Valentine - Hackthebox.eu

The Valentine box is an interesting machine: it combines two vulnerabilities that are easy to exploit and pay off handsomely. The two are Heartbleed and Dirty COW.

Heartbleed, CVE-2014-0160 (http://heartbleed.com/), was disclosed in 2014. It is a missing bounds check in OpenSSL's TLS heartbeat extension: a client asks for a heartbeat echo of up to 64 KB but sends a much shorter payload, and the server copies the missing bytes from its own process memory into the reply. That memory can hold private keys, session cookies, login details or payment data, and nothing in the application logs shows it happened.

The other vulnerability is Dirty COW, CVE-2016-5195 (https://dirtycow.ninja/), a local privilege escalation. It is a race condition in the Linux kernel's copy-on-write (COW) handling of private file mappings that lets an unprivileged user write into a file they are only allowed to read, such as /etc/passwd or a setuid binary, and so become root.

Now to the hack.

Home Page of the Valentine machine

On loading the site you are presented with an image of a screaming girl and a heart. I was not able to find any metadata in this image or anything hidden in its raw bytes, but it is a good hint at the exploit that will be needed later on.

Nmap Scan of the box

I first scanned the box to see what services were running: OpenSSH 5.9p1 on port 22, Apache httpd 2.2.22 on port 80 and an SSL/TLS (HTTPS) service on port 443. Nothing stood out at first glance, although those builds (OpenSSH 5.9p1, Apache 2.2.22) are the Ubuntu 12.04 ones, which already hints at an old kernel.

Dirb Scan of the website

I then enumerated the web server with dirb, which revealed some interesting paths: “/cgi-bin” was inaccessible, “/decode” was a base64 decoder, “/dev” was a directory listing two files, “/encode” was a base64 encoder, “index” and “index.php” were the home page, and “server-status” was inaccessible.

/dev directory

Navigating to “/dev” listed two files: an encoded, encrypted private key called “hype_key”, and “notes.txt”.

Encoded hype_key

“hype_key” was an encoded ASCII text file; running it through a decoder gave a PEM private key whose Proc-Type: 4,ENCRYPTED and DEK-Info headers show it is passphrase-protected. This will be important later on.

Decoded encrypted private key
/dev/notes.txt

The “notes.txt” file had some information. I believe this file was there to mislead you by pointing you at potentially vulnerable services on the website.

Encoder
Decoder

Both the encoder and the decoder did what they said: whatever you entered was base64-encoded or decoded, and there was nothing of interest in the responses. I was able to get cross-site scripting through them but nothing came of that, and I believe they could have been a decoy. They do matter in one way, though: anything POSTed to /decode or /encode passes through the web server's memory, which is exactly what a Heartbleed leak reads back.

Enumeration on the HTTPS service

Further enumeration of the HTTPS service led me to believe that its OpenSSL build was vulnerable to Heartbleed. I was able to confirm this with an nmap scan of port 443 using the ssl-heartbleed NSE script.

Exploiting Heartbleed

Using a downloaded Heartbleed exploit I sent the malformed heartbeat to the service, and it leaked a chunk of memory, as you can see here. Among the leaked text is a base64 string.

Decoding the base64 text

Decoding that base64 string gave me the phrase “heartbleedbelievethehype”.

Using the phrase to get access to root
Using the private key to gain access to root

I believed that using the phrase together with the private key from the /dev directory would give me root access. Ah, how naïve of me! All I got was another prompt for a password, and when I gave the decoded phrase it kicked me out.

Decrypting the encrypted key

Further research made me realise that the key in /dev was an encrypted private key. I was able to decrypt it with the passphrase “heartbleedbelievethehype”, which produced a usable private key.
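Since the sticking point above was not noticing that the key was encrypted, here is an added example (my code, not the author's steps, and not part of the original post) that decodes the /dev blob, reads the PEM headers to tell an encrypted key from a plain one and name its cipher, and then hands the passphrase to the openssl CLI. It assumes openssl is on PATH; the sample key inside it is a constructed placeholder with filler body lines, not real key material. The hex encoding with spaces is my recollection of how hype_key is stored on the box (the writeup only says "encoded"), so the decoder also accepts base64 or plain PEM.

```python
"""Decode the /dev/hype_key blob and tell whether the result is a passphrase-protected key.

Added example for this writeup, not the author's steps. SAMPLE_PEM is a constructed
placeholder: real PEM headers, filler body, no real key material. Decryption is
delegated to the openssl CLI, which is assumed to be installed.
"""
import base64
import binascii
import re
import shutil
import subprocess
import tempfile

PEM_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")

def decode_key_blob(blob):
    """Return PEM bytes from hex, base64 or already-plain PEM input; raise ValueError if none fits."""
    if PEM_RE.search(blob):
        return blob
    compact = b"".join(blob.split())                  # drop the spaces/newlines between hex digits
    if re.fullmatch(rb"[0-9a-fA-F]+", compact) and len(compact) % 2 == 0:
        candidate = binascii.unhexlify(compact)
        if PEM_RE.search(candidate):
            return candidate
    try:
        candidate = base64.b64decode(compact, validate=True)
    except binascii.Error:
        candidate = b""
    if PEM_RE.search(candidate):
        return candidate
    raise ValueError("not hex, base64 or PEM")

def pem_encryption(pem):
    """Return (is_encrypted, cipher). Legacy PEM keys announce it with Proc-Type/DEK-Info headers,
    PKCS#8 keys with a different BEGIN line; the newer OPENSSH format hides it inside the body."""
    if b"-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem:
        return True, "PKCS#8"
    m = re.search(rb"DEK-Info:\s*([A-Z0-9-]+),", pem)
    if b"Proc-Type: 4,ENCRYPTED" in pem and m:
        return True, m.group(1).decode()
    return False, None

def decrypt_with_openssl(pem, passphrase):
    """Strip the passphrase with `openssl rsa`; returns the plaintext PEM. Needs openssl on PATH."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl not found; install it or decrypt another way")
    with tempfile.NamedTemporaryFile(suffix=".pem") as f:
        f.write(pem)
        f.flush()
        out = subprocess.run(["openssl", "rsa", "-in", f.name, "-passin", "pass:" + passphrase],
                             capture_output=True, check=True)
    return out.stdout

# Constructed placeholder, not real key material: real PEM headers, filler body.
SAMPLE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              b"Proc-Type: 4,ENCRYPTED\n"
              b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
              b"QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB\n"
              b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_HEX = b" ".join(b"%02x" % c for c in SAMPLE_PEM)   # spaced hex, as the blob looked in /dev
SAMPLE_B64 = base64.b64encode(SAMPLE_PEM)
PLAIN_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nQUFBQQ==\n-----END RSA PRIVATE KEY-----\n"
```

`pem_encryption(decode_key_blob(blob))` is the check that would have saved the detour above: an encrypted key is why ssh kept asking for a passphrase. Once `decrypt_with_openssl` has written the plaintext key to disk, chmod 600 it and log in with ssh -i, using hype as the user name.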

Private Key
SSHing into the server with the new private key

I used the decrypted private key to log in. I guessed that “hype” must be the username, since people usually name their keys after their login. Clever! This got me a user shell.

Linux box Enumeration — Kernel version

To see what this machine was vulnerable to I ran a Linux enumeration script. This showed what was on the machine and where the easy pickings were. The first obvious weakness is the kernel version, 3.2.0-23 (the Ubuntu 12.04 kernel), which is vulnerable to Dirty COW; affected kernels run from 2.6.22 (2007) up to the October 2016 fixes, so any Linux box left unpatched since then is exposed.

I then used this exploit to escalate my privileges to root: https://www.exploit-db.com/exploits/40839/. It is FireFart's dirty.c: build it with gcc -pthread dirty.c -o dirty -lcrypt, run it with a password of your choice, and it races a write into /etc/passwd that adds a uid 0 user called firefart with that password, which you then su to. It keeps a copy of the original file in /tmp/passwd.bak; restore it afterwards so the machine is not left with an extra root account.

Running the exploit
Escalating privileges to a root account!

And success! I am now root on the machine.

Conclusion

This was a very exciting box to complete; it was also my first successful Hack The Box! It taught me a lot about the process I need to go through to perform a pen test.

I learnt the importance of Heartbleed and Dirty COW, and that they are still common vulnerabilities that can easily be exploited in the real world.

From a simple Shodan search I was able to find roughly 7000 servers still running a Heartbleed-vulnerable OpenSSL that can still be exploited. Scary.

If you are interested you can also watch Ippsec video on the valentine box here: https://www.youtube.com/watch?v=XYXNvemgJUo
