Valentine
Task 1 - Deploy the machine
🎯 Target IP: 10.129.236.216
Create a directory on the Desktop with the machine's name, and inside this directory, create another directory to store the materials and outputs needed to run the machine, including the scans made with nmap.
Task 2 - Reconnaissance
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target should be a *nix system, while Windows systems usually have a TTL of 128 secs.
2.1 - How many TCP ports are open on the remote host?
sS
SynScan
sC
run default scripts
sV
enumerate versions
A
aggressive mode
T4
run a bit faster
oN
output to file with nmap formatting
It looks like there are 3 open TCP ports on the machine: 22, 80, 443.
3
2.2 - Which flag is used with nmap to execute its vulnerability discovery scripts (with the category "vuln") on the target??
Now, we take more precise scan utilizing -sCV flags to retrieve versioning services and test common scripts.
Since we lack credentials for SSH login, we will begin by examining ports 80 and 443.
Port 80 and 443
Browsing it we don't find nothing of interesting, we can launch a whatweb and gobuster dir scan enumeration, same thing for each ports
We discover interested directories, I'll explore them later.
In this case, the question doesn't concern the machine, but is a generic question regarding nmap's parameters.
--script vuln
2.3 - What is the 2014 CVE ID for an information disclosure vulnerability that the service on port 443 is vulnerable to?
These and the previous questions hint at using the --script vuln
flag for port 443. By googling, we can identify potential vulnerabilities. We then try to find a vulnerability related to the machine's theme (Valentine) and the image on the index page.
There's a dedicated nmap script to test following Heartbleed vulnerability:
CVE-2014-0160
2.4 - What password can be leaked using (CVE-2014-0160)?
This github repo contains PoC and relative exploit for this vulnerability:
Using the above exploit, it is fairly straightforward to obtain some sensitive information from memory. Running it several times should yield a base64-encoded string.
In this case, we decide to exploit it using metasploit module dedicated for this vulnerability:
We use spool memory_leak.txt
command to save it locally, and run it more times to see various memory output.
Doing it we found this interesting string, in details:
that is a base64 string.
heartbleedbelievethehype
2.5 - What is the relative path of a folder on the website that contains two interesting files, including note.txt?
Going to 'hidden' web dir discovered using gobuster: /dev we can see that there're two interesting files:
notes.txt
hype_key
/dev
2.6 - What is the filename of the RSA key found on the website?
hype_key
hype_key
Task 3 - Find user flag
3.1 - Submit the flag located in the hype user's home directory.
We can convert hype_key (hex) to ASCII
and we obtain an encrypted RSA private key (maybe as id_rsa to SSH access), saved into id_rsa_psw.
We just know an hypotetic password: heartbleedbelievethehype then we can try decode it:
openssl rsa -in id_rsa_psw
ssh hype@valentine.htb -i id_rsa
3.2 - What is the name of the terminal multiplexing software that the hype user has run previously?
tmux
3.3 - What is the full path to the socket file used by the tmux session?
/.devs/dev_sess
3.4 - What user is that tmux session running as?
root
Task 4 - Find root flag
4.1 - Submit the flag located in root's home directory.
Last updated