HTB Valentine

Run an nmap scan to find open ports.

Web server shows just an image.

Run a gobuster scan to find directories.

It looks like some kind of hex-encoded key.

Decoding the hex file shows that it is an RSA private key.

Tried using the private key to SSH in as the user, but it needed a passphrase. Used john to crack the hash, but no password was found.

From the theme of the box and the image on the web server, it seems the box is vulnerable to Heartbleed.


Let’s use nmap to check for this vulnerability.

The vulnerability check shows Heartbleed (CVE-2014-0160), which can be exploited with a Python script.

There are a couple of Heartbleed exploit scripts around. I use the following here:

Run the exploit using python2.

A base64 string is found.

Head to the web server's decoder and decode the base64 text.

A potential passphrase is found.
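
From the defender's side, the Heartbleed request is recognisable on the wire because the payload length it declares is larger than the TLS record that carries it. The sketch below is an added example, not part of the original write-up or of the exploit script it used; the function names and sample bytes are constructed for illustration, and it only applies to heartbeats sent before the connection is encrypted.

```python
import struct

HEARTBEAT = 24      # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1      # heartbeat message type: request
MIN_PADDING = 16    # RFC 6520: at least 16 bytes of padding follow the payload

def record(body, ctype=HEARTBEAT, version=0x0302):
    """Helper for the constructed samples: wrap a body in a TLS record header."""
    return struct.pack("!BHH", ctype, version, len(body)) + body

def scan_records(stream):
    """Walk plaintext TLS records and report every heartbeat request."""
    findings, off = [], 0
    while off + 5 <= len(stream):
        ctype, version, rec_len = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5:off + 5 + rec_len]
        off += 5 + rec_len
        if len(body) < rec_len:
            break                       # truncated capture, stop parsing
        if ctype != HEARTBEAT or rec_len < 3:
            continue
        hb_type, claimed = struct.unpack_from("!BH", body)
        if hb_type != HB_REQUEST:
            continue
        # Same bound the OpenSSL fix enforces: type + length + payload + padding
        # must fit inside the record that was actually received.
        needed = 1 + 2 + claimed + MIN_PADDING
        findings.append({"record_len": rec_len, "claimed_payload": claimed,
                         "over_read": needed > rec_len})
    return findings

# Constructed sample stream (not captured traffic):
SAMPLE = (
    record(b"\x01\x00\x00\x00", ctype=22)                           # handshake record, ignored
    + record(b"\x01" + struct.pack("!H", 4) + b"ping" + bytes(16))  # well-formed request
    + record(b"\x01" + struct.pack("!H", 0x4000))                   # claims 16384 bytes, carries none
)

if __name__ == "__main__":
    for f in scan_records(SAMPLE):
        print("ALERT" if f["over_read"] else "ok", f)
```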

Log in with the private key and the newly found passphrase.

heartbleedbelievethehype

On the first attempt I get an error message; use the additional flag to gain access.

The first flag is found.


Use LinEnum to look for privilege escalation paths.

From ps aux we can see that root is running tmux.

Run the following command to gain a root shell: tmux -S /.devs/dev_sess
