HackTheBox - Valentine

    Heartbleed came out not long after the time I began my journey into the security side of the house.  I recall a box that I believe was vulnerable to the the Heartbleed attack but I wasn't seasoned enough to know what to do with it. 

    When I saw the name Valentine on this box, I knew it was a clue -- most of the names ARE clues but I didn't hone in on it until I saw the main page for the website.






    Notice the similarity:







    We kick off with an Nmap scan:







    We see three ports open and I have an idea where this is headed but not exactly.  Looking at the web port with Nikto:







    Nikto uncovers /dev and we take a look:







    Two more nuggets.  First we check hype_key:







    That looks like hex, let's decode it:






    A private key and by the name, we assume the username is "hype" but when I attempt to use the key, I am prompted for a passphrase.  

    Moving on, I check out the note:





    We get some hints.  

    Let's dig a little deeper with GoBuster:







    More directories to explore:







    And:







    I play around with this to see if I can inject something but no such luck.  I play a bit more with Burp:







    Still nothing so I switch over to HeartBleed exploits:







    Truncating the noise, we get to the end....







    And we see that it's vulnerable but this script provides little value and I go hunting for another:







    The first script appears to be just for detection but this one is actually showing us leaked memory data:







    That looks like base64.  Let's decode:






    After decoding, I think I have the passphrase, I put the key and the phrase together and I'm able to login.

    Let's see what we're dealing with:






    This smells like DirtyCow.  But first, let's get the user.txt file:







    Going in for the kill:






    After the fact, I looked around and I think I found the intended method for root but root is root so what can I say.  I also think the entry is really what makes this box fun.  The privilege escalation is just the way to wrap it up and call it done.


    © 2020 sevenlayers.com