Valentine - Hackthebox.eu
The Valentine box is an interesting machine: it combines two vulnerabilities that are easy to exploit and have a high payoff, Heartbleed and Dirty COW.
The Heartbleed bug, CVE-2014-0160 (http://heartbleed.com/), was disclosed in April 2014. It affected OpenSSL 1.0.1 through 1.0.1f: the TLS heartbeat handler trusted the payload length stated by the peer rather than the length actually received, so a request that claimed a large payload but sent none got back up to 64 KB of whatever lay next to it in the server's heap. That memory could include private keys, session cookies, login credentials or payment details.
The other vulnerability, Dirty COW, CVE-2016-5195 (https://dirtycow.ninja/), is a local privilege escalation in the Linux kernel. It is a race condition in the way the memory subsystem handles copy-on-write (COW) breakage of private, read-only file mappings: an unprivileged user who wins the race can write to a file they are only allowed to read, such as /etc/passwd or a setuid binary, and thereby gain root.
Now to the hack.
On loading the site you are presented with an image of a girl screaming, with a heart. I could not find any metadata in the image or anything hidden in its bytes, but it is a strong hint at the exploit that will be needed later on.
I first scanned the machine to see which services were running: OpenSSH 5.9p1 on port 22, Apache httpd 2.2.22 on port 80 and HTTPS on port 443. Nothing of particular interest stood out at first glance, although that combination of versions points to Ubuntu 12.04 and therefore to a 2012-era OpenSSL.
I then enumerated the web server with dirb, which turned up some interesting paths: /cgi-bin (inaccessible), /decode (a base64 decoder), /dev (a directory listing holding two files), /encode (a base64 encoder), /index and /index.php (the home page) and /server-status (inaccessible).
Navigating to /dev showed a directory listing with two files, hype_key and notes.txt. hype_key is an ASCII file of space-separated hex bytes; decoding the hex yields a PEM-format RSA private key, which is itself passphrase-protected (the Proc-Type: 4,ENCRYPTED header gives that away). Hang on to it, it matters later on.
notes.txt held some information. I believe it was there to mislead you by pointing at potentially vulnerable services on the website.
The /encode and /decode pages do exactly what they say: whatever you submit is base64-encoded or decoded and echoed back, and there is nothing of interest in that. The input was reflected without escaping, so cross-site scripting worked, but nothing came of it. I believe these pages were a decoy.
Further enumeration pointed to the server's OpenSSL being vulnerable to Heartbleed, which I confirmed with nmap's ssl-heartbleed NSE script against port 443.
Using a publicly available Heartbleed exploit script, I sent the malformed heartbeat to the service and it leaked a chunk of process memory. Among the leaked bytes was a base64-encoded string from a request someone had submitted to the /decode page. The leak is whatever happens to sit next to the request buffer at that moment, so it can take a few attempts before anything useful turns up.
Decoding this base64 text gave me the phrase “heartbleedbelievethehype”.
I assumed that the phrase together with the private key from /dev would give me root access. Ahhhh, how naïve of me! SSH just asked for a password again, and when I gave it the decoded phrase it kicked me out.
Further research made me realise that the key in /dev was a passphrase-protected private key. Decrypting it with the phrase “heartbleedbelievethehype” spat out a usable plaintext private key.
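As an added example (not code from the original write-up), the following Python shows the two checks that avoid the detour above: decoding a hex-dumped file such as hype_key back into PEM, and reading the headers that reveal whether a passphrase is needed before ssh -i will accept the key. It goes beyond the box's key by also handling OpenSSH's native key format, whose cipher name lives inside the base64 blob rather than in PEM headers. The SAMPLE_* values are constructed dummies with nonsense bodies; they are not real keys and not the key from the box.

```python
# Added example (not the write-up's own code): decode a hex-dumped key file such
# as /dev/hype_key, confirm a PEM private key came out, and read the headers that
# mark it as passphrase-protected. SAMPLE_* are constructed dummies with
# nonsense bodies, not real keys and not the box's key.
import base64
import binascii
import re
import struct


def decode_hex_key(text):
    """Turn whitespace-separated hex ('2d 2d 2d 2d 2d 42 ...') into raw bytes.
    Raises binascii.Error on odd length or non-hex digits, i.e. it was not hex."""
    return binascii.unhexlify("".join(text.split()))


def pem_encryption_info(pem):
    """Inspect a PEM private key. Returns None if it is unencrypted, or a dict
    naming the cipher (plus IV or KDF) when a passphrase is needed.
    Raises ValueError if no PEM private key is present at all."""
    text = pem.decode("ascii", "replace")
    m = re.search(r"^-----BEGIN ([A-Z ]+PRIVATE KEY)-----\s*$(.*?)^-----END", text, re.M | re.S)
    if not m:
        raise ValueError("no PEM private key found; is the file still encoded?")
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        return _openssh_info(body)
    # Legacy OpenSSL PEM: encryption is announced in two headers before the body.
    hdr = re.search(r"^Proc-Type: 4,ENCRYPTED\s*^DEK-Info: ([\w-]+),([0-9A-Fa-f]+)\s*$", body, re.M)
    if not hdr:
        return None
    return {"label": label, "cipher": hdr.group(1), "iv": hdr.group(2).lower()}


def _openssh_info(body):
    """openssh-key-v1 keeps its cipher inside the base64 blob: the magic string,
    then string ciphername, then string kdfname ('none' for both if unencrypted)."""
    raw = base64.b64decode("".join(body.split()))
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        raise ValueError("bad openssh-key-v1 magic")
    off, fields = len(magic), []
    for _ in range(2):                               # ciphername, kdfname
        (n,) = struct.unpack(">I", raw[off:off + 4])
        fields.append(raw[off + 4:off + 4 + n].decode())
        off += 4 + n
    cipher, kdf = fields
    return None if cipher == "none" else {"label": "OPENSSH PRIVATE KEY", "cipher": cipher, "kdf": kdf}


def describe(hex_text):
    """Triage verdict for a hex-dumped key file found in a web directory."""
    try:
        info = pem_encryption_info(decode_hex_key(hex_text))
    except binascii.Error:
        return "not hex-encoded"
    except ValueError as e:
        return "decoded, but %s" % e
    if info is None:
        return "plaintext private key: chmod 600 and use with ssh -i directly"
    return "%s encrypted with %s: recover the passphrase before ssh -i will accept it" % (
        info["label"], info["cipher"])


# Constructed samples. The bodies are filler (base64 of the alphabet / a bare
# header), so nothing here is a real key; only the framing is realistic.
SAMPLE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              b"Proc-Type: 4,ENCRYPTED\n"
              b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
              b"QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
              b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_HEX = " ".join("%02x" % b for b in SAMPLE_PEM)          # how hype_key was served
SAMPLE_PLAIN = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
                b"-----END RSA PRIVATE KEY-----\n")


def _openssh_blob(cipher, kdf):
    # Constructed header only (magic + ciphername + kdfname); not a real key.
    return b"openssh-key-v1\x00" + b"".join(struct.pack(">I", len(s)) + s for s in (cipher, kdf))


SAMPLE_OPENSSH = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                  + base64.b64encode(_openssh_blob(b"aes256-ctr", b"bcrypt")) + b"\n"
                  + b"-----END OPENSSH PRIVATE KEY-----\n")
```

With the hex decoded to a file (say hype_key.pem, a name chosen here), openssl rsa -in hype_key.pem -out hype_key.dec prompts for the passphrase and writes the plaintext key; chmod 600 the result before ssh -i, or OpenSSH will refuse it as too open.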
I then used the decrypted key to log in. I guessed that “hype” must be the username, since people usually name their keys after their login (what clever people!), and that got me a shell as user hype.
To see what the machine was vulnerable to I ran a Linux enumeration script, which showed what was on the box and where the easy pickings were. The obvious one was the kernel, 3.2.0-23, which is vulnerable to Dirty COW (upstream kernels from 2.6.22 through 4.8 were affected until the October 2016 fix; distribution kernels backport fixes, so check the vendor's changelog rather than trusting the version number alone).
I then used the Dirty COW exploit at https://www.exploit-db.com/exploits/40839/ to escalate to root. That variant works by overwriting the root entry in /etc/passwd with a new user of its own, so keep the backup it writes to /tmp/passwd.bak and restore the original when you are finished; on a shared box, leaving /etc/passwd modified breaks it for everyone else.
And success! I was now root on the machine.
Conclusion
This was a very exciting box to complete, and it was also my first successful Hack The Box! It taught me a lot, particularly about the process I need to go through to perform a pen test.
I learnt the importance of the Heartbleed and Dirty COW vulnerabilities and how such bugs are still common and still easily exploitable in the real world.
A simple Shodan search turned up roughly 7000 servers still running a Heartbleed-vulnerable version of OpenSSL that could be exploited today. Scary.
If you are interested you can also watch IppSec's video on the Valentine box here: https://www.youtube.com/watch?v=XYXNvemgJUo