Valentine HackTheBox WalkThrough
This is Valentine HackTheBox machine walkthrough and is also the
19th machine of our
OSCP like HTB Boxes series. In this writeup I have demonstrated step-by-step how I rooted to
Valentine HackTheBox machine. Before diving into the hacking part let us know something about this box. It is a
Linux OS machine with IP address
10.10.10.79 and difficulty
easy assigned by its maker.
Since this machine is
retired on HackTheBox platform so you will require
VIP subscription at
hackthebox.eu to access this machine. So first of all connect your Kali/Parrot machine with
HackTheBox VPN and confirm your connectivity with this machine by pinging its IP address 10.10.10.79. If all goes correct then start hacking. As usual I started by scanning the machine with Nmap. Scanning gives us some idea on how we have to proceed further. Like it helps to find open and closed ports and gives us information of different services running over them. I have used Nmap for this task and the result is given below:-
$ sudo nmap -sC -sV -oA nmap/valentine 10.10.10.79
Nmap found ports
443 as open.
OpenSSH 5.9p1 on port 22,
apache2 web server on port 80 and apache2 over SSL on port 443 are running. Also nmap script
ssl-cert found a subdomain
valentine.htb. So before visiting the website at URL http://10.10.10.79 let us add the subdomain valentine.htb to the
hosts file of our machine. If virtual hosting is enabled then we should have another website to enumerate on. The hosts file is present in the directory
Hosts File After Modification
$ cat /etc/hosts
After going to URL http://valentine.htb found an image of a yelling girl with
Heartbleed vulnerability symbol. This bleeding heart is giving us
hint that this website is vulnerable to Heartbleed exploit. If you don’t know about Heartbleed vulnerability then check this official link of the company who has first discovered this vulnerability and given name & symbol to it.
Let us confirm whether this machine is actually vulnerable to
Heartbleed vulnerability or not. There are multiple ways by which we can confirm this vulnerability. You can either use nmap script
ssl-heartbleed.nse or metasploit scanner module
auxiliary/scanner/ssl/openssl_heartbleed or some other
GitHub tools. There are a lot present on GitHub. Just google
Heartbleed exploit GitHub and you have a number of tools available to use. I have used nmap script and metasploit module both to confirm this vulnerability.
Confirming Heartbleed Vulnerability using Nmap Script
$ nmap -p 443 --script ssl-heartbleed.nse 10.10.10.79
Confirming Heartbleed Vulnerability using Metasploit
msf6 > search openssl_heartbleed
msf6 > use auxiliary/scanner/ssl/openssl_heartbleed
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set RHOSTS 10.10.10.79
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set RPORT 443
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set action SCAN
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > run
Both the above methods revealed that this Valentine machine is vulnerable to Heartbleed exploit. Let us exploit this vulnerability to check what information is being leaked from the memory of valentine machine. I have used this GitHub tool. You can also use some other tool for this task.
Exploiting Heartbleed Vulnerability
$ git clone https://gist.github.com/eelsivart/10174134
$ cd 10174134/
$ python heartbleed.py 10.10.10.79
Exploitation revealed some
base64 encoded text. After decoding it I found
heartbleedbelievethehype. Don’t know exactly what it is, may be it is someone’s password! Anyway, added it to my cherry tree notes. It will be helpful for us when we find some username to check to login in it’s SSH account.
$ echo 'aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg=='| base64 -d
After some more enumeration at URL https://valentine.htb when I could not find anything interesting then I tried to
directory bruteforce using
$dirsearch (a directory brute forcer written in python) with its default wordlist.
$ sudo dirsearch -e all -t 30 -x 400,403 -u https://valentine.htb | tee dirsearch.out
Directory bruteforcing revealed
dev folder. After accessing this folder at URL https://valentine.htb/dev/ found
hype_key in hex encoded form. The key can be accessed at the URL https://valentine.htb/dev/hype_key.
Let us decode this key.
After decoding it we found
SSH Private Key. Then I copied it in a file
hype_key.pem. It appears that this SSH key is of user
hype (a/c to its name). When I tried to SSH into hype account using this key and password which we have noted in our cherry tree I could easily logged in. So here our SSH cred is
Getting User Shell
$ vi hype_key.pem
$ chmod 400 hype_key.pem
$ ssh -i hype_key.pem [email protected]
[email protected]:~$ whoami && id
We have successfully got user shell. Let us capture user flag.
Capture User Flag
$ cat Desktop/user.txt
To escalate the privilege to root we have to first find a privilege escalation vector using which we can escalate privilege. For this I ran
linpeas.sh (a post exploitation enumeration script). Linpeas finds all the potential vector (path) that can be used to escalate privilege.
Finding PrivEsc Vector
Linpeas found a
tmux session that can be used to escalate privilege. When I tried to execute
$/usr/bin/tmux -S /.devs/dev_sess command I could easily get root shell in tmux. So here our Privilege Escalation vector is getting root shell by using root tmux session.
Getting Root Shell
$ /usr/bin/tmux -S /.devs/dev_sess
Capture Root Flag
# cat /root/root.txt
This was how I rooted to Valentine HackTheBox machine. Hope you have got something to learn from this machine walkthrough. Feel free to ask your doubt in the comment section if you face any. Thanks for reading this article. For any query and suggestion related to walkthrough feel free to contact us at [email protected].