
4) Make sure encoding/decoding is only done client-side.
5) Don’t use the decoder/encoder until any of this is done.
6) Find a better way to take notes.
and hype key is a random bunch of hex numbers. I’ll try to decode this also:
Hmm a SSH key. This is nice. But it’s password protected and maybe the password we got from heartbleed is what we need?
Lets go over to
openssl and see if it works:
Now it’s time to SSH in. This part took me a while. I couldn’t for the life of me figure out the username. Simple CTF stuff too! Username was hype. Makes sense too: hype_key.
Now it’s time to escalate some privileges. I tried sudo -l and nothing. My next step is to see what processes are running as root.
When I first completed this box I used Dirty Cow but I always like to read up pm boxes after I complete to find out if I missed anything that could give me an edge on the OSCP.
Right there I can see tmux running as root! This is interesting because I should able to access tmux from the low priv user and I am pretty sure I could abuse this.
I run the history command and see:
From the looks of it we can run
tmux -S /.devs/dev_sess and we should be come root: