Create a directory on the Desktop with the machine's name, and inside this directory, create another directory to store the materials and outputs needed to run the machine, including the scans made with nmap.
Task 2 - Reconnaissance
su
echo "10.129.236.216 valentine.htb" >> /etc/hosts
mkdir -p htb/valentine.htb
cd htb/valentine.htb
mkdir {nmap,content,exploits,scripts}
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
ping -c 3 valentine.htb
PING valentine.htb (10.129.236.216) 56(84) bytes of data.
64 bytes from valentine.htb (10.129.236.216): icmp_seq=1 ttl=63 time=61.0 ms
64 bytes from valentine.htb (10.129.236.216): icmp_seq=2 ttl=63 time=59.5 ms
64 bytes from valentine.htb (10.129.236.216): icmp_seq=3 ttl=63 time=60.0 ms
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target should be a *nix system, while Windows systems usually have a TTL of 128 secs.
2.1 - How many TCP ports are open on the remote host?
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/https Apache/2.2.22 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Issuer: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2018-02-06T00:45:25
| Not valid after: 2019-02-06T00:45:25
| MD5: a413:c4f0:b145:2154:fb54:b2de:c7a9:809d
|_SHA-1: 2303:80da:60e7:bde7:2ba6:76dd:5214:3c3c:6f53:01b1
|_ssl-date: 2024-07-14T09:44:55+00:00; 0s from scanner time.
Since we lack credentials for SSH login, we will begin by examining ports 80 and 443.
Port 80 and 443
Browsing it we don't find nothing of interesting, we can launch a whatweb and gobuster dir scan enumeration, same thing for each ports
gobuster dir -u http://valentine.htb -w /usr/share/wordlists/dirb/common.txt
We discover interested directories, I'll explore them later.
In this case, the question doesn't concern the machine, but is a generic question regarding nmap's parameters.
--script vuln
2.3 - What is the 2014 CVE ID for an information disclosure vulnerability that the service on port 443 is vulnerable to?
These and the previous questions hint at using the --script vuln flag for port 443. By googling, we can identify potential vulnerabilities. We then try to find a vulnerability related to the machine's theme (Valentine) and the image on the index page.
There's a dedicated nmap script to test following Heartbleed vulnerability:
PORT STATE SERVICE
443/tcp open https
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
| http://www.openssl.org/news/secadv_20140407.txt
|_ http://cvedetails.com/cve/2014-0160/
CVE-2014-0160
2.4 - What password can be leaked using (CVE-2014-0160)?
This github repo contains PoC and relative exploit for this vulnerability:
Using the above exploit, it is fairly straightforward to obtain some sensitive information from memory. Running it several times should yield a base64-encoded string.
In this case, we decide to exploit it using metasploit module dedicated for this vulnerability:
We use spool memory_leak.txt command to save it locally, and run it more times to see various memory output.
Doing it we found this interesting string, in details:
$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==
that is a base64 string.
heartbleedbelievethehype
2.5 - What is the relative path of a folder on the website that contains two interesting files, including note.txt?
Going to 'hidden' web dir discovered using gobuster: /dev we can see that there're two interesting files:
notes.txt
hype_key
/dev
2.6 - What is the filename of the RSA key found on the website?
hype_key
hype_key
Task 3 - Find user flag
3.1 - Submit the flag located in the hype user's home directory.
We can convert hype_key (hex) to ASCII
and we obtain an encrypted RSA private key (maybe as id_rsa to SSH access), saved into id_rsa_psw.
We just know an hypotetic password: heartbleedbelievethehype then we can try decode it:
openssl rsa -in id_rsa_psw
ssh hype@valentine.htb -i id_rsa
🚩 Flag 1 (user.txt)
5d03664f2ed9ba6767660926fcaa97b9
3.2 - What is the name of the terminal multiplexing software that the hype user has run previously?
tmux
3.3 - What is the full path to the socket file used by the tmux session?
/.devs/dev_sess
3.4 - What user is that tmux session running as?
root
Task 4 - Find root flag
4.1 - Submit the flag located in root's home directory.