This write-up covers the Hack The Box machine Valentine. April 2014 is remembered in the software industry for the disclosure of the Heartbleed bug (CVE-2014-0160), a memory-disclosure flaw in OpenSSL's TLS heartbeat handling that IT teams around the world scrambled to contain. The true cost of the bug is hard to estimate; some early estimates put it at around $500 million. This write-up shows how an attacker can exploit Heartbleed.
Let’s start with the info-card for this box.
This is a Linux machine rated Easy, with IP address 10.10.10.79. The radar graph leans strongly towards CVE, with a milder lean towards the Real-Life metric.
Let’s start active recon with the Nmap TCP scan.
nmap -A -T4 -p- -oX tcp_scan_results.xml 10.10.10.79
Below are the results produced by this scan.
I also ran a UDP scan, but it took far too long and returned nothing useful.
nmap -sU -p- -oX udp_scan_results.xml 10.10.10.79
Recon Results Analysis
The Nmap scan found Apache 2.2.22 running on ports 80 and 443, and OpenSSH 5.9p1 on port 22.
Since the TCP scan reported both 80 and 443 open, let's open a browser and visit the HTTP and HTTPS pages. As shown below, both serve the same image.
The source code of the pages did not reveal anything interesting.
Let's launch DirBuster with the following settings to discover what files and directories may be available.
The DirBuster results are shown below.
Note from the scan results that the OpenSSH version on this box (5.9p1) is quite old; at the time of writing, the latest OpenSSH release is 8.1. Apache 2.2.22 is the version shipped with Ubuntu 12.04 (Precise), released in 2012. The OS and its applications are therefore quite dated, so it is worth running a vulnerability scan with the Nmap vuln script category.
nmap --script vuln 10.10.10.79
The result of this scan is shown below.
In all, this scan reports three vulnerabilities, all in the server's OpenSSL/TLS stack:
- OpenSSL CCS injection (man-in-the-middle), CVE-2014-0224
- Heartbleed, CVE-2014-0160
- SSL POODLE information leakage, CVE-2014-3566
Enumeration Results Analysis
Enumeration found several vulnerabilities, including Heartbleed.
Let's start by browsing the files found by DirBuster. The contents of /dev/notes.txt are shown below.
Next, I browsed to /dev/hype_key, which appears to contain hex-encoded data.
I saved the contents to a file named key and used xxd to convert the hex back to ASCII, with the following flags:
- -r: Reverse operation
- -p: read/write plain hexdump style (no offsets or ASCII column)
This produced an RSA private key in PEM format.
I saved the output to a file named ssh_key. Time to attempt an SSH login. We don't know the username; I tried a few common defaults, and hype eventually worked. The hint came from the file name hype_key under /dev, which held the private key. However, ssh prompts for a passphrase: the key is encrypted.
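Before feeding a recovered key to ssh it is worth knowing what kind of key it is and whether it is passphrase-protected, since that decides whether a passphrase hunt (the Heartbleed step below) is even needed. The following Python is an added example, not code from the write-up: it performs the same hex-to-PEM step as xxd -r -p and inspects the PEM envelope for the legacy OpenSSL Proc-Type/DEK-Info headers. The PEM sample embedded in it is constructed; its body is filler, not a real key.

```python
"""Decode a plain hex dump back to PEM and report whether the key is encrypted.

Added example (not the write-up's own code). Covers the legacy PEM envelope
("BEGIN RSA PRIVATE KEY" with Proc-Type/DEK-Info headers). New-format keys
("BEGIN OPENSSH PRIVATE KEY") keep the cipher inside the binary blob, so
they show no headers and are reported as encrypted=False here.
"""
import re

# Constructed sample: a hex dump of a passphrase-protected PEM key. The body
# and IV are filler; only the envelope is meaningful.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "QUJDREVGR0hJSktMTU5PUA==\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_HEX = SAMPLE_PEM.encode("ascii").hex()


def hex_to_pem(hex_text):
    """What `xxd -r -p` does: strip whitespace, pair up hex digits, return text.
    Raises ValueError on a non-hex character or an odd number of digits."""
    digits = re.sub(r"\s+", "", hex_text)
    return bytes.fromhex(digits).decode("ascii")


def pem_info(pem_text):
    """Describe the first PEM block: label, encryption headers, cipher and IV."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, inner = m.group(1), m.group(2)
    # RFC 1421: optional "Key: value" header lines, a blank line, then base64 body.
    headers, _, body = inner.partition("\n\n")
    if ":" not in headers.split("\n", 1)[0]:      # no header block at all
        headers, body = "", inner
    info = {"type": label, "encrypted": False, "cipher": None, "iv": None,
            "headers": {}, "body_lines": len(body.split())}
    for line in headers.splitlines():
        key, _, value = line.partition(":")
        info["headers"][key.strip()] = value.strip()
    if info["headers"].get("Proc-Type", "").endswith("ENCRYPTED"):
        info["encrypted"] = True
        cipher, _, iv = info["headers"].get("DEK-Info", "").partition(",")
        info["cipher"], info["iv"] = cipher or None, iv or None
    return info


if __name__ == "__main__":
    import sys
    pem = hex_to_pem(open(sys.argv[1]).read()) if len(sys.argv) > 1 else hex_to_pem(SAMPLE_HEX)
    print(pem_info(pem))
```

Run it as `python3 pem_check.py key` against the hex dump saved from /dev/hype_key. An `encrypted: True` result with `AES-128-CBC` tells you up front that ssh will ask for a passphrase; `ssh-keygen -y -f ssh_key` is the quick manual equivalent, since it prompts for the passphrase on an encrypted key and prints the public key on an unencrypted one.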
Googling for a Heartbleed exploit turned up a Python script that can be run as follows.
python heartbleed.py -n 100 -a heartbleed-output 10.10.10.79
The description of the parameters used in this script is as follows.
- -n: Number of times to connect/loop
- -a: Dump the ASCII contents to a file
Running the script first confirmed that the server is vulnerable.
The script then started dumping the server's memory contents, with some repeated patterns. One chunk looked base64-encoded.
Decoding it gives what is likely the passphrase for the SSH key.
Let's try to log in with the passphrase. ssh refused to use the key, complaining that the permissions on ssh_key are too open (a private key must not be readable by other users).
I fixed that with chmod 600 on the file. With that, I was able to log in as hype and gain low-privilege access.
Of course, the next step was to grab the user flag.
Now that we have the user flag, it's time to attempt privilege escalation for the root flag. For that, I'll use the LinEnum script: I downloaded it to my attack machine and started a web server to serve it.
I then downloaded the file onto the victim box.
Running the script produced a lot of information. One interesting item in the process list was a tmux session owned by root.
tmux is a terminal multiplexer that lets several terminal sessions be accessed from a single window. Clients talk to the tmux server over a Unix socket, so attaching to someone else's session only works if our user can open that socket. Since a root-owned tmux session is already running here, we can attach to it with the following command.
Bingo: that gave us a root shell and, with it, the root flag.
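The reason this escalation works deserves a check of its own: a root-owned tmux session is only attachable if the low-privileged user can write to the server's socket. The following Python is an added example (not LinEnum and not the write-up's own command) that walks the process list for tmux servers run by other users, derives each one's socket path (-S path, -L name, or the default under /tmp/tmux-UID/), and reports whether the current user can connect to it. The command lines in the test are constructed; no socket paths from the box are assumed.

```python
"""Find tmux servers owned by other users whose socket the current user can open.
Added example, not LinEnum. Attaching means connect() on the server's Unix
socket, which needs write permission on the socket file."""
import os
import re
import stat
import subprocess


def tmux_socket_from_cmdline(args, uid=None):
    """Socket path for a tmux process given its `ps` args column.
    -S <path> is explicit; -L <name> lives under /tmp/tmux-<uid>/; otherwise
    'default' there. (TMUX_TMPDIR can relocate /tmp; not handled here.)"""
    m = re.search(r"(?:^|\s)-S\s+(\S+)", args)
    if m:
        return m.group(1)
    m = re.search(r"(?:^|\s)-L\s+(\S+)", args)
    name = m.group(1) if m else "default"
    return None if uid is None else f"/tmp/tmux-{uid}/{name}"


def is_tmux(args):
    """Match 'tmux ...', '/usr/bin/tmux ...' and 'tmux: server' but not e.g. tmuxp."""
    return re.match(r"(\S*/)?tmux(:|\s|$)", args) is not None


def attachable(path):
    """True if path is a Unix socket the current user may connect to."""
    try:
        st = os.stat(path)
    except (FileNotFoundError, PermissionError, NotADirectoryError):
        return False
    return stat.S_ISSOCK(st.st_mode) and os.access(path, os.W_OK)


def find_foreign_tmux_servers():
    """(user, socket_path, attachable) for every tmux process not running as us."""
    me = os.getuid()
    ps = subprocess.run(["ps", "-eo", "uid,user,args"], capture_output=True,
                        text=True, check=True).stdout
    found = []
    for line in ps.splitlines()[1:]:                 # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3 or int(parts[0]) == me or not is_tmux(parts[2]):
            continue
        sock = tmux_socket_from_cmdline(parts[2], parts[0])
        found.append((parts[1], sock, attachable(sock)))
    return found


if __name__ == "__main__":
    for user, sock, ok in find_foreign_tmux_servers():
        hint = f"attachable: tmux -S {sock} attach" if ok else "socket not writable"
        print(f"{user:10} {sock}  {hint}")
```

A reported socket is attached with `tmux -S <socket> attach`; if the socket lives under a 0700 /tmp/tmux-0/ directory the check correctly reports it as not writable, which is the normal, safe state. A world-accessible socket created with -S outside that directory is the misconfiguration this box relies on.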
Root Cause Analysis
- Running a vulnerable version of OpenSSL (Heartbleed, CVE-2014-0160), which leaked the key's passphrase from server memory
- Exposure of an SSH private key through the web interface
- A root-owned tmux session whose socket was accessible to a low-privileged user