Valentine
This is my write-up for the machine on Hack The Box called Valentine located at: https://app.hackthebox.com/machines/Valentine.
I started off with an nmap scan:
-21638612c279ddf1ca3ad6782c3bc7ca.png)
This was a preliminary scan. I then ran a deeper scan (nmap -T4 -A -v -Pn -p- 10.10.10.79 -oN valentine.nmap_full) to see if the basic scan missed anything:
-c0cc0cd1feeb7520f53dcf12529a5f87.png)
On port 80, we get greeted by the following image:
-cdbb5ac340810223c4c1f35822a20b2c.png)
I then ran the following dirsearch command to see what directories are available for me to access:
dirsearch -e php,html,js,cgi,bak,txt -u http://10.10.10.79 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 50
I then saw from the results that /dev was available for me to access:
-9ff46446d3716b862547dc1fb4e6c85f.png)
notes.txt:
-5600764320bda957766bf762e8ca921d.png)
hype_key:
-da6f08b67101bdc6ebc878a733480443.png)
The hype_key file looked like hexadecimal to me, so I used an online converter to see if I can get the ASCII of it:
-41114fa1d91536739901502388c04b2b.png)
It seemed to be a private RSA key. At this time, my dirsearch command had completed from running:
-e02e98bb9b0435ea702da051e63c8a9f.png)
The /encode and /decode both look similar and both use base64 in order to decode and encode:
-9017600c8976abe5902db4355f7d083f.png)
(1)-4d66568d0d89c7bea77b18a816895226.png)
/omg turned out to be the picture on the home screen we saw earlier:
-82753e58332fe0c6a22c76cb40d90385.png)
In the notes, this stuck out to me:
(1)-b2aa8051c64ec314156ce377eab187be.png)
It seems the encoding and decoding is done server-side as well. I tried to run the following, in order to get a reverse shell, but it did not work:
-4a21ee0910b201c91262bfcae96d7097.png)
I was not sure how to bypass this, so I had to view the official Hack The Box write-up for this machine. Before I got any answers, I noticed this:
-b929d232b085ec052b3a589bed3eae94.png)
It seems that I have to exploit Heartbleed. Running a Metasploit module on it reveals that it is exploitable:
-49b91db1d31145350c437878bcc02dd5.png)
This did not get me anywhere, so I looked at the same write-up again and noticed that I didn't connect a couple of dots together. When I tried to use the private key that I had found earlier in the hype_key file, I was asked for a password, which I did not know. In addition, while I was running the Metaploit module, I kept on getting the following:
-a8711778b6b1b49e0a899afb24595b9b.png)
Decoding this gives us the following:
-8660e6cfe705b4b5353d72a5c3075a58.png)
The dots that I was not able to connect was that this was the password for the private key file. The username for the server, hype, I should have assumed since the name of the file was hype_key. Using this information, I was able to get a shell:
(1)-2b0729f6f662678290497d44b91838bd.png)
I then had gotten the user.txt flag:
(1)-d3768794dad93e28ef639aa0fd2b6abb.png)
I then imported linpeas.sh to the server using a python3 module:
-66e2cef3dd606a577a8366943ac6a35b.png)
(1)-98403d79c7da31fee9750d8b60ae2b7b.png)
Running linpeas.sh, I noticed something interesting:
I had access to the tmux program, but I did not know where to go from there. I then read the official write-up and found out that I overlooked the ps aux command that shows what processes are being run currently. This would have showed me a root command of tmux being ran. If I ran that myself, I then get root:
