Hack The Box Write-Up Valentine

How I obtained root access on the Valentine machine from Hack The Box.

Introduction

Hack The Box is an online platform that hosts virtual machines that are vulnerable by design to sharpen one’s penetration testing and security skills. Valentine was a fun machine to compromise as it suffers from a very well-known vulnerability. In addition to this well-known vulnerability one needs several other puzzle pieces to gain root access. This makes the Valentine machine an interesting learning experience.

Tools Used

  • Nmap
  • Firefox
  • Gobuster
  • Base64 and Hex en- and decoding
  • Searchsploit
  • Python
  • SSH Client
  • Tmux

Enumeration: Nmap

Running an initial scan with Nmap reveals ports 22, 80 and 443 are open. 800x400

Running a targeted service scan against ports 22, 80 and 443 reveals an OpenSSH server and the Apache webserver. Both services have out of date version numbers making it highly likely that the operating system running on the machine is out of date. 800x400

Enumeration: Firefox

A visit to the website on port 443 and 80 with the Firefox browser reveals an image with the heartbleed logo but not much else. 800x400

Enumeration: Gobuster

Digging a bit deeper a Gobuster scan reveals several interesting directories that are worth investigating. 800x400

Enumeration: Firefox

The encode directory seems to contain an encoder of some sort. 800x400

Testing the encoder with the string “test” reveals encoded text. Looking at the output the encoder most likely uses base64 as the encoding scheme. 800x400

Running the echo command with the output of the encoder and piping it to base64 -d to decode reveals the initial “test” string. This confirms the encoder uses base64 as encoding scheme. 800x400

Investigating further the dev directory reveals several interesting files. 800x400

Investigating the hype_key file reveals a lot of text. Looking at the output it seems like the contents is encoded with hex. 800x400

Using an online tool to decode the hex to ascii reveals what appears to be an encrypted SSH private key file. 800x400

Enumeration: Nmap

The image discovered in the root of the website gives a strong hint towards the Heartbleed vulnerability. Because of this it is good practice to investigate if the machine is vulnerable. 800x400

An Nmap scan confirms that the Valentine machine is vulnerable to the Heartbleed bug.

Enumeration: Searchsploit

A quick search with searchsploit reveals several public exploits for the Heartbleed bug. 800x400

As Python is my language of choice I copy the Python exploit from the local exploit database. 800x400

Exploitation: Heartbleed Memory

Enumerating the memory of the machine with the Python exploit reveals a base64 encoded string. At first this does not seem like much but realising that a base64 encoder and decoder is hosted on the server makes this a bit suspicious. 800x400

Decoding the base64 string from the memory dump reveals something that looks a lot like a passphrase that might be a match with the previously discovered hype_key SSH private key file. 800x400

Exploitation: Initial Shell

Using SSH with the hype_key private key and the passphrase recovered from memory results in an initial shell on the target as the hype user. 800x400

Privilege Escalation

Investigating the home directory of the Hype user reveals the .bash_history file. This seems out of place as this functionality is usually disabled on Hack The Box machines. 800x400

Investigating further the .bash_history file reveals some interesting contents. The Hype user seems to have been running Tmux and created a Tmux socket file that is saved to /.dev/dev_sess. 800x400

Investigating the Tmux socket file reveals it is owned by the root user and has the SUID bit set. Also note that the group hype has read/write privileges on the file making it possible to use it. 800x400

Exploitation: Root

Attaching to the Tmux socket file with the command tmux -S /.devs/dev_sess grants root privileges fully compromising the Valentine machine. 800x400

Remediation

The Valentine machine hosted several sensitive files on a publicly accessible webserver. Furthermore, the Valentine machine runs an outdated operating system and outdated software making it vulnerable to the Heartbleed bug. This in turn made it possible to extract sensitive information from memory leading to a low privileged SSH session. After gaining access to the machine several configuration errors where discovered that made it possible to escalate privileges to the root user.

  • Remove all sensitive files from the public webserver
  • Update the operating system and installed software to a supported version to protect against known vulnerabilities
  • Configure Bash history in such a way that it clears the history when logging out
  • Prevent the use of SUID bits on files that can be read and or written to by other users than root and leverage sudo to elevate privileges instead

© 2018. All rights reserved.